Ensure that S3 Buckets are encrypted with CMK
Ensure that S3 Buckets have server-side encryption at rest enabled, and are using customer-managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage.
Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.03
Category: Storage
GSL LOGIC
S3Bucket should have encryption.serverSideEncryptionRules contain [ getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('isCustomerManaged') and getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('enabled') ]
REMEDIATION
From Portal
- Go to 'S3'
- For each incompliant S3 Bucket:
- Go to the 'Properties' tab
- Under 'Default encryption', choose 'Edit'
- Make sure 'Server-side encryption' is set to 'Enable'
- Set 'Encryption key type' to 'AWS Key Management Service key'
- Configure your AWS KMS CMK key
- Save changes
From TF
To use kms key encryption for s3 bucket, use following configuration:
resource "aws_s3_bucket" "example_bucket" {
...
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = KMS_CMK_ARN
sse_algorithm = "aws:kms"
}
}
}
}
From Command Line
To enable kms key encryption for s3 bucket, run:
aws s3api aws s3api put-bucket-encryption --bucket BUCKET-NAME --server-side-encryption-configuration ENCRYPTION-CONFIGURATION
References
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
- https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-encryption.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CCPA Framework
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS Dashboard System Ruleset
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
Updated over 1 year ago