Ensure that S3 Bucket is encrypted at rest

Ensure that S3 Buckets have server-side encryption enabled, to protect your data at rest.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.65
Category: Storage


S3Bucket should not have encryption.serverSideEncryptionRules isEmpty()


From Portal

  1. Go to 'S3'
  2. For each incompliant S3 Bucket:
  3. Go to the 'Properties' tab
  4. Under 'Default encryption', choose 'Edit'
  5. Enable and set 'Server-side encryption' and set encryption
  6. Save changes

From TF
To configure encryption for an S3 Bucket, set the 'aws_s3_bucket_server_side_encryption_configuration' block:

resource "aws_s3_bucket_server_side_encryption_configuration" "example_encryption_configuration" {
	rule {
		apply_server_side_encryption_by_default {

From Command Line
To configure encryption for an S3 Bucket, use:

aws s3api put-bucket-encryption --bucket BUCKET-NAME --server-side-encryption-configuration JSON-CONFIGURATION


  1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-encryption.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management