Ensure that S3 Bucket is encrypted at rest
Ensure that S3 Buckets have server-side encryption enabled, to protect your data at rest.
Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.65
Category: Storage
GSL LOGIC
S3Bucket should not have encryption.serverSideEncryptionRules isEmpty()
REMEDIATION
From Portal
- Go to 'S3'
- For each incompliant S3 Bucket:
- Go to the 'Properties' tab
- Under 'Default encryption', choose 'Edit'
- Enable and set 'Server-side encryption' and set encryption
- Save changes
From TF
To configure encryption for an S3 Bucket, set the 'aws_s3_bucket_server_side_encryption_configuration' block:
resource "aws_s3_bucket_server_side_encryption_configuration" "example_encryption_configuration" {
bucket = S3-BUCKET-REFERENCE
..
rule {
apply_server_side_encryption_by_default {
...
}
}
..
}
From Command Line
To configure encryption for an S3 Bucket, use:
aws s3api put-bucket-encryption --bucket BUCKET-NAME --server-side-encryption-configuration JSON-CONFIGURATION
References
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-encryption.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CCPA Framework
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- AWS Security Risk Management
Updated over 1 year ago