Unencrypted AWS S3 Buckets
Risk level: High
Rule ID: S3-001
S3 buckets should be encrypted to keep your stored data secure. nOps recommends you encrypt your AWS S3 buckets to protect data at rest. This can be accomplished using AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS) for server-side encryption.
This rule can help you with the following:
Compliance frameworks
- SOC 2 Readiness Report
- HIPAA Readiness Report
- CIS Readiness Report
AWS Well-Architected Lens
- AWS Well-Architected Framework Lens
- FTR Lens
The AWS S3 default encryption setting directs S3 to automatically encrypt objects as they are stored in the bucket, so that data at rest cannot be read by an unauthorized party who obtains access to the underlying storage.
Audit
Perform the following steps to find out if your AWS S3 buckets have the Default Encryption feature activated:
Using AWS Console
1. Log in to the Management Console and access the S3 dashboard.
2. Click the name of the S3 bucket whose configuration you intend to check.
3. From the top menu, select the Properties tab and verify the Default encryption feature state.
If the Default encryption status shows Disabled as shown in the screenshot below, it means the automatic default encryption feature is turned off.
4. Repeat steps 2 and 3 for any other S3 buckets whose Default encryption status you wish to confirm.
Using AWS CLI
1. Run the get-bucket-encryption command with the name of the intended S3 bucket as the identifier to retrieve the Default Encryption feature status for the selected bucket:
aws s3api get-bucket-encryption \
--bucket ncode.demo
2. You should get either the configuration details or a ServerSideEncryptionConfigurationNotFoundError error message, which means the default encryption feature has not been activated. Below is the sample error message you should expect:
An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found
3. Repeat steps 1 and 2 for all provisioned S3 buckets whose default encryption status you wish to ascertain.
Remediation
Using AWS Console
1. Log in to the Management Console and access the S3 dashboard.
2. Click the name of the S3 bucket whose configuration you intend to change (as in the Audit section).
3. From the top menu, select the Properties tab and scroll down to the Default encryption section.
4. Click the Enable radio button and the Encryption key type dialog box will appear. Select one of the following options, based on your encryption requirements:
a. Select the AES-256 option to use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) to encrypt your S3 objects automatically at upload.
b. Select the AWS-KMS option to use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) to encrypt your S3 objects. If you choose this option, you must select a KMS-managed key from the Select a key dropdown list or provide the ARN of your custom key inside the Custom KMS ARN box. You can also enable or disable a Bucket Key to reduce encryption costs.
5. Click Save to apply the changes and enable default encryption for the selected Amazon S3 bucket.
6. Repeat steps 2 - 5 to enable the Default Encryption feature for other provisioned S3 buckets in your AWS account.
Using AWS CLI
To activate the default encryption feature for your provisioned S3 buckets through the AWS CLI, run one of the following commands, depending on your choice of encryption:
1. Run the put-bucket-encryption command to activate Server-Side Encryption for the specified S3 bucket with Amazon S3-Managed Keys (SSE-S3):
aws s3api put-bucket-encryption \
--bucket ncode.demo \
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}'
Upon execution, the command successfully enables the default encryption feature. However, it does not generate any output.
OR
2. Run the put-bucket-encryption command to activate Server-Side Encryption for the specified S3 bucket using AWS KMS-Managed Keys (SSE-KMS). Note that you must provide the ARN of an AWS KMS-managed key as the value of the KMSMasterKeyID parameter to use this encryption option (e.g. arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd).
aws s3api put-bucket-encryption \
--bucket ncode.demo \
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd",
"SSEAlgorithm": "aws:kms"
}
}
]
}'
Upon execution, the command successfully enables the default encryption feature. However, it does not generate any output.
3. Repeat step 1 or step 2 for all provisioned S3 buckets on which you intend to enable the Default Encryption feature.
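The Audit and Remediation steps above run one CLI call per bucket by hand. The following script is an added example, not nOps' or AWS's own tooling, that wraps the same two s3api commands: it classifies the output of get-bucket-encryption (configuration JSON or the ServerSideEncryptionConfigurationNotFoundError message) as unencrypted, SSE-S3 or SSE-KMS, and builds the put-bucket-encryption rule for either option, refusing an SSE-KMS rule without a well-formed key ARN. It assumes the aws CLI is installed and credentialed on PATH; the KMS ARN pattern and the sample response are constructed for illustration, and the function and variable names are the example's own.

```python
"""Audit and remediate S3 default encryption (rule S3-001) through the aws CLI.

Added example, not nOps or AWS code. Assumes `aws` is on PATH with credentials.
"""
import json
import re
import subprocess

# Error name the CLI prints when a bucket has no default-encryption rule (from the page).
NOT_CONFIGURED = "ServerSideEncryptionConfigurationNotFoundError"

# Rough shape of a KMS key ARN; an assumed sanity check on operator input, not an AWS API.
KMS_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")

# Constructed sample of a get-bucket-encryption response for an SSE-KMS bucket
# (the ARN is the placeholder used on the page, not a real key).
SAMPLE_KMS_RESPONSE = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd",
            },
            "BucketKeyEnabled": True,
        }]
    }
})


def classify_encryption(stdout, stderr=""):
    """Map get-bucket-encryption output to 'NONE', 'SSE-S3' or 'SSE-KMS'.

    stdout is the CLI's JSON (empty on error); stderr is checked for the
    not-found error the Audit section describes.
    """
    if NOT_CONFIGURED in stderr or not stdout.strip():
        return "NONE"
    cfg = json.loads(stdout)["ServerSideEncryptionConfiguration"]
    for rule in cfg.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "AES256":
            return "SSE-S3"
        if algo == "aws:kms":
            return "SSE-KMS"
    return "NONE"


def build_encryption_config(mode, kms_key_arn=None, bucket_key=True):
    """Return the dict passed as --server-side-encryption-configuration.

    mode is 'SSE-S3' (AES256) or 'SSE-KMS' (aws:kms plus KMSMasterKeyID).
    bucket_key sets BucketKeyEnabled for SSE-KMS, the Bucket Key option from the page.
    """
    if mode == "SSE-S3":
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    elif mode == "SSE-KMS":
        if not kms_key_arn or not KMS_ARN_RE.match(kms_key_arn):
            raise ValueError("SSE-KMS requires a KMS key ARN as KMSMasterKeyID")
        rule = {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": bool(bucket_key),
        }
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"Rules": [rule]}


def run_aws(*args):
    """Run an aws CLI command and return (stdout, stderr). Assumes `aws` on PATH."""
    proc = subprocess.run(["aws", *args], capture_output=True, text=True)
    return proc.stdout, proc.stderr


def audit_bucket(bucket):
    """Audit step: same call as the page's get-bucket-encryption command."""
    out, err = run_aws("s3api", "get-bucket-encryption", "--bucket", bucket)
    return classify_encryption(out, err)


def remediate_bucket(bucket, mode="SSE-S3", kms_key_arn=None):
    """Remediation step: put-bucket-encryption prints nothing on success, so an empty stderr means it applied."""
    config = json.dumps(build_encryption_config(mode, kms_key_arn))
    _, err = run_aws("s3api", "put-bucket-encryption", "--bucket", bucket,
                     "--server-side-encryption-configuration", config)
    return err == ""


if __name__ == "__main__":
    # Walk every bucket in the account and report its default-encryption status.
    out, _ = run_aws("s3api", "list-buckets", "--query", "Buckets[].Name", "--output", "json")
    for name in json.loads(out or "[]"):
        print(f"{name}: {audit_bucket(name)}")
```

Run it with no arguments to list every bucket with NONE, SSE-S3 or SSE-KMS, then call remediate_bucket on the NONE entries. Default encryption governs only objects written after it is enabled; objects already in the bucket keep whatever encryption they were stored with, so an audit of the bucket setting is not an audit of existing objects.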
Still Need Help?
Come see why we are the #1 cloud management platform and why companies like Taco Bell, Dickey’s BBQ Pit, and Norwegian Cruise Line trust nOps to manage their cloud.