Unencrypted AWS S3 Buckets

Risk level: High

Rule ID: S3-001

Ensure that encryption is enabled at the bucket level to automatically encrypt all objects when stored in Amazon S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).

This rule can help you work with the AWS Well-Architected Framework.

S3 default encryption lets Amazon S3 encrypt your data at the bucket level instead of per object, protecting it from attackers and unauthorized access. If you don't enable it, you must include encryption information (i.e. the x-amz-server-side-encryption header) with every object storage request, and you must also set up a bucket policy that denies storage requests which don't include that encryption information.

Audit

To determine whether your Amazon S3 buckets have the Default Encryption feature enabled, perform the following:

Using AWS Console

1. Sign in to the AWS Management Console.

2. Navigate to the S3 dashboard at https://console.aws.amazon.com/s3/.

3. Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

4. Select the Properties tab from the S3 dashboard top menu and check the Default encryption feature status.

If the feature status is set to Disabled, default encryption is not currently enabled, therefore the selected AWS S3 bucket does not automatically encrypt all objects at upload.

5. Repeat steps 3 and 4 to check the Default Encryption feature status for the other S3 buckets available in your AWS account.

Using AWS CLI

1. Run the get-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket as the identifier to retrieve the Default Encryption feature status for the selected bucket:

aws s3api get-bucket-encryption \
    --bucket ncode.demo

2. The command output should return the requested feature configuration details, or the ServerSideEncryptionConfigurationNotFoundError error message if the feature is not currently enabled:

An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found

If the get-bucket-encryption command output returns the ServerSideEncryptionConfigurationNotFoundError error message, as shown in the output example above, default encryption is not currently enabled, therefore the selected S3 bucket does not automatically encrypt all objects when they are stored in Amazon S3.

3. Repeat steps 1 and 2 for each S3 bucket available in your AWS account.

Remediation / Resolution

 

Using AWS Console

1. Sign in to the AWS Management Console.

2. Navigate to the S3 dashboard at https://console.aws.amazon.com/s3/.

3. Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

4. Select the Properties tab from the S3 dashboard top menu and click on the Default encryption feature configuration box.

5. Inside the Default encryption configuration box, select one of the following options, based on your encryption requirements:

a. Select the AES-256 option to use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) to encrypt your S3 objects automatically at upload.

b. Select the AWS-KMS option to use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) to encrypt your S3 objects. If you choose this option, you must select a KMS-managed key from the Select a key dropdown list or provide the ARN of your custom key inside the Custom KMS ARN box.

6. Click Save to apply the changes and enable default encryption for the selected Amazon S3 bucket.

7. Repeat steps 3 to 6 to enable the Default Encryption feature for the other S3 buckets available in your AWS account.

Using AWS CLI

To enable default encryption for your existing S3 buckets using the AWS CLI, execute one of the following commands, based on your encryption requirements:

1. Run the put-bucket-encryption command (OSX/Linux/UNIX) to enable default encryption for the selected S3 bucket using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) (the command does not produce an output):

aws s3api put-bucket-encryption \
    --bucket ncode.demo \
    --server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
            }
        }
    ]
}'

OR

2. Run the put-bucket-encryption command (OSX/Linux/UNIX) to enable default encryption for the selected bucket using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). To use this encryption configuration, you must provide the ARN of an AWS KMS-managed key as the value of the KMSMasterKeyID parameter (e.g. arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd). The put-bucket-encryption command does not produce an output:

aws s3api put-bucket-encryption \
    --bucket ncode.demo \
    --server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd",
                "SSEAlgorithm": "aws:kms"
            }
        }
    ]
}'

3. Repeat the steps above to enable the Default Encryption feature for the other S3 buckets available in your AWS account.
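The CLI audit and remediation steps above, turned into a small script (an added example, not nOps' own tooling): it classifies the JSON that get-bucket-encryption returns, treats the ServerSideEncryptionConfigurationNotFoundError case as "not enabled", and builds the same --server-side-encryption-configuration payload the put-bucket-encryption commands use. The bucket names and key ARN are placeholders; the driver at the bottom assumes the aws CLI is installed and credentialed.

```python
"""Audit/remediation helpers for rule S3-001 (example code, not nOps' tooling)."""
import json
import subprocess


def classify_encryption(config):
    """Return 'NOT_ENABLED', 'SSE-S3' or 'SSE-KMS' for a get-bucket-encryption result.

    `config` is the parsed JSON output of the command, or None when the command
    failed with ServerSideEncryptionConfigurationNotFoundError.
    """
    if config is None:
        return "NOT_ENABLED"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "AES256":
            return "SSE-S3"
        if algo == "aws:kms":
            return "SSE-KMS"
    return "NOT_ENABLED"  # no rule with a default algorithm: objects are not auto-encrypted


def build_encryption_config(kms_key_arn=None):
    """Build the put-bucket-encryption payload: SSE-KMS if a key ARN is given, else SSE-S3."""
    if kms_key_arn:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
    else:
        default = {"SSEAlgorithm": "AES256"}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}


def audit_bucket(bucket):
    """Run the AWS CLI (assumed installed and credentialed) and classify one bucket."""
    proc = subprocess.run(["aws", "s3api", "get-bucket-encryption", "--bucket", bucket],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        if "ServerSideEncryptionConfigurationNotFoundError" in proc.stderr:
            return classify_encryption(None)
        raise RuntimeError(proc.stderr.strip())  # access denied, no such bucket, etc.
    return classify_encryption(json.loads(proc.stdout))


if __name__ == "__main__":
    # Audit every bucket in the account; remediate the failing ones by hand with
    # `aws s3api put-bucket-encryption --server-side-encryption-configuration`
    # and json.dumps(build_encryption_config(...)) as the payload.
    listing = subprocess.run(["aws", "s3api", "list-buckets", "--query", "Buckets[].Name",
                              "--output", "json"], capture_output=True, text=True, check=True)
    for name in json.loads(listing.stdout):
        print(f"{name}: {audit_bucket(name)}")
```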
