
S3 Buckets Encrypted with Customer-Provided CMKs

Security

Risk level: Medium (should be achieved)

Ensure that your AWS S3 buckets are configured to use Server-Side Encryption with Customer-Provided Keys (SSE-C) instead of S3-Managed Keys (SSE-S3) in order to obtain a fine-grained control over Amazon S3 data-at-rest encryption and decryption process. Once the server-side encryption is configured to use customer-provided keys by default, Amazon S3 will automatically encrypt any new objects with the specified KMS CMK.


Using Server-Side Encryption with Customer-Provided Keys (SSE-C) allows you to set your own encryption keys, so you have full control over who can use these encryption keys to access your Amazon S3 data. AWS Key Management Service (KMS) allows you to easily rotate, disable and audit the Customer Master Keys (CMKs) configured for your Amazon S3 buckets. Note that the configuration described in this rule is what AWS documents as SSE-KMS with a customer-managed CMK: in AWS terminology, "SSE-C" denotes keys that the client supplies on every request and that S3 never stores, which cannot be set as a bucket default.

Audit

To determine the encryption status and configuration for your AWS S3 buckets, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the S3 dashboard top menu to view bucket properties.

05 Click on the Default encryption box to access the default encryption settings and determine Server-Side Encryption (SSE) configuration available for the selected bucket:

  1. If None option is currently selected, the Server-Side Encryption (SSE) is not enabled by default for the selected Amazon S3 bucket. Follow the instructions outlined in this conformity rule to enable SSE for the selected bucket.
  2. If AES-256 option is selected, the S3 bucket is configured to use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), therefore the SSE configuration for the selected S3 bucket is not compliant.
  3. If AWS-KMS is selected, but the name of the KMS CMK used is aws/s3 (i.e. default key generated and managed by Amazon S3 service), the Server-Side Encryption (SSE) configuration for the selected S3 bucket is not compliant.
  4. If AWS-KMS option is selected, compare the key ARN shown in the AWS-KMS dropdown list with the ARN of your customer-provided AWS KMS CMK. If the selected key is the default KMS key rather than your own CMK, the SSE configuration for the selected Amazon S3 bucket is not compliant.

06 Repeat steps no. 3 – 5 to determine the encryption status and configuration for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cc-project5-analytics",
    "cc-project5-app-logs"
]

03 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to examine as identifier and custom query filters to return the Server-Side Encryption configuration used by the selected AWS S3 bucket:

aws s3api get-bucket-encryption \
	--bucket cc-project5-analytics \
	--query 'ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault'

04 The command output should return one of the following results:

  1. If get-bucket-encryption command output returns the ServerSideEncryptionConfigurationNotFoundError error message, as shown in the example below, the Server-Side Encryption (SSE) is not enabled by default for the selected Amazon S3 bucket. Follow the instructions outlined in this conformity rule to enable SSE for the selected bucket:
    An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found.
    
  2. If command output returns "AES256" as value for the "SSEAlgorithm" configuration attribute, the S3 bucket is configured to use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), therefore the SSE configuration for the selected AWS S3 bucket is not compliant:
    [
        {
            "SSEAlgorithm": "AES256"
        }
    ]
    
  3. If command output returns "aws:kms" as value for the "SSEAlgorithm" attribute, but the key in use is the default KMS key (the "KMSMasterKeyID" attribute is missing or refers to the aws/s3 key), the selected Amazon S3 bucket is not compliant.

05 Repeat steps no. 3 and 4 to determine the encryption status and configuration for other S3 buckets available within your AWS account.

Remediation / Resolution

To encrypt objects using customer-provided AWS KMS CMKs, perform the following:

Case A: To configure your Amazon S3 buckets to encrypt objects with existing customer-provided AWS KMS CMKs, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Properties tab from the S3 dashboard top menu to access the bucket properties.

05 Click on the Default encryption box, choose AWS-KMS option and select your own AWS KMS Customer Master Key, from Select a key dropdown list. Click Save to apply the changes.

06 Repeat steps no. 3 – 5 to configure Server-Side Encryption with Customer-Provided Keys (SSE-C) for other Amazon S3 buckets available in your AWS account.

Using AWS CLI

01 Define the required parameters for put-bucket-encryption command. Save the following parameters to a JSON file named sse-kms-config.json (replace the example value of "KMSMasterKeyID", i.e. the Amazon KMS CMK ARN, with your own key ARN):

{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
                "SSEAlgorithm": "aws:kms"
            }
        }
    ]
}

02 Run put-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure as identifier and the command parameters created at the previous step, to enable Server-Side Encryption with Customer-Provided Keys (SSE-C) for the selected AWS S3 bucket (the command does not produce an output):

aws s3api put-bucket-encryption \
	--bucket cc-project5-analytics \
	--server-side-encryption-configuration file://sse-kms-config.json

03 Repeat steps no. 1 and 2 to configure Server-Side Encryption with Customer-Provided Keys (SSE-C) for other S3 buckets available within your AWS account.

Case B: To configure your Amazon S3 buckets to encrypt objects with a new customer-provided AWS KMS CMK, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where your non-compliant S3 bucket is available).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt your S3 objects with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt your objects. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS service dashboard will display a confirmation message: “Your master key was created successfully. Alias: <cmk-alias>”.

12 Once the KMS CMK has been created, navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

13 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

14 Select the Properties tab from the S3 dashboard top menu to access the bucket properties.

15 Click on the Default encryption box, choose AWS-KMS and select the AWS KMS Customer Master Key (CMK) created earlier, from Select a key dropdown list. Click Save to apply the changes.

16 Repeat steps no. 13 – 15 to configure Server-Side Encryption with Customer-Provided Keys (SSE-C) for other Amazon S3 buckets available in your AWS account.

Using AWS CLI

01 Create the access policy that enables your selected IAM users and/or roles to manage the new KMS Customer Master Key and encrypt S3 objects using the Amazon KMS API. Create a new policy document, name it s3-sse-cmk-policy.json, and paste the following content (replace the example principals, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Version": "2012-10-17",
  "Id": "s3-sse-customer-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AmazonS3Manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/S3Admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/S3Admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step as command parameter to create the new AWS KMS CMK:

aws kms create-key \
	--region us-east-1 \
	--description 'KMS CMK for AWS S3-SSE.' \
	--policy file://s3-sse-cmk-policy.json

03 The command output should return the new KMS CMK metadata. Copy the key Amazon Resource Name (the value of the "Arn" attribute), as this information will be required later when you have to specify the key used for S3 data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "Description": "KMS CMK for AWS S3-SSE",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517237644.260,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias \
	--region us-east-1 \
	--alias-name alias/S3CustomerCMK \
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

05 Define the necessary parameters for put-bucket-encryption command. Save the following parameters to a JSON file named sse-kms-config.json (replace the example value of "KMSMasterKeyID", i.e. the Amazon KMS CMK ARN, with the ARN of the Customer Master Key created at the previous steps):

{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
                "SSEAlgorithm": "aws:kms"
            }
        }
    ]
}

06 Run put-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure as identifier (see Audit section part II to identify the right bucket) and the command parameters defined at the previous step, to enable Server-Side Encryption with Customer-Provided Keys (SSE-C) for the selected AWS S3 bucket (the command does not return an output):

aws s3api put-bucket-encryption \
	--bucket cc-project5-analytics \
	--server-side-encryption-configuration file://sse-kms-config.json

07 Repeat steps no. 5 and 6 to configure Server-Side Encryption with Customer-Provided Keys (SSE-C) for other S3 buckets available in your AWS account.
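The audit decision from steps 03 and 04 of the CLI audit, and the put-bucket-encryption document from remediation steps 05 and 06, as one added Python example (not Cloud Conformity's code and not an AWS tool). The classifier and the config builder run offline on the response shapes shown on this page, using constructed sample responses that mirror the CLI outputs above. audit_account() and remediate() are assumed thin boto3 wrappers around the same API calls (list-buckets, get-bucket-encryption, describe-key, put-bucket-encryption) and need credentials, so they are not run here. The describe-key check goes beyond the page's aws/s3 name comparison: KeyMetadata.KeyManager reports whether a key ARN is AWS managed or customer managed, which the ARN alone does not reveal.

```python
"""Audit S3 default encryption for customer-managed KMS keys and build the
remediation configuration. Added example; offline parts use constructed data."""
import re
from typing import Callable, List, Optional, Tuple, Union

# Error code returned by GetBucketEncryption when no default encryption is set.
SSE_NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"

# The AWS managed key for S3, as it can appear in KMSMasterKeyID.
AWS_MANAGED_S3_ALIAS = "alias/aws/s3"

# Strict match for a KMS *key* ARN (not an alias ARN or a bare key id).
KEY_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/"
    r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)


def _is_aws_managed_s3_key(key_id: str) -> bool:
    """True for 'aws/s3', 'alias/aws/s3' or an alias ARN ending in ':alias/aws/s3'."""
    return key_id in ("aws/s3", AWS_MANAGED_S3_ALIAS) or key_id.endswith(":" + AWS_MANAGED_S3_ALIAS)


def classify_encryption(
    rules_or_error: Union[str, List[Optional[dict]]],
    key_manager_lookup: Optional[Callable[[str], str]] = None,
) -> Tuple[bool, str]:
    """Return (compliant, reason) for one bucket's default-encryption setting.

    rules_or_error is either the error code string from GetBucketEncryption or
    the list produced by the page's --query filter
    (ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault).
    key_manager_lookup maps a key id/ARN to DescribeKey's KeyMetadata.KeyManager
    ("AWS" or "CUSTOMER"); without it a key ARN cannot be proven customer managed.
    """
    if isinstance(rules_or_error, str):
        if rules_or_error == SSE_NOT_FOUND:
            return False, "default encryption is not enabled"
        return False, "unexpected error: " + rules_or_error

    rules = [r for r in rules_or_error if r]  # the --query filter yields null for rules without a default
    if not rules:
        return False, "no ApplyServerSideEncryptionByDefault rule present"
    rule = rules[0]  # S3 accepts exactly one default-encryption rule per bucket

    algorithm = rule.get("SSEAlgorithm")
    if algorithm == "AES256":
        return False, "SSE-S3 (AES256) in use"
    if algorithm not in ("aws:kms", "aws:kms:dsse"):  # DSSE-KMS also uses KMS keys
        return False, "unknown SSEAlgorithm: %r" % algorithm
    key_id = rule.get("KMSMasterKeyID")
    if not key_id:
        return False, "SSE-KMS with the implicit aws/s3 AWS managed key"
    if _is_aws_managed_s3_key(key_id):
        return False, "SSE-KMS with the aws/s3 AWS managed key"
    if key_manager_lookup is None:
        return True, "SSE-KMS with %s (KeyManager not verified)" % key_id
    manager = key_manager_lookup(key_id)
    if manager != "CUSTOMER":
        return False, "SSE-KMS with an AWS managed key (KeyManager=%s)" % manager
    return True, "SSE-KMS with customer-managed key %s" % key_id


def build_sse_kms_config(key_arn: str) -> dict:
    """Build the sse-kms-config.json document shown on this page. This example
    insists on a full key ARN so the key's account and region are explicit and
    aliases such as alias/aws/s3 are rejected before reaching the API."""
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError("expected a KMS key ARN, got %r" % key_arn)
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn}}]}


def audit_account(region_name: Optional[str] = None) -> dict:
    """Live equivalent of CLI audit steps 01-04 (assumes boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=region_name)

    def lookup(key_id: str) -> str:
        # KMS is regional: describe the key in the region named in its ARN.
        region = key_id.split(":")[3] if key_id.startswith("arn:") else region_name
        kms = boto3.client("kms", region_name=region)
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyManager"]

    results = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            cfg = s3.get_bucket_encryption(Bucket=name)
            rules = [r.get("ApplyServerSideEncryptionByDefault")
                     for r in cfg["ServerSideEncryptionConfiguration"]["Rules"]]
            results[name] = classify_encryption(rules, lookup)
        except ClientError as exc:
            results[name] = classify_encryption(exc.response["Error"]["Code"])
    return results


def remediate(bucket: str, key_arn: str, region_name: Optional[str] = None) -> None:
    """Live equivalent of remediation step 06 (assumes boto3 and credentials)."""
    import boto3
    boto3.client("s3", region_name=region_name).put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=build_sse_kms_config(key_arn))


if __name__ == "__main__":
    # Constructed sample responses mirroring the CLI outputs shown on this page.
    samples = {
        "no-default-encryption": SSE_NOT_FOUND,
        "sse-s3": [{"SSEAlgorithm": "AES256"}],
        "kms-default-key": [{"SSEAlgorithm": "aws:kms"}],
        "kms-customer-key": [{"SSEAlgorithm": "aws:kms", "KMSMasterKeyID":
                              "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"}],
    }
    for name, response in samples.items():
        print(name, classify_encryption(response))
```

Without a key_manager_lookup the classifier reports a non-aws/s3 key as compliant but flags it as unverified; audit_account() always resolves the key through describe-key, so a bucket pointing at an AWS managed key ARN is caught even when the ARN does not carry the aws/s3 alias name.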

Publication date Feb 13, 2019