Server Side Encryption

Risk level: Medium (should be achieved)

Ensure that your AWS S3 buckets are protecting their sensitive data at rest by enforcing Server-Side Encryption

This rule resolution is part of the Cloud Conformity Security Package

When dealing with sensitive data that is crucial to your business, it is highly recommended to encrypt it in order to protect it from attackers or unauthorized personnel. With S3 Server-Side Encryption (SSE), Amazon encrypts your data at the object level as it writes it to disk and decrypts it transparently when you access it, so the protection applies to the data at rest. Note: Server-Side Encryption (SSE) uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your S3 objects.

Audit

To determine if your Amazon S3 buckets have Server-Side Encryption enabled for their objects, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

04 Inside the Properties tab, click Permissions to expand the bucket permissions configuration panel.

05 Now click Edit bucket policy to access the bucket policy currently in use. If the selected bucket does not have an access policy defined yet, skip the next step and declare the Audit process completed.

06 Inside the Bucket Policy Editor dialog box, verify that the policy document contains the following element: "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }. When this condition is attached to a Deny statement on s3:PutObject in the bucket access policy, S3 rejects any upload request that does not carry the x-amz-server-side-encryption header, so only objects that request Server-Side Encryption can be stored. If this condition is not defined within your bucket policy, the selected S3 bucket does not enforce Server-Side Encryption, therefore objects may be stored unencrypted at rest.

07 Repeat steps no. 3 - 6 to verify the access policy for other S3 buckets provisioned within your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cc-client-data",
    "cc-data-reports",
    "cc-app-media-library"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) to retrieve the bucket policy defined for the selected bucket and put its content into a JSON file named s3-bucket-access-policy.json (the command does not produce an output):

aws s3api get-bucket-policy \
    --bucket cc-client-data \
    --query Policy \
    --output text > s3-bucket-access-policy.json

04 The command response should be one of the following:

  1. If the selected S3 bucket does not have an access policy currently in use, the response should be a NoSuchBucketPolicy error:
    An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist
    
  2. If the selected S3 bucket does have an access policy defined, the command will not produce an output on your terminal but it will copy the policy document to the s3-bucket-access-policy.json file. Open the policy in your preferred editor and verify that it contains the following element: "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }. When this condition is attached to a Deny statement on s3:PutObject in the bucket access policy, S3 rejects any upload request that does not carry the x-amz-server-side-encryption header, so only objects that request Server-Side Encryption can be stored. If this condition is not defined within your bucket policy, the selected S3 bucket does not enforce Server-Side Encryption, therefore objects may be stored unencrypted.

Repeat steps no. 3 and 4 for each S3 bucket that you want to examine within your AWS account.
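The verification in step 4 (and in step 06 of the console procedure) can be scripted. The following Python checker is an added example, not part of this Cloud Conformity page or of the AWS CLI: it takes the policy document saved to s3-bucket-access-policy.json as a string and reports whether the Deny statements for a missing encryption header and for an algorithm other than AES256 are both present. The two embedded sample policies are constructed for the demonstration.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"
PUT_OBJ = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
           "Resource": "arn:aws:s3:::cc-client-data/*"}

# Constructed sample: the enforcing policy from the Remediation section.
ENFORCING_POLICY = json.dumps({"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": [
    dict(PUT_OBJ, Sid="DenyIncorrectEncryptionHeader",
         Condition={"StringNotEquals": {SSE_KEY: "AES256"}}),
    dict(PUT_OBJ, Sid="DenyUnEncryptedObjectUploads",
         Condition={"Null": {SSE_KEY: "true"}})]})

# Constructed sample: a policy that grants reads but enforces no encryption
# (Statement given as a single object, which IAM also allows).
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::cc-client-data/*"}})

def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _denies_put_object_for_everyone(stmt):
    # A Deny only enforces SSE if it covers PutObject for every principal.
    principal = stmt.get("Principal")
    everyone = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return stmt.get("Effect") == "Deny" and everyone and bool(
        actions & {"s3:putobject", "s3:*", "*"})

def check_sse_enforcement(policy_json):
    """Audit a bucket policy document (JSON string) as the Audit steps describe:
    report whether uploads without the SSE header, or with an algorithm other
    than AES256, are denied. Both must hold for the bucket to be compliant."""
    result = {"denies_missing_header": False, "denies_wrong_algorithm": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _denies_put_object_for_everyone(stmt):
            continue
        cond = stmt.get("Condition", {})
        if any(str(v).lower() == "true"
               for v in _as_list(cond.get("Null", {}).get(SSE_KEY))):
            result["denies_missing_header"] = True
        if "AES256" in _as_list(cond.get("StringNotEquals", {}).get(SSE_KEY)):
            result["denies_wrong_algorithm"] = True
    result["compliant"] = all(result.values())
    return result
```

A bucket that returned NoSuchBucketPolicy in step 4 has no policy to pass in and fails both checks by definition.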

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your S3 buckets via access policies, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource) and click the Properties tab from the dashboard top right menu:

04 Inside the Properties tab, click Permissions to expand the bucket permissions settings panel.

05 Click the Edit bucket policy button to edit the bucket policy currently in use. If the selected bucket does not have an access policy defined yet, click Add bucket policy.

06 In the Bucket Policy Editor dialog box, perform one of the following actions based on your current configuration:

  1. If there is no access policy currently in use, paste the following policy document in the Bucket Policy Editor box, replace the bucket name, i.e. cc-client-data, with the name of your own S3 bucket, then click Save. This policy requires the bucket owner and every user with access to the bucket to enable Server-Side Encryption for every object uploaded via the Management Console or via the AWS API:
    {
      "Version": "2012-10-17",
      "Id": "PutObjPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
  2. If the selected bucket already has an access policy implemented, append the following two policy statements (DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads) to the existing ones available within the Bucket Policy Editor box, as shown in the following example:
    {
      "Id": "S3BucketAccessPolicy",
      "Version": "2012-10-17",
      "Statement": [
        {
    
          ...
    
        },
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
    

    Replace the bucket name, i.e. cc-client-data, with the name of your own bucket, then click the Save button to apply the policy changes. This policy requires the bucket owner and every user with access to the bucket to enable Server-Side Encryption for every object uploaded via the Management Console, via the CLI or programmatically via the AWS API.

07 To test the Server-Side Encryption feature implementation, perform the following actions:

  1. Select the SSE-enabled S3 bucket and click the Upload button from the dashboard top menu.
  2. In the Upload - Select Files and Folders dialog box, click Add files to upload a simple text file.
  3. Click Set Details button to set additional details for the object uploaded at the previous step.
  4. On the Set Details page, check the Use Server Side Encryption checkbox, then click Start Upload to upload the file to your bucket. If your file is uploaded to S3 without returning any errors during the process, Server-Side Encryption has been successfully enabled.

08 Repeat steps no. 3 - 7 to enable SSE for other S3 buckets available in your AWS account.

Using AWS CLI

01 First, define the access policy that requires the bucket owner and every user with access to the bucket to enable Server-Side Encryption for every object uploaded via the Management Console, the CLI or the AWS API. Paste the following policy document in a JSON file named s3-sse-access-policy.json, replace the bucket name, i.e. cc-client-data, with the name of your bucket, then save the file. If your bucket already has an access policy implemented, append only the two Deny statements (DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads) to the existing policy Statement element:

{
  "Version": "2012-10-17",
  "Id": "PutSSEObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-client-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-client-data/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy created at the previous step, i.e. s3-sse-access-policy.json, to the selected S3 bucket (the command does not produce an output):

aws s3api put-bucket-policy \
    --bucket cc-client-data \
    --policy file://s3-sse-access-policy.json

03 To test the Server-Side Encryption feature implementation via AWS CLI, upload a simple text file (e.g. cc-client-profile.txt) using the s3 cp command (OSX/Linux/UNIX) with the --sse parameter, as shown in the example below (s3 sync operates on directories, so a single file is uploaded with s3 cp). Because the bucket policy denies PutObject requests that lack the encryption header, the upload is accepted only when --sse is supplied; if the command is executed without returning any errors, Server-Side Encryption has been successfully enabled:

aws s3 cp /app/data/cc-client-profile.txt s3://cc-client-data/ --sse

04 Repeat steps no. 1 - 3 to enable Server-Side Encryption for other S3 buckets available in your AWS account.

Publication date Jan 31, 2017