S3 Bucket Default Encryption
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that default encryption is enabled at the bucket level to automatically encrypt all objects when stored in Amazon S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
S3 default encryption will enable Amazon to encrypt your S3 data at the bucket level instead of object level in order to protect it from attackers or unauthorized personnel. Without S3 default encryption, to encrypt all objects stored in a bucket, you must include encryption information (i.e. "x-amz-server-side-encryption" header) with every object storage request, as described by the Server Side Encryption (SSE) conformity rule. Also, to encrypt S3 objects without default encryption, you must set up a bucket policy to deny storage requests that don`t include the encryption information.
To determine if your Amazon S3 buckets have Default Encryption feature enabled, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.
04 Select the Properties tab from the S3 dashboard top menu and check the Default encryption feature status. If the feature status is set to Disabled, the default encryption is not currently enabled, therefore the selected AWS S3 bucket does not encrypt automatically all objects at upload.
05 Repeat step no. 3 and 4 to check Default Encryption feature status for other S3 buckets available in your AWS account.
01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:
aws s3api list-buckets --query 'Buckets[*].Name'
02 The command output should return the names of your S3 buckets:
[
"cloud-conformity-media",
"cloud-conformity-api-docs",
"cloud-conformity-reports"
]
03 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier to retrieve the Default Encryption feature status for the selected bucket:
aws s3api get-bucket-encryption --bucket cloud-conformity-media
04 The command output should return the requested feature configuration details or the ServerSideEncryptionConfigurationNotFoundError error message if the feature is not currently enabled:
An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found.
05 Repeat step no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.
To enable default encryption for your existing Amazon S3 buckets, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).
04 Select the Properties tab from the S3 dashboard top menu and click on the Default encryption feature configuration box.
05 Inside Default encryption configuration box, select one of the following options, based on your encryption requirements:
06 Click Save to apply the changes and enable default encryption for the selected Amazon S3 bucket.
07 Repeat steps no. 3 – 6 to enable Default Encryption feature for other S3 buckets available in your AWS account.
01 To enable default encryption for your existing S3 buckets using AWS CLI, execute one of the following command requests, based on your encryption requirements:
aws s3api put-bucket-encryption
--bucket cloud-conformity-media
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}'
aws s3api put-bucket-encryption
--bucket cloud-conformity-media
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd",
"SSEAlgorithm": "aws:kms"
}
}
]
}'
02 Repeat steps no. 1 to enable Default Encryption feature for other S3 buckets available in your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat