Logo of Trend Micro

S3 Bucket Default Encryption

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: S3-021

Ensure that default encryption is enabled at the bucket level to automatically encrypt all objects when stored in Amazon S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

S3 default encryption will enable Amazon to encrypt your S3 data at the bucket level instead of object level in order to protect it from attackers or unauthorized personnel. Without S3 default encryption, to encrypt all objects stored in a bucket, you must include encryption information (i.e. "x-amz-server-side-encryption" header) with every object storage request, as described by the Server Side Encryption (SSE) conformity rule. Also, to encrypt S3 objects without default encryption, you must set up a bucket policy to deny storage requests that don`t include the encryption information.

Audit

To determine if your Amazon S3 buckets have Default Encryption feature enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

04 Select the Properties tab from the S3 dashboard top menu and check the Default encryption feature status. If the feature status is set to Disabled, the default encryption is not currently enabled, therefore the selected AWS S3 bucket does not encrypt automatically all objects at upload.

05 Repeat step no. 3 and 4 to check Default Encryption feature status for other S3 buckets available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets: 

[
    "cloud-conformity-media",
    "cloud-conformity-api-docs",
    "cloud-conformity-reports"
]

03 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier to retrieve the Default Encryption feature status for the selected bucket: 

aws s3api get-bucket-encryption
	--bucket cloud-conformity-media

04 The command output should return the requested feature configuration details or the ServerSideEncryptionConfigurationNotFoundError error message if the feature is not currently enabled: 

An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found.

If the get-bucket-encryption command output returns the ServerSideEncryptionConfigurationNotFoundError error message, as shown in the output example above, the default encryption is not currently enabled, therefore the selected S3 bucket does not encrypt automatically all objects when stored in Amazon S3.

05 Repeat step no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Remediation / Resolution

To enable default encryption for your existing Amazon S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Properties tab from the S3 dashboard top menu and click on the Default encryption feature configuration box.

05 Inside Default encryption configuration box, select one of the following options, based on your encryption requirements:

  1. Select AES-256 option to use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) to encrypt your S3 objects automatically at upload.
  2. Select AWS-KMS option to use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) to encrypt your S3 objects. If you choose this option, you must select a KMS-managed key from Select a key dropdown list or provide the ARN of your custom key inside Custom KMS ARN box.

06 Click Save to apply the changes and enable default encryption for the selected Amazon S3 bucket.

07 Repeat steps no. 3 – 6 to enable Default Encryption feature for other S3 buckets available in your AWS account.

Using AWS CLI

01 To enable default encryption for your existing S3 buckets using AWS CLI, execute one of the following command requests, based on your encryption requirements:

  1. Run put-bucket-encryption command (OSX/Linux/UNIX) to enable default encryption for the selected S3 bucket using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) (the command does not produce an output): 
    aws s3api put-bucket-encryption
	--bucket cloud-conformity-media
	--server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
            }
        }
    ]
}'
  2. Or run put-bucket-encryption command (OSX/Linux/UNIX) to enable default encryption for the selected bucket using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). To use this encryption configuration, you must provide the ARN of an AWS KMS-managed key as value for the KMSMasterKeyID parameter (e.g. "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd"). The put-bucket-encryption command request does not produce an output: 
    aws s3api put-bucket-encryption
	--bucket cloud-conformity-media
	--server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd",
                "SSEAlgorithm": "aws:kms"
            }
        }
    ]
}'

02 Repeat steps no. 1 to enable Default Encryption feature for other S3 buckets available in your AWS account.

References

Publication date Dec 19, 2017

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

S3 Bucket Default Encryption

Risk level: High