
Server Side Encryption

Last updated: 04 August 2020
Risk level: High (should be achieved)
Rule ID: S3-016

Ensure that your AWS S3 buckets are protecting their sensitive data at rest by enforcing Server-Side Encryption

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

When dealing with sensitive data that is crucial to your business, it is highly recommended to implement encryption in order to protect it from attackers or unauthorized personnel. Using S3 Server-Side Encryption (SSE) will enable Amazon to encrypt your data at the object level as it writes it to disks and decrypts it transparently for you when you access it. SSE can be enabled using either Policy Conditions or Default Encryption methods outlined below.

Note: Server-Side Encryption (SSE) utilizes one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your S3 objects.

Audit

To determine if your Amazon S3 buckets have Server-Side Encryption enabled for their objects, perform the following:

Using AWS Console

Policy Conditions

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:


04 Inside the Properties tab, click Permissions to expand the bucket permissions configuration panel.

05 Now click Edit bucket policy to access the bucket policy currently in use. If the selected bucket does not have an access policy defined yet, skip the next step and declare the Audit process completed.

06 Inside the Bucket Policy Editor dialog box, verify that the policy document contains the following element: "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }. When this condition is part of a Deny statement on s3:PutObject in the bucket access policy, S3 rejects every upload request that does not carry the x-amz-server-side-encryption header, so every object the bucket accepts is encrypted. If this condition is not defined within your bucket policy, the selected S3 bucket does not enforce Server-Side Encryption through its policy, therefore objects uploaded without the header are stored unencrypted at rest.

07 Repeat steps no. 3 - 6 to verify the access policy for other S3 buckets provisioned within your AWS account.

Default Encryption

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to examine to access the bucket configuration.

04 Select the Properties tab from the S3 dashboard top menu and check the Default encryption feature status. If the feature status is set to Disabled, the default encryption is not currently enabled, therefore the selected AWS S3 bucket does not encrypt automatically all objects at upload.

05 Repeat steps no. 3 and 4 to check the Default Encryption feature status for other S3 buckets available in your AWS account.

Using AWS CLI

Policy Conditions

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cc-client-data",
    "cc-data-reports",
    "cc-app-media-library"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) to retrieve the bucket policy defined for the selected bucket and write its content to a JSON file named s3-bucket-access-policy.json (the command does not produce an output on the terminal):

aws s3api get-bucket-policy \
    --bucket cc-client-data \
    --query Policy \
    --output text > s3-bucket-access-policy.json

04 The command response should be one of the following:

  1. If the selected S3 bucket does not have an access policy currently in use, the response should be a NoSuchBucketPolicy error:
    An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist

  2. If the selected S3 bucket does have an access policy defined, the command will not produce an output on your terminal but it will write the policy document to the s3-bucket-access-policy.json file. Open the policy in your preferred editor and verify that it contains the following element: "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }. When this condition is part of a Deny statement on s3:PutObject in the bucket access policy, S3 rejects every upload request that does not carry the x-amz-server-side-encryption header, so every object the bucket accepts is encrypted. If this condition is not defined within your bucket policy, the selected S3 bucket does not enforce the Server-Side Encryption feature through its policy, therefore objects uploaded without the header are stored unencrypted.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Default Encryption

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets available in your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets:

[
    "cloud-conformity-media",
    "cloud-conformity-api-docs",
    "cloud-conformity-reports"
]

03 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as the identifier to retrieve the Default Encryption feature status for the selected bucket:

aws s3api get-bucket-encryption \
    --bucket cloud-conformity-media

04 The command output should return the requested feature configuration details or the ServerSideEncryptionConfigurationNotFoundError error message if the feature is not currently enabled:

        An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found.
        

If the get-bucket-encryption command output returns the ServerSideEncryptionConfigurationNotFoundError error message, as shown in the output example above, the default encryption is not currently enabled, therefore the selected S3 bucket does not encrypt automatically all objects when stored in Amazon S3.

05 Repeat step no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.
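Step 04 of both CLI audit procedures above (the bucket policy check and the get-bucket-encryption check) can be repeated offline on the saved CLI output. The following is an added example, not part of the original page or of the Cloud Conformity product; it assumes the policy text is what get-bucket-policy --query Policy --output text wrote to the JSON file, and that the get-bucket-encryption output is either the JSON document or the ServerSideEncryptionConfigurationNotFoundError text. The sample policy is constructed.

```python
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"


def _as_list(value):
    # IAM policy elements (Statement, Action, condition values) may be a single item or a list
    return value if isinstance(value, list) else [value]


def policy_enforces_sse(policy_text):
    """Inspect a bucket policy document (get-bucket-policy --query Policy output) for the two
    Deny statements on s3:PutObject the rule expects. Wildcard actions (s3:*) are not expanded."""
    policy = json.loads(policy_text)
    found = {"denies_missing_header": False, "denies_other_algorithm": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        # "Null": {header: "true"} denies any upload that omits the SSE header
        if str(cond.get("Null", {}).get(SSE_HEADER, "")).lower() == "true":
            found["denies_missing_header"] = True
        # "StringNotEquals": {header: "AES256"} denies uploads that name another algorithm
        if "AES256" in _as_list(cond.get("StringNotEquals", {}).get(SSE_HEADER, [])):
            found["denies_other_algorithm"] = True
    return found


def default_encryption_algorithm(cli_output):
    """Return the SSEAlgorithm ('AES256' or 'aws:kms') from get-bucket-encryption output,
    or None when the CLI printed the ServerSideEncryptionConfigurationNotFoundError text."""
    try:
        config = json.loads(cli_output)
    except ValueError:
        return None
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm"):
            return default["SSEAlgorithm"]
    return None


# Constructed sample policy (not from a real account): only the Null statement is present,
# so the AES256 (StringNotEquals) check is expected to come back False.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::cc-client-data"},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cc-client-data/*",
     "Condition": {"Null": {SSE_HEADER: "true"}}}]})
```

A bucket passes the rule when either both policy checks are True or default_encryption_algorithm returns an algorithm.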

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your S3 buckets via access policies, perform the following:

Using AWS Console

Policy Conditions

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource) and click the Properties tab from the dashboard top right menu:


04 Inside the Properties tab, click Permissions to expand the bucket permissions settings panel.

05 Click the Edit bucket policy button to edit the bucket policy currently in use. If the selected bucket does not have an access policy defined yet, click Add bucket policy.

06 In the Bucket Policy Editor dialog box, perform one of the following actions based on your current configuration:

  1. If there is no access policy currently in use, paste the following policy document in the Bucket Policy Editor box, replace the bucket name, i.e. cc-client-data, with the name of your own S3 bucket, then click Save. This policy forces the bucket owner and every user with access to the bucket to request Server-Side Encryption for each object uploaded via the Management Console or the AWS API:
    {
      "Version": "2012-10-17",
      "Id": "PutObjPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
  2. If the selected bucket already has an access policy implemented, append the two Deny statements below to the existing ones available within the Bucket Policy Editor box, as shown in the following example:
    {
      "Id": "S3BucketAccessPolicy",
      "Version": "2012-10-17",
      "Statement": [
        {
    
          ...
    
        },
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnEncryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::cc-client-data/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
    

    Replace the bucket name, i.e. cc-client-data, with the name of your own bucket, then click the Save button to apply the policy changes. This policy forces the bucket owner and every user with access to the bucket to request Server-Side Encryption for each object uploaded via the Management Console, via the CLI or programmatically via the AWS API.

07 To test the Server-Side Encryption feature implementation, perform the following actions:

  1. Select the SSE-enabled S3 bucket and click the Upload button from the dashboard top menu.
  2. In the Upload - Select Files and Folders dialog box, click Add files to upload a simple text file.
  3. Click Set Details button to set additional details for the object uploaded at the previous step.
  4. On the Set Details page, check Use Server Side Encryption checkbox then click Start Upload to upload the file to your bucket. If your file is uploaded to S3 without returning any errors during the process, the Server-Side Encryption has been successfully enabled.

08 Repeat steps no. 3 - 7 to enable SSE for other S3 buckets available in your AWS account.

Default Encryption

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click on the name (link) of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Properties tab from the S3 dashboard top menu and click on the Default encryption feature configuration box.

05 Inside Default encryption configuration box, select one of the following options, based on your encryption requirements:

  1. Select AES-256 option to use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) to encrypt your S3 objects automatically at upload.
  2. Select AWS-KMS option to use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) to encrypt your S3 objects. If you choose this option, you must select a KMS-managed key from Select a key dropdown list or provide the ARN of your custom key inside Custom KMS ARN box.

06 Click Save to apply the changes and enable default encryption for the selected Amazon S3 bucket.

07 Repeat steps no. 3 - 6 to enable the Default Encryption feature for other S3 buckets available in your AWS account.

Using AWS CLI

Policy Conditions

01 First, define the access policy that will force the bucket owner and the users that have access to the bucket to request Server-Side Encryption for every object uploaded via Management Console, CLI or AWS API. Paste the following policy document in a JSON file named s3-sse-access-policy.json, replace the bucket name, i.e. cc-client-data, with the name of your bucket, then save the file. If your bucket already has an access policy implemented, append only the two Deny statements below to the existing policy Statement element. Note that the DenyIncorrectEncryptionHeader statement accepts only the AES256 header value (SSE-S3); an upload that requests SSE-KMS sends aws:kms in the same header and is denied by that statement, so adjust the condition value if your workloads rely on SSE-KMS:

{
  "Version": "2012-10-17",
  "Id": "PutSSEObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-client-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-client-data/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the access policy created at the previous step, i.e. s3-sse-access-policy.json, to the selected S3 bucket (the command does not produce an output):

aws s3api put-bucket-policy \
    --bucket cc-client-data \
    --policy file://s3-sse-access-policy.json

03 To test the Server-Side Encryption feature implementation via AWS CLI, upload a simple text file (e.g. cc-client-profile.txt) using the s3 cp command (OSX/Linux/UNIX) with the --sse parameter, as shown in the example below (--sse without a value requests AES256, the algorithm the policy accepts). If the command is executed without returning any errors, Server-Side Encryption has been successfully enabled:

aws s3 cp /app/data/cc-client-profile.txt s3://cc-client-data/ --sse

04 Repeat steps no. 1 - 3 to enable Server-Side Encryption for other S3 buckets available in your AWS account.

Default Encryption

01 To enable default encryption for your existing S3 buckets using AWS CLI, execute one of the following command requests, based on your encryption requirements:

  1. Run put-bucket-encryption command (OSX/Linux/UNIX) to enable default encryption for the selected S3 bucket using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) (the command does not produce an output):

    aws s3api put-bucket-encryption \
        --bucket cloud-conformity-media \
        --server-side-encryption-configuration '{
          "Rules": [
            {
              "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }'

  2. Or run put-bucket-encryption command (OSX/Linux/UNIX) to enable default encryption for the selected bucket using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). To use this encryption configuration, you must provide the ARN of an AWS KMS-managed key as value for the KMSMasterKeyID parameter (e.g. "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd"). The put-bucket-encryption command request does not produce an output:

    aws s3api put-bucket-encryption \
        --bucket cloud-conformity-media \
        --server-side-encryption-configuration '{
          "Rules": [
            {
              "ApplyServerSideEncryptionByDefault": {
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd",
                "SSEAlgorithm": "aws:kms"
              }
            }
          ]
        }'

02 Repeat step no. 1 to enable the Default Encryption feature for other S3 buckets available in your AWS account.

Publication date Jan 31, 2017