Ensure All S3 Buckets Employ Encryption-at-Rest Rule
This rule mandates encryption-at-rest for all S3 buckets to enhance data security and compliance.
| Rule | Ensure all S3 buckets employ encryption-at-rest |
| Framework | cis_v150 |
| Severity | ✔ High |
Rule Description:
The rule ensures that all Amazon S3 buckets employ encryption-at-rest. Encryption-at-rest is a security measure that provides additional protection to the data stored in S3 buckets by encrypting it while at rest, making it unreadable to unauthorized individuals or systems.
This rule is aligned with CIS Amazon Web Services Foundations benchmark version 1.5.0 (cis_v150).
Troubleshooting Steps:
- 1.Check if the S3 bucket encryption setting is enabled.
- 2.Verify if the correct encryption option is chosen.
- 3.Check if any specific bucket policy or IAM policy is blocking encryption.
Necessary Code:
No specific code is provided for this rule. The encryption setting needs to be verified and potentially enabled for the S3 buckets.
Remediation Steps:
Follow these steps to remediate the issue if any non-compliant S3 buckets are found.
- 1.Login to the AWS Management Console.
- 2.Navigate to the S3 service.
- 3.Select the non-compliant bucket from the list.
- 4.Click on the "Properties" tab.
- 5.Scroll down to the "Default encryption" section.
- 6.Click on the "Edit" button.
- 7.Enable the "Default encryption" toggle switch.
- 8.Choose the encryption option that aligns with your security requirements. AWS provides options like S3-managed keys (SSE-S3), AWS Key Management Service (SSE-KMS), or a customer-provided key (SSE-C).
- SSE-S3: Uses S3-managed keys to encrypt the data.
- SSE-KMS: Uses AWS Key Management Service (KMS) to manage the encryption keys.
- SSE-C: Allows you to provide your own encryption keys for data encryption.
- 9.Click on "Save changes" to apply the encryption setting.
Note:
Ensure that the selected encryption option meets your compliance and security requirements. SSE-KMS offers additional features like key rotation, audit logs, and granular access control.
References: