
Rule: S3 Bucket Default Encryption Should Be Enabled

This rule ensures that default encryption is enabled for S3 buckets to protect data at rest. Compliance count: 61

Rule: S3 bucket default encryption should be enabled
Framework: CISA-cyber-essentials
Severity: Low

Rule Description

The rule requires that the default encryption setting is enabled for S3 buckets in compliance with CISA Cyber Essentials guidelines. This ensures that all objects within the S3 buckets are automatically encrypted at rest.

Troubleshooting Steps

If the default encryption is not enabled for an S3 bucket, follow these steps to troubleshoot:

  1. Verify IAM permissions: Ensure that the user or role accessing the S3 bucket has the permissions needed to enable default encryption.
  2. Check bucket policies: Review the bucket policy to ensure that no explicit Deny statement prevents default encryption from being enabled.
  3. Confirm encryption settings: Verify the bucket's existing encryption configuration.
  4. Check for dependencies: If the bucket already holds objects uploaded with their own server-side encryption settings, this may affect enabling default encryption. Review any such dependencies and resolve them.

Necessary Codes (if any)

No specific codes are required for this rule. Configuration changes are made through the AWS Management Console or AWS Command Line Interface (CLI) commands.

Remediation Steps

To enable default encryption for an S3 bucket, follow these steps:

  1. Open the AWS Management Console and navigate to the S3 service.
  2. Click on the name of the bucket where you want to enable default encryption.
  3. Click on the "Properties" tab.
  4. Under the "Default encryption" section, click on "Edit".
  5. Select the desired encryption mode: "AES-256" or "AWS Key Management Service (KMS)".
  6. If using AWS KMS, choose the KMS key to use for encryption.
  7. Click "Save" to apply the changes.

Verification Steps

To confirm that default encryption is enabled for an S3 bucket, follow these steps:

  1. Open the AWS Management Console and navigate to the S3 service.
  2. Click on the name of the bucket where default encryption was enabled.
  3. Click on the "Properties" tab.
  4. Under the "Default encryption" section, check that the encryption mode and the associated key (if using KMS) are displayed.

If default encryption is correctly enabled, all objects uploaded to the bucket will be automatically encrypted at rest.
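The same remediation and verification can be scripted against the S3 API instead of the console. The following is an added example (not Cloud Defense's or AWS's own code) using boto3: it parses a get-bucket-encryption response to decide whether the rule passes, builds the configuration for SSE-S3 (AES256) or SSE-KMS, and wraps the live audit/remediation calls. The bucket name and KMS key ARN are constructed placeholders, and the sample responses are constructed to match the shape returned by `aws s3api get-bucket-encryption`.

```python
"""Audit and remediate S3 default encryption with boto3 (added example)."""
from typing import Optional, Tuple


def parse_default_encryption(config: dict) -> Optional[Tuple[str, Optional[str]]]:
    """Return (SSEAlgorithm, KMSMasterKeyID) from a get_bucket_encryption
    response, or None when the bucket has no default-encryption rule."""
    rules = (config.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault") or {}
        if sse.get("SSEAlgorithm"):
            return sse["SSEAlgorithm"], sse.get("KMSMasterKeyID")
    return None


def is_compliant(config: dict) -> bool:
    """The rule passes when any default SSE rule exists (AES256 or aws:kms)."""
    return parse_default_encryption(config) is not None


def build_encryption_configuration(kms_key_id: Optional[str] = None) -> dict:
    """Configuration for put_bucket_encryption: SSE-KMS (with S3 Bucket Keys
    to reduce KMS calls) when a key is given, otherwise SSE-S3 / AES256."""
    if kms_key_id:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                       "KMSMasterKeyID": kms_key_id},
                "BucketKeyEnabled": True}
    else:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    return {"Rules": [rule]}


def audit_bucket(s3, bucket: str) -> bool:
    """Live verification step; `s3` is a boto3 S3 client. A bucket with no
    configuration raises ServerSideEncryptionConfigurationNotFoundError."""
    from botocore.exceptions import ClientError  # imported here so the pure helpers run without botocore
    try:
        return is_compliant(s3.get_bucket_encryption(Bucket=bucket))
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return False
        raise


def remediate_bucket(s3, bucket: str, kms_key_id: Optional[str] = None) -> None:
    """Live remediation step: enable default encryption on the bucket."""
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=build_encryption_configuration(kms_key_id))


# Constructed sample responses, shaped like `aws s3api get-bucket-encryption` output.
SAMPLE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}
SAMPLE_NO_RULE = {"ServerSideEncryptionConfiguration": {"Rules": []}}
```

Running `audit_bucket(boto3.client("s3"), "example-bucket")` and, if it returns False, `remediate_bucket(...)` followed by a second audit reproduces the console remediation and verification steps above.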
