Rule: S3 Bucket Default Encryption should be Enabled with KMS

This rule ensures that S3 buckets have default encryption enabled with KMS for enhanced security.

Rule: S3 bucket default encryption should be enabled with KMS
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

Rule Description:

This rule checks that the default encryption setting is enabled for Amazon S3 buckets using AWS Key Management Service (AWS KMS), as required for Federal Financial Institutions Examination Council (FFIEC) compliance. With default encryption enabled, objects stored in the bucket are encrypted with a KMS key even when the uploader supplies no encryption header, providing an additional layer of protection for sensitive data.

Troubleshooting Steps (if any):

If default encryption is not enabled with KMS for the S3 bucket, follow the steps below to troubleshoot the issue:

  1. Ensure that you have the necessary permissions to enable default encryption for the S3 bucket.
  2. Check that the KMS key used for encryption exists and is accessible to the AWS account that owns the bucket.
  3. Verify that no bucket policy or IAM policy is preventing the default encryption configuration from being applied.

Necessary Codes (if any):

No specific code snippets are needed for this rule.

Step-by-Step Guide for Remediation:

Follow the steps below to enable default encryption with KMS for the S3 bucket:

  1. Open the Amazon S3 Management Console: https://s3.console.aws.amazon.com/s3/home
  2. Select the target S3 bucket for which you want to enable default encryption.
  3. Click on the "Properties" tab located at the top-right corner.
  4. Scroll down to the "Default encryption" section and click on "Edit."
  5. In the "Default encryption" dialog box, select the "AWS Key Management Service (AWS KMS)" radio button.
  6. Choose the appropriate KMS key from the dropdown menu. Ensure that the selected KMS key is compliant with the FFIEC requirements.
  7. Click on the "Save" button to save the changes.
  8. Amazon S3 will now automatically encrypt objects uploaded to the bucket using the selected KMS key; objects already in the bucket are not re-encrypted retroactively.
  9. Verify the default encryption status by checking the "Properties" tab for the bucket and ensuring that the "Default encryption" section reflects the changes made.

Note: Enabling default encryption may incur additional AWS KMS charges for using the KMS key. Please review the AWS KMS pricing for further details.

By following these steps, you have enabled default encryption with KMS for the S3 bucket, satisfying this FFIEC control.
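The console procedure above can be verified programmatically. The following added example (not part of the original rule page) evaluates this rule against the structure returned by the S3 GetBucketEncryption API (the same document that PutBucketEncryption accepts), distinguishing SSE-KMS from SSE-S3 and from a bucket with no encryption rule at all; the sample responses and the KMS key ARN are constructed placeholders.

```python
"""Evaluate 'S3 default encryption enabled with KMS' against a bucket's
encryption configuration, i.e. the parsed response of
`aws s3api get-bucket-encryption --bucket <name>`."""
import json
from typing import Optional

# Algorithms that mean "encrypted with KMS": SSE-KMS and dual-layer DSSE-KMS.
KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")


def evaluate_default_encryption(config: Optional[dict]) -> dict:
    """Return {'compliant': bool, 'reason': str, 'key': Optional[str]}.

    Pass None when GetBucketEncryption failed with
    ServerSideEncryptionConfigurationNotFoundError (no configuration at all).
    Buckets without an explicit configuration report AES256 (SSE-S3) since
    S3 began encrypting new objects by default; this rule treats that as
    non-compliant because the key is not a KMS key.
    """
    if not config:
        return {"compliant": False, "reason": "no default encryption configured", "key": None}
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algorithm = default.get("SSEAlgorithm", "")
        if algorithm in KMS_ALGORITHMS:
            # Without KMSMasterKeyID, S3 falls back to the AWS managed key aws/s3.
            key = default.get("KMSMasterKeyID") or "aws/s3 (AWS managed key)"
            return {"compliant": True, "reason": f"default {algorithm}", "key": key}
        return {"compliant": False, "reason": f"default encryption is {algorithm}, not KMS", "key": None}
    return {"compliant": False, "reason": "no default-encryption rule present", "key": None}


# Constructed sample responses (not captured from a real account).
NON_COMPLIANT_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}, "BucketKeyEnabled": False}]}}

# The inner ServerSideEncryptionConfiguration is what PutBucketEncryption takes
# to apply the remediation described above. Key ARN is a placeholder.
COMPLIANT_SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
     "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for name, cfg in [("sse-s3", NON_COMPLIANT_SSE_S3), ("sse-kms", COMPLIANT_SSE_KMS), ("none", None)]:
        print(name, json.dumps(evaluate_default_encryption(cfg)))
```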
