
Rule: S3 Bucket Default Encryption Should Be Enabled

This rule ensures that default encryption is enabled for S3 buckets to secure data at rest.

Rule: S3 bucket default encryption should be enabled
Framework: GxP 21 CFR Part 11
Severity: Low

Rule Description:

The rule requires enabling default encryption for an S3 bucket to comply with the GxP (Good Practices) regulations specified in 21 CFR Part 11. This ensures that all objects stored in the bucket are automatically encrypted at rest, providing an added layer of security and meeting the regulatory requirements.

Troubleshooting Steps:

If default encryption is not enabled for an S3 bucket, follow the steps below to troubleshoot the issue:

1. Confirm access permissions: Ensure that you have the necessary permissions to modify the S3 bucket's default encryption settings. You need the appropriate IAM (Identity and Access Management) permissions to make changes to the bucket.

2. Check bucket settings: Verify the bucket settings to confirm whether default encryption is already enabled. If it is, the finding stems from a different issue that needs to be troubleshot separately.

3. Review AWS KMS key policies: Ensure that the Key Management Service (KMS) key used for encryption has the appropriate permissions and key policies assigned. Misconfigured key policies can prevent default encryption from being enabled.

4. Verify AWS KMS key availability: Check that the AWS KMS key used for default encryption is available in the same AWS region as the S3 bucket. If the key is not available in the correct region, default encryption cannot be enabled.

5. Check AWS CloudTrail logs: Review AWS CloudTrail logs to identify any errors or events related to default encryption. This can provide insight into whatever is preventing default encryption from being enabled.

6. Seek AWS Support: If the issue persists and cannot be resolved through troubleshooting, consider contacting AWS Support for further assistance. They can help diagnose and resolve any underlying issues preventing the enablement of default encryption.

Necessary Codes:

No specific codes are required for this rule. However, you may need AWS CLI commands to verify and enable default encryption. Refer to the steps below for the relevant commands.

Step-by-step Guide for Remediation:

Follow these steps to enable default encryption for an S3 bucket:

1. Open the AWS Management Console and navigate to the Amazon S3 service.

2. Select the specific S3 bucket for which you want to enable default encryption.

3. Click on the "Properties" tab in the top menu.

4. Scroll down to the "Default encryption" section.

5. Click on the "Edit" button next to "Default encryption".

6. Choose the encryption option you want to use for the default encryption, such as SSE-S3, SSE-KMS, or SSE-C.

7. Select the appropriate AWS KMS key or SSE-S3/SSE-C options to enable default encryption. If using SSE-KMS, ensure the selected key has the necessary permissions and is available in the correct region.

8. Click on the "Save changes" button to apply the default encryption settings to the S3 bucket.

9. Validate that the default encryption configuration is successfully applied by viewing the bucket properties and confirming the encryption settings.

Once the default encryption is enabled, all new objects stored in the bucket will be automatically encrypted at rest using the specified encryption method.
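The troubleshooting checks and the remediation steps above can be scripted against the same S3 API the console uses. The following is an added example written for this page, not code from Cloud Defense or AWS: it evaluates a GetBucketEncryption response the way the rule does (treating a missing configuration, an empty rule list and an unsupported algorithm as failures), builds the PutBucketEncryption payload for SSE-S3 or SSE-KMS, and, when boto3 and credentials are available, applies it to a live bucket. The bucket names, the account id 111122223333, the key ARN and the alias are constructed placeholders; the helper names `evaluate_encryption`, `build_encryption_config` and `audit_and_remediate` are this example's own.

```python
"""Audit and remediate S3 bucket default encryption (SSE-S3 / SSE-KMS)."""
import json

# Algorithms PutBucketEncryption accepts as a bucket default. SSE-C keys are
# supplied by the client on every request, so SSE-C cannot be a bucket default.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def evaluate_encryption(response):
    """Evaluate a GetBucketEncryption response (the dict boto3 returns, or the
    JSON printed by `aws s3api get-bucket-encryption`).

    Returns (compliant, reason). A response of None models the
    ServerSideEncryptionConfigurationNotFoundError raised for buckets that
    have never had default encryption configured.
    """
    if response is None:
        return False, "no default encryption configuration on bucket"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "encryption configuration present but contains no rules"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm not in ALLOWED_ALGORITHMS:
            return False, f"unsupported or missing SSEAlgorithm: {algorithm!r}"
        if algorithm.startswith("aws:kms") and not default.get("KMSMasterKeyID"):
            # Compliant, but the AWS-managed key (aws/s3) is in use; surface it
            # so reviewers can confirm that is acceptable for GxP-scoped data.
            return True, f"{algorithm} with AWS-managed key (no KMSMasterKeyID set)"
    return True, f"default encryption enabled ({algorithm})"


def build_encryption_config(algorithm="AES256", kms_key_id=None, bucket_key=True):
    """Build the ServerSideEncryptionConfiguration payload for PutBucketEncryption.

    For SSE-KMS pass the key ARN or alias (troubleshooting steps 3 and 4 apply:
    the key must be usable by the caller and live in the bucket's region).
    """
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"{algorithm!r} cannot be used as a bucket default")
    default = {"SSEAlgorithm": algorithm}
    if algorithm.startswith("aws:kms"):
        if kms_key_id:
            default["KMSMasterKeyID"] = kms_key_id
        # S3 Bucket Keys cut KMS request volume; only meaningful for SSE-KMS.
        rule = {"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": bucket_key}
    else:
        if kms_key_id:
            raise ValueError("KMSMasterKeyID is only valid with aws:kms algorithms")
        rule = {"ApplyServerSideEncryptionByDefault": default}
    return {"Rules": [rule]}


def audit_and_remediate(bucket, config=None, dry_run=True):
    """Check a live bucket and optionally apply `config` (requires boto3 and
    AWS credentials in the environment; imported here so the pure checking
    logic above runs without them)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        response = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            response = None
        else:
            raise  # e.g. AccessDenied: see troubleshooting step 1
    compliant, reason = evaluate_encryption(response)
    if compliant or config is None or dry_run:
        return compliant, reason
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=config)
    return True, "applied " + config["Rules"][0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


if __name__ == "__main__":
    # Constructed sample responses; not captured from a real account.
    samples = {
        "legacy-bucket": None,
        "kms-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
            "BucketKeyEnabled": True}]}},
    }
    for name, resp in samples.items():
        print(name, evaluate_encryption(resp))
    print(json.dumps(build_encryption_config("aws:kms", "alias/EXAMPLE-ALIAS"), indent=2))
```

The same two calls are available from the AWS CLI as `aws s3api get-bucket-encryption --bucket <bucket>` and `aws s3api put-bucket-encryption --bucket <bucket> --server-side-encryption-configuration file://sse.json`, where sse.json holds the output of `build_encryption_config`. Two caveats worth keeping in mind: the SSEAlgorithm field only accepts the values in `ALLOWED_ALGORITHMS`, so SSE-C is a per-object upload option rather than something this bucket setting can enforce, and a default encryption rule applies to objects written after it is set, so existing objects should be verified separately.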

Note: Remember to review and adhere to any regulatory requirements specific to GxP 21 CFR Part 11 during the setup and configuration of default encryption for S3 buckets.

Please ensure you understand the impact and potential limitations of enabling default encryption within your environment before implementing this configuration.
