Rule: S3 Bucket Default Encryption should be Enabled with KMS

This rule ensures that S3 buckets have default encryption enabled with KMS for improved security.

Rule: S3 bucket default encryption should be enabled with KMS
Framework: GxP EU Annex 11
Severity: Medium

Rule: S3 Bucket Default Encryption with KMS for GxP EU Annex 11

Description

The rule requires that all S3 buckets used in conjunction with systems compliant with Good Manufacturing Practice (GMP) for medicinal products in the EU must have default encryption enabled using AWS Key Management Service (KMS). This is to satisfy requirements laid out in the EU Annex 11, which provides guidelines on computerized systems used as part of GxP practices.

Key Points:

  • Default encryption ensures all new objects are encrypted upon upload.
  • AWS KMS provides the ability to use managed keys for encryption, which meets higher security standards compared to the default S3-managed keys (SSE-S3).
  • Compliance with EU Annex 11 helps ensure data integrity and security for pharmaceutical companies operating within the EU.

Troubleshooting Steps

If your S3 bucket is not compliant with this rule, follow these steps to identify and resolve the issue:

  1. Check Encryption Status: Verify whether the bucket has default encryption enabled.
  2. Verify KMS Integration: If default encryption is enabled, check whether it is set to use AWS KMS instead of Amazon S3-managed keys.
  3. Identify Correct KMS Key: Ensure the KMS key used for encryption is approved and managed correctly in line with GxP and EU Annex 11 requirements.
  4. Validate Encryption on New Objects: Upload a test file to the bucket and verify that it is encrypted with the correct KMS key.

Necessary Codes

Checking Bucket Encryption Configuration

aws s3api get-bucket-encryption --bucket YOUR_BUCKET_NAME

Replace YOUR_BUCKET_NAME with the name of your S3 bucket.

Enabling Default Encryption with KMS Key

aws s3api put-bucket-encryption \
--bucket YOUR_BUCKET_NAME \
--server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "YOUR_KMS_KEY_ID"
            }
        }
    ]
}'

Replace YOUR_BUCKET_NAME with the name of your S3 bucket and YOUR_KMS_KEY_ID with the ID of your KMS key.

Step by Step Guide for Remediation

1. Verify the Current Encryption Settings

Check the encryption status of your S3 bucket using the AWS CLI command provided above. The output tells you whether default encryption is already enabled and which method it uses.

2. Enable Default Encryption with a KMS key

If your S3 bucket does not have default encryption enabled or it is not using a KMS key, use the AWS CLI command under 'Necessary Codes' to enable it.

3. Verify the Encryption Setting

After applying the settings, verify that your S3 bucket now has the desired encryption. Use the same command from step 1 to confirm the changes.

4. Test the Configuration

Upload a test file to the S3 bucket and check the properties of the object to ensure it is encrypted with the KMS key.
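The verification in steps 1 and 3 amounts to reading the JSON that get-bucket-encryption prints and deciding whether it satisfies the rule. The following evaluator is an added example, not part of the original page or the Cloud Defense product; the bucket responses, account number and key ARN are constructed placeholders, and the approved-key list is an assumption standing in for whatever your GxP key inventory says.

```python
import json
from typing import Optional, Tuple

# Constructed sample of `aws s3api get-bucket-encryption` output for a compliant
# bucket. The account number and key ID are placeholders, not real identifiers.
APPROVED_KEY = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-APPROVED-KEY-ID"
SAMPLE_KMS_APPROVED = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": APPROVED_KEY}}]}})
# Constructed sample: default encryption on, but with S3-managed keys (SSE-S3).
SAMPLE_SSE_S3 = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
# Constructed sample: aws:kms with no key ID, which means the AWS-managed key
# aws/s3 rather than a customer key you control and audit.
SAMPLE_KMS_AWS_MANAGED = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}})

# Assumed allow-list of KMS keys approved under your GxP controls. Entries must be
# written in the same form (ARN, key ID or alias) as the bucket configuration uses.
APPROVED_KEYS = {APPROVED_KEY}


def evaluate_bucket_encryption(cli_output: Optional[str],
                               approved_keys: set) -> Tuple[bool, str]:
    """Return (compliant, reason) for one bucket.

    cli_output is the JSON printed by `aws s3api get-bucket-encryption`, or None
    when that call failed with ServerSideEncryptionConfigurationNotFoundError,
    which is how S3 reports a bucket with no default encryption at all.
    """
    if cli_output is None:
        return False, "no default encryption configured"
    config = json.loads(cli_output).get("ServerSideEncryptionConfiguration", {})
    rules = config.get("Rules", [])
    if not rules:
        return False, "encryption configuration contains no rules"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm != "aws:kms":
        return False, f"default algorithm is {algorithm}, not aws:kms"
    key_id = default.get("KMSMasterKeyID")
    if not key_id:
        return False, "aws:kms without KMSMasterKeyID uses the AWS-managed key aws/s3"
    if key_id not in approved_keys:
        return False, f"KMS key {key_id} is not on the approved list"
    return True, f"default encryption uses approved KMS key {key_id}"


if __name__ == "__main__":
    for name, output in [("approved", SAMPLE_KMS_APPROVED), ("sse-s3", SAMPLE_SSE_S3),
                         ("aws-managed", SAMPLE_KMS_AWS_MANAGED), ("none", None)]:
        print(name, evaluate_bucket_encryption(output, APPROVED_KEYS))
```

Feed the function the real command output (and None when the CLI reports ServerSideEncryptionConfigurationNotFoundError) to run the same check across every bucket in an account.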

By following these steps, you can bring your S3 buckets into line with the GxP EU Annex 11 requirement for KMS-backed default encryption.
