Rule: S3 Bucket Default Encryption Should Be Enabled

This rule ensures that default encryption is enabled for S3 buckets.

Rule: S3 bucket default encryption should be enabled
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description

This rule ensures that default encryption is enabled for Amazon S3 buckets, in support of the data-at-rest protection requirements of the National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2. With default encryption enabled, every object written to the bucket without an explicit encryption header is encrypted at rest with server-side encryption (SSE-S3 or SSE-KMS); an upload that specifies its own encryption settings overrides the default. Two caveats apply. Default encryption is not retroactive: objects that already exist in the bucket stay as they were until they are copied or re-uploaded. And since January 2023 Amazon S3 applies SSE-S3 to all new objects automatically, so in practice the setting matters most when you want SSE-KMS with a key whose policy, rotation and usage logging you control.

Troubleshooting Steps

If default encryption is not enabled for an S3 bucket, or cannot be enabled, work through these checks:

  1. Verify IAM permissions: the IAM user or role performing the change needs the s3:PutEncryptionConfiguration permission on the bucket, and s3:GetEncryptionConfiguration to read the current setting. If the principal's identity policies look correct, also check for a permissions boundary or an AWS Organizations service control policy (SCP) that denies the action.

  2. Check bucket policies: review the bucket policy for an explicit Deny on s3:PutEncryptionConfiguration (or on s3:*) that would block the change. An explicit Deny overrides any Allow, so remove or scope down the conflicting statement.

  3. Check bucket ownership: confirm that the bucket belongs to your account or that you have been granted permission to modify its settings. If not, ask the bucket owner or an administrator to apply the change.

  4. Check the current encryption settings: read the configuration with aws s3api get-bucket-encryption --bucket <bucket-name>. A ServerSideEncryptionConfigurationNotFoundError response means no default encryption is configured. If a configuration exists but the rule still reports the bucket, inspect the KMS key it references: the key must be enabled, in the same AWS Region as the bucket, and its key policy must allow the principals that write and read objects to use it.

  5. Review AWS Config rules: if you evaluate compliance with AWS Config, confirm that the managed rule s3-bucket-server-side-encryption-enabled is active in the Region, check its parameters, and follow the remediation guidance it provides.

Necessary Codes (IAM Policy)

To enable default encryption for S3 buckets, you need to attach the following IAM policy to the user or role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutEncryptionConfiguration",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Note: Replace arn:aws:s3:::* with the ARN of a specific bucket if you want to restrict the permission to that bucket. Add s3:GetEncryptionConfiguration if the same principal needs to read the current setting. For SSE-KMS this policy is enough to configure the bucket, but principals that later upload or read objects also need kms:GenerateDataKey and kms:Decrypt on the chosen key, granted through the key policy or their IAM policies.

Step-by-Step Guide for Remediation

  1. Open the AWS Management Console and navigate to the Amazon S3 service.

  2. In the bucket list, locate the bucket that needs default encryption enabled and click its name to open it.

  3. Select the "Properties" tab.

  4. Under the "Default encryption" section, click "Edit".

  5. Choose the encryption type based on your requirements: server-side encryption with Amazon S3 managed keys (SSE-S3) or server-side encryption with AWS Key Management Service keys (SSE-KMS). Choose SSE-KMS when you need control over the key policy and rotation, or CloudTrail logging of every use of the key.

  6. If you choose SSE-KMS, select an existing KMS key or create a new one. The key must be in the same Region as the bucket, and its key policy must allow the principals that write and read objects to use it. Leaving "Bucket Key" enabled reduces the number of requests S3 makes to KMS for the bucket.

  7. If you choose SSE-S3, no further configuration is required; Amazon S3 manages the keys.

  8. Click "Save changes" to enable default encryption for the bucket.

  9. Verify the setting in the "Default encryption" section of the "Properties" tab. From this point, new objects uploaded without an encryption header are encrypted with the chosen method. Objects that were already in the bucket are not re-encrypted; copy them in place with the desired encryption settings if they must use the new default.

  10. Repeat this process for any other S3 buckets that require default encryption.

By following these steps, you enable default encryption for the bucket and bring it into line with the NIST 800-171 Revision 2 requirement this rule maps to.
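The same check and remediation can be scripted. The following Python is an added example, not code from this page or from Cloud Defense: it evaluates a GetBucketEncryption response the way the troubleshooting steps describe (treating the ServerSideEncryptionConfigurationNotFoundError case as "not configured", and optionally requiring SSE-KMS rather than SSE-S3), builds the PutBucketEncryption body the console steps produce, and wraps both in a live check-and-fix function. The sample responses and the KMS key ARN are constructed placeholders; the boto3 calls are the real get_bucket_encryption / put_bucket_encryption API, but only apply_default_encryption() touches AWS, so the helpers run offline.

```python
"""Evaluate and remediate S3 default encryption (GetBucketEncryption / PutBucketEncryption).

The check and build helpers work on plain dicts shaped like the boto3 responses, so
they run offline; only apply_default_encryption() talks to AWS.
"""
from __future__ import annotations

# SSEAlgorithm values S3 accepts in ApplyServerSideEncryptionByDefault
SSE_S3 = "AES256"
SSE_KMS = "aws:kms"
DSSE_KMS = "aws:kms:dsse"
ACCEPTED_ALGORITHMS = {SSE_S3, SSE_KMS, DSSE_KMS}


def default_encryption_status(response: dict | None, require_kms: bool = False) -> tuple[bool, str]:
    """Decide whether a bucket's default encryption satisfies the rule.

    `response` is the dict returned by get_bucket_encryption(), or None when that call
    raised ServerSideEncryptionConfigurationNotFoundError (nothing configured).
    With require_kms=True, SSE-S3 is reported as a finding so that only KMS keys you
    control and audit pass. Returns (compliant, human-readable reason).
    """
    if response is None:
        return False, "no default encryption configuration on bucket"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        by_default = rule.get("ApplyServerSideEncryptionByDefault")
        if not by_default:
            continue
        algorithm = by_default.get("SSEAlgorithm")
        if algorithm not in ACCEPTED_ALGORITHMS:
            return False, f"unrecognised SSEAlgorithm {algorithm!r}"
        if require_kms and algorithm == SSE_S3:
            return False, "SSE-S3 configured but SSE-KMS is required"
        # SSE-KMS without KMSMasterKeyID means S3 falls back to the AWS managed aws/s3 key
        key_id = by_default.get("KMSMasterKeyID", "aws/s3" if algorithm != SSE_S3 else "S3-managed")
        return True, f"{algorithm} with key {key_id}"
    return False, "configuration present but no ApplyServerSideEncryptionByDefault rule"


def build_encryption_configuration(kms_key_arn: str | None = None, bucket_key: bool = True) -> dict:
    """Build the ServerSideEncryptionConfiguration body for put_bucket_encryption().

    Without a key ARN the bucket gets SSE-S3; with one it gets SSE-KMS. BucketKeyEnabled
    only applies to SSE-KMS and reduces the number of KMS requests S3 makes.
    """
    if kms_key_arn:
        rule = {
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": SSE_KMS, "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": bucket_key,
        }
    else:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": SSE_S3}}
    return {"Rules": [rule]}


def apply_default_encryption(bucket: str, kms_key_arn: str | None = None, dry_run: bool = True) -> tuple[bool, str]:
    """Live check-and-fix for one bucket. Needs boto3 and credentials holding
    s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration on the bucket."""
    import boto3  # imported here so the offline helpers above do not need it
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        current = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise  # AccessDenied and similar are the troubleshooting cases above, not "not configured"
        current = None
    compliant, reason = default_encryption_status(current, require_kms=kms_key_arn is not None)
    if compliant or dry_run:
        return compliant, reason
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=build_encryption_configuration(kms_key_arn),
    )
    return True, f"default encryption set to {SSE_KMS if kms_key_arn else SSE_S3}"


# Constructed sample responses in the shape get_bucket_encryption() returns; the account
# number and key id in the ARN are placeholders, not a real key.
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
     "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for name, sample in [("none", None), ("sse-s3", SAMPLE_SSE_S3), ("sse-kms", SAMPLE_SSE_KMS)]:
        print(name, default_encryption_status(sample, require_kms=True))
```

Run apply_default_encryption("<bucket-name>", kms_key_arn="<key-arn>", dry_run=False) against a real bucket to remediate; with the default dry_run=True it only reports. Keeping the evaluation separate from the AWS calls is deliberate: the same default_encryption_status() can be pointed at AWS Config resource snapshots or CloudTrail PutBucketEncryption event bodies without credentials.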
