
Rule: S3 Bucket Default Encryption Should Be Enabled

This rule ensures that default encryption is enabled for S3 buckets to maintain data security.

Rule: S3 bucket default encryption should be enabled
Framework: NIST 800-171 Revision 2
Severity: Low

Rule Description:

This rule ensures that the default encryption is enabled for Amazon S3 buckets, as required by the NIST 800-171 Revision 2 compliance framework. Default encryption ensures that all objects stored in the S3 bucket are automatically encrypted at rest, providing an extra layer of security to protect sensitive data.

By enabling default encryption, you ensure that newly uploaded objects are encrypted either with a key you manage in AWS Key Management Service (AWS KMS) or with an AWS managed key. This helps safeguard data in the event of unauthorized access or a data breach.

Troubleshooting Steps:

If the default encryption is not enabled for an S3 bucket, you can follow these troubleshooting steps:

  1. Verify NIST 800-171 Revision 2 compliance requirements: Ensure that the NIST 800-171 Revision 2 compliance framework is applicable to your organization or to the specific S3 bucket.

  2. Check the default encryption status: Validate whether default encryption is currently enabled for the S3 bucket in question.

  3. Review bucket policies and permissions: Ensure that you have the necessary permissions to enable default encryption for the S3 bucket.

  4. Verify AWS KMS key permissions: Confirm that the AWS KMS key used for encryption has the correct permissions and is accessible by the S3 bucket.

  5. Ensure the AWS KMS key is available: Verify that the AWS KMS key required for encryption exists and is available in the region where the S3 bucket resides.

Remediation:

To enable default encryption for an S3 bucket to comply with NIST 800-171 Revision 2, follow the step-by-step guide below:

  1. Navigate to the Amazon S3 Management Console: Open the Amazon S3 Management Console using AWS account credentials with the necessary permissions.

  2. Select the target S3 bucket: Locate and select the S3 bucket to configure for default encryption.

  3. Click on the "Properties" tab: Once the bucket is selected, click on the "Properties" tab in the upper-right corner of the console.

  4. Open the default encryption configuration: Scroll down to the "Default encryption" section and click on the "Edit" button.

  5. Choose an encryption setting: In the default encryption configuration window, select the encryption setting that fits your requirements. You can choose either "AWS Key Management Service (KMS)" or "AES-256" encryption.

  6. AWS KMS encryption (recommended): If you choose AWS Key Management Service (KMS), select the KMS key that will be used for encryption. Ensure that the chosen key's policy grants the permissions the S3 bucket needs.

  7. AES-256 encryption: If you choose AES-256 encryption, Amazon S3 manages the server-side encryption keys itself; no key configuration is required.

  8. Save the encryption configuration: After selecting the desired encryption setting, click on the "Save" button to enable default encryption for the S3 bucket.

  9. Verify the default encryption status: Validate that default encryption is now enabled for the S3 bucket. The bucket properties should reflect the selected encryption setting.

Verification:

To verify that default encryption is enabled for an S3 bucket:

  1. Navigate to the Amazon S3 Management Console: Open the Amazon S3 Management Console using AWS account credentials with the necessary permissions.

  2. Select the target S3 bucket: Locate and select the S3 bucket previously configured for default encryption.

  3. Confirm the default encryption configuration: Under the "Properties" tab, check the "Default encryption" section. It should display the encryption setting chosen during the remediation steps.

  4. Validate encryption for new objects: Upload a new object to the S3 bucket and verify that the object is automatically encrypted at rest.

If the default encryption remains enabled and all new objects are encrypted, you have successfully ensured compliance with the NIST 800-171 Revision 2 requirement for default encryption in the S3 bucket.
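The status check from the troubleshooting and verification steps, and the remediation setting, can also be done programmatically. The following is an added example, not Cloud Defense's own code: it evaluates the response shape of the S3 GetBucketEncryption API (boto3's s3.get_bucket_encryption) and builds the matching put_bucket_encryption request. The sample responses and the key ARN are constructed placeholders so it runs offline.

```python
# Added example (not the vendor's code): classify a bucket's default encryption
# from the GetBucketEncryption response and build the remediation request.
from dataclasses import dataclass
from typing import Optional

KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")  # SSE-KMS and DSSE-KMS

@dataclass
class EncryptionFinding:
    bucket: str
    compliant: bool
    algorithm: Optional[str]   # "AES256", "aws:kms", ... or None when unset
    kms_key_id: Optional[str]  # None for SSE-S3 or for the AWS managed key aws/s3
    reason: str

def evaluate_bucket_encryption(bucket: str, config: Optional[dict]) -> EncryptionFinding:
    """config is the GetBucketEncryption response, or None when the call raised
    ServerSideEncryptionConfigurationNotFoundError (no default encryption set)."""
    if config is None:
        return EncryptionFinding(bucket, False, None, None, "no default encryption configured")
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algo = default.get("SSEAlgorithm")
        if algo == "AES256":
            return EncryptionFinding(bucket, True, algo, None, "SSE-S3 (AES-256) default encryption")
        if algo in KMS_ALGORITHMS:
            key = default.get("KMSMasterKeyID")
            return EncryptionFinding(bucket, True, algo, key,
                                     f"SSE-KMS default encryption with {key or 'AWS managed key aws/s3'}")
    return EncryptionFinding(bucket, False, None, None, "no ApplyServerSideEncryptionByDefault rule")

def remediation_request(bucket: str, kms_key_id: Optional[str] = None) -> dict:
    """Keyword arguments for s3.put_bucket_encryption: SSE-KMS with the given
    key (the recommended option above), otherwise SSE-S3 / AES-256."""
    if kms_key_id:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        default = {"SSEAlgorithm": "AES256"}
    rule = {"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": bool(kms_key_id)}
    return {"Bucket": bucket, "ServerSideEncryptionConfiguration": {"Rules": [rule]}}

# Constructed sample responses; the key ARN is a placeholder, not a real key.
SAMPLE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
SAMPLE_AES = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, cfg in [("kms-bucket", SAMPLE_KMS), ("sse-s3-bucket", SAMPLE_AES), ("unencrypted-bucket", None)]:
        print(evaluate_bucket_encryption(name, cfg))
    print(remediation_request("unencrypted-bucket"))
```

Because Amazon S3 has applied SSE-S3 to every new bucket automatically since January 2023, the finding of practical interest is usually whether a bucket uses the intended KMS key rather than whether any default encryption is set, which is what the algorithm and kms_key_id fields let you assert on.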
