This rule checks that S3 buckets have default encryption enabled with an AWS KMS key (SSE-KMS) rather than the S3-managed default (SSE-S3).
Rule: S3 bucket default encryption should be enabled with KMS
Framework: NIST 800-53 Revision 5
Severity: Medium
Rule Description:
S3 bucket default encryption with an AWS Key Management Service (KMS) key (SSE-KMS) should be enabled to satisfy the encryption-at-rest controls of NIST 800-53 Revision 5, which require sensitive data stored in S3 buckets to be protected against unauthorized access. Note that S3 already applies SSE-S3 (AES256) to new objects by default; that does not satisfy this rule. The bucket's default encryption rule must specify the SSEAlgorithm aws:kms, so that access to object data is additionally governed by the KMS key policy and key usage is recorded in CloudTrail.
Troubleshooting Steps:
Verify NIST 800-53 compliance: Check whether the bucket's default encryption rule uses aws:kms. A rule showing AES256, or no rule at all, is non-compliant; follow the remediation steps below.
Permissions and roles: The identity performing the change needs s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration on the bucket. Principals that write or read objects afterwards need kms:GenerateDataKey and kms:Decrypt on the chosen key, otherwise uploads and downloads fail with AccessDenied.
Key Management Service settings: The KMS key must be enabled, must be in the same Region as the bucket, and its key policy must allow the bucket's readers and writers to use it. If the key belongs to another account, reference it by full key ARN and grant access in that account's key policy.
Remediation:
Follow the steps below to enable default encryption with KMS for an S3 bucket:
Open the AWS Management Console and navigate to the S3 service.
Select the bucket for which you want to enable default encryption.
Open the "Properties" tab and scroll to the "Default encryption" section, then click "Edit".
Choose "Server-side encryption with AWS Key Management Service keys (SSE-KMS)".
Select an existing KMS key or create a new one. Ensure that the key policy allows the principals that use the bucket to perform kms:GenerateDataKey and kms:Decrypt. Enabling "Bucket Key" is recommended; it reduces the number of KMS requests (and their cost) without weakening the encryption.
Click "Save changes" to enable default encryption with KMS for the selected bucket.
CLI Commands:
If you prefer the AWS Command Line Interface (CLI), the same change is a single call:
Run the following command to enable default encryption with KMS:
aws s3api put-bucket-encryption --bucket bucket-name --server-side-encryption-configuration '{ "Rules": [ {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "KMS_key_ID"}}]}'
Replace bucket-name with the name of your S3 bucket and KMS_key_ID with the key ID or key ARN of the KMS key to use (a key in another account must be given as its full ARN).
Verify the change with:
aws s3api get-bucket-encryption --bucket bucket-name
Replace bucket-name with the name of your S3 bucket. The output should show "SSEAlgorithm": "aws:kms" together with the key you specified; "AES256" means the bucket is still on SSE-S3.
Note:
Enabling default encryption with KMS for an S3 bucket ensures that objects uploaded from then on are encrypted with the specified KMS key whenever the request does not itself specify a different server-side encryption option. It does not re-encrypt objects that already exist; those must be copied in place (for example with aws s3 cp --sse aws:kms) to move them to the key. To stop clients from overriding the default with SSE-S3 in their own requests, add a bucket policy that denies s3:PutObject unless the request specifies aws:kms. This measure protects sensitive data from unauthorized access and supports the NIST 800-53 Revision 5 control requirements.
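The console and CLI procedures above can be folded into one check-and-remediate script. The following is an added example written for this page, not tooling from AWS or from the rule's publisher. It assumes AWS CLI v2 with credentials that hold s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration; it does not need jq. The two SAMPLE_* strings are constructed copies of what get-bucket-encryption prints, used so the classification logic can be exercised without an AWS account, and the key alias "alias/s3-default" in the usage line is a placeholder, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not part of the original rule page): classify a bucket's
# default encryption and switch it to SSE-KMS when it is not already there.
set -eu

# Constructed samples of `aws s3api get-bucket-encryption` output, used for a dry run.
SAMPLE_KMS='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},"BucketKeyEnabled":true}]}}'
SAMPLE_S3='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"},"BucketKeyEnabled":false}]}}'

# classify_sse: read get-bucket-encryption JSON on stdin and print one of
#   kms     SSEAlgorithm is aws:kms (or aws:kms:dsse) - what this rule requires
#   sse-s3  SSEAlgorithm is AES256 - the S3-managed default, NOT compliant
#   none    no configuration found in the input (older buckets, or a failed call)
classify_sse() {
  alg=$(tr -d '[:space:]' | sed -n 's/.*"SSEAlgorithm":"\([^"]*\)".*/\1/p')
  case "$alg" in
    aws:kms|aws:kms:dsse) echo kms ;;
    AES256)               echo sse-s3 ;;
    *)                    echo none ;;
  esac
}

# kms_key_id: print the KMSMasterKeyID from get-bucket-encryption JSON on stdin
# (empty when the bucket is not on SSE-KMS).
kms_key_id() {
  tr -d '[:space:]' | sed -n 's/.*"KMSMasterKeyID":"\([^"]*\)".*/\1/p'
}

# remediation_json: build the --server-side-encryption-configuration body.
# $1 is the KMS key ID or ARN. Bucket Keys are enabled to cut KMS request volume.
remediation_json() {
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$1"
}

# check_and_remediate BUCKET KMS_KEY: leave compliant buckets alone, fix the rest,
# then re-read the configuration so a silent failure cannot pass as success.
check_and_remediate() {
  bucket=$1
  key=$2
  # Buckets that predate default encryption return an error here; treat as "none".
  current=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null || true)
  state=$(printf '%s' "$current" | classify_sse)
  if [ "$state" = kms ]; then
    echo "$bucket: compliant (SSE-KMS, key $(printf '%s' "$current" | kms_key_id))"
    return 0
  fi
  echo "$bucket: currently '$state', enabling SSE-KMS with $key"
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration "$(remediation_json "$key")"
  aws s3api get-bucket-encryption --bucket "$bucket" | classify_sse | grep -qx kms \
    || { echo "$bucket: remediation did not take effect" >&2; return 1; }
  echo "$bucket: now compliant"
}

# Usage: ./s3-kms-default.sh my-bucket alias/s3-default   (alias name is a placeholder)
if [ "$#" -ge 2 ]; then
  check_and_remediate "$1" "$2"
fi
```

Run it once per bucket, or loop over `aws s3api list-buckets --query 'Buckets[].Name' --output text`. The post-change read-back matters: put-bucket-encryption succeeds even when the key policy later blocks writers, so follow it with a test upload from a normal application identity before closing the finding.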