
Rule: S3 Bucket Default Encryption Should Be Enabled with KMS

This rule ensures that S3 bucket default encryption is enabled with KMS for better security measures.

Rule: S3 bucket default encryption should be enabled with KMS
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

The rule requires that default encryption is enabled for Amazon S3 buckets using AWS Key Management Service (KMS) with NIST 800-53 Revision 5 compliance.

Troubleshooting Steps

If default encryption with KMS is not enabled for S3 buckets, follow these troubleshooting steps:

  1. Check bucket encryption settings: Verify if default encryption is enabled for the S3 bucket.
  2. Check encryption configuration: Ensure that the encryption configuration is set to use AWS Key Management Service (KMS).
  3. Verify KMS key usage policy: Validate that the KMS key associated with the bucket has the necessary key usage policy to meet NIST 800-53 Revision 5 compliance.
  4. Check KMS key configuration: Ensure that the KMS key is properly configured and is not expired or disabled.
  5. Verify IAM roles and policies: Ensure that the IAM roles and policies associated with the bucket have the necessary permissions to access and use the KMS key.

Necessary Codes

No additional code is required for this configuration. However, here are the necessary AWS CLI commands for verification and remediation:

  • To check the encryption settings of an S3 bucket:
aws s3api get-bucket-encryption --bucket <bucket_name>
  • To enable default encryption using KMS for an S3 bucket:
aws s3api put-bucket-encryption --bucket <bucket_name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID":"<kms_key_id>"}}]}'

Note: Replace <bucket_name> with your actual S3 bucket name and <kms_key_id> with the ID of the KMS key you want to use for encryption.

Step-by-Step Guide for Remediation

Follow these steps to enable default encryption with KMS for an S3 bucket:

  1. Verify current encryption settings:

    • Run the following AWS CLI command to check if default encryption is already enabled for the bucket (if no default encryption is configured, the command fails with ServerSideEncryptionConfigurationNotFoundError rather than returning an empty configuration):
    aws s3api get-bucket-encryption --bucket <bucket_name>

    • If default encryption is already enabled and configured with KMS, the bucket already satisfies this rule. Otherwise, continue with the following steps for remediation.
  2. Create or identify a KMS key:

    • If you don't have a KMS key, create one using the AWS Management Console or AWS CLI. Make sure the KMS key has the desired configuration and meets the NIST 800-53 Revision 5 compliance requirements.
    • Note down the KMS key ID for later use.
  3. Enable default encryption with KMS:

    • Run the following AWS CLI command to enable default encryption using KMS for the S3 bucket:
    aws s3api put-bucket-encryption --bucket <bucket_name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID":"<kms_key_id>"}}]}'

    • Replace <bucket_name> with the name of the S3 bucket you want to enable default encryption for, and <kms_key_id> with the ID of the KMS key you want to use for encryption.
  4. Verify the encryption configuration:

    • Run the following AWS CLI command to verify the encryption configuration of the S3 bucket:
    aws s3api get-bucket-encryption --bucket <bucket_name>

    • Ensure that the response shows the desired encryption configuration with the specified KMS key.

Once you have completed these steps, default encryption with KMS will be enabled for the specified S3 bucket, meeting the NIST 800-53 Revision 5 compliance requirement.
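The verification step above leaves the reader to eyeball the get-bucket-encryption response. The following added example (not part of the original rule page, and not Cloud Defense's own code) evaluates such a response the way this rule does: it passes only an aws:kms rule that names a KMS key, and it treats a missing configuration, SSE-S3 (AES256), and an aws:kms rule without a key ID as findings. It also builds the JSON for the put-bucket-encryption remediation command. The sample responses and the key ARN are constructed placeholders; requiring a named key is an assumption drawn from the remediation command on this page.

```python
"""Evaluate an S3 bucket's default-encryption configuration against this rule."""
import json

# Constructed sample responses, shaped like `aws s3api get-bucket-encryption`
# output. The account number and key ID are placeholders, not real values.
SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/<kms_key_id>"},
     "BucketKeyEnabled": True}]}}
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
# A bucket with no default encryption makes the CLI exit with
# ServerSideEncryptionConfigurationNotFoundError; we model that as None.
NO_CONFIG = None


def evaluate_bucket_encryption(response):
    """Return (compliant, reason) for one get-bucket-encryption response."""
    if response is None:
        return False, "no default encryption configuration"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "encryption configuration has no rules"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":
            return False, f"default algorithm is {algo!r}, not aws:kms"
        if not default.get("KMSMasterKeyID"):
            # aws:kms without a key ID falls back to the AWS-managed aws/s3 key,
            # whose key policy you cannot edit, so the rule's key-policy check
            # (assumption: a customer-managed key is expected) cannot be met.
            return False, "aws:kms rule does not name a KMS key"
    return True, "SSE-KMS with a named key"


def build_sse_kms_config(kms_key_id, bucket_key_enabled=True):
    """Build the JSON for `put-bucket-encryption --server-side-encryption-configuration`."""
    return json.dumps({"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id},
        "BucketKeyEnabled": bucket_key_enabled}]})


if __name__ == "__main__":
    for name, resp in (("kms-bucket", SSE_KMS), ("s3-bucket", SSE_S3), ("plain", NO_CONFIG)):
        ok, why = evaluate_bucket_encryption(resp)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```

Feed it the parsed output of get-bucket-encryption for each bucket (mapping the NotFound error to None) to audit an account in bulk instead of reading responses by hand.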
