
Rule: S3 Bucket Default Encryption Should Be Enabled

This rule ensures that S3 buckets have default encryption enabled for better security.

Rule: S3 bucket default encryption should be enabled
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description:

This rule enforces that default encryption is enabled for all Amazon S3 buckets in compliance with the NIST 800-53 Revision 5 security standard. Default encryption ensures that objects stored in the S3 buckets are automatically encrypted using server-side encryption with S3 managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) when no other encryption options are specified.

Troubleshooting Steps (if default encryption is not enabled):

If default encryption is not enabled for an S3 bucket, follow these troubleshooting steps:

  1. Identify the Bucket: Identify the S3 bucket(s) that do not have default encryption enabled.

  2. Verify Encryption Settings: Check the encryption settings for the identified bucket(s) to determine if default encryption is enabled or if any other encryption options are applied.

  3. Enable Default Encryption: If default encryption is not enabled, proceed to enable it.

Necessary Code:

If you need to enable default encryption for an S3 bucket using AWS CLI, execute the following command:

aws s3api put-bucket-encryption --bucket your-bucket-name --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}'

Replace your-bucket-name with the actual name of your S3 bucket.
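As an added example (not from this page or from Cloud Defense), the Python helper below evaluates the ServerSideEncryptionConfiguration document that get-bucket-encryption returns, treats a missing configuration (the ServerSideEncryptionConfigurationNotFoundError case) as non-compliant, and builds the same JSON payload the put-bucket-encryption command above takes. The bucket names and configurations are constructed samples so it runs offline; the KMS key ARN is a placeholder.

```python
import json

# Constructed sample: per bucket, the ServerSideEncryptionConfiguration that
# `aws s3api get-bucket-encryption` returns, or None where S3 answered
# ServerSideEncryptionConfigurationNotFoundError (nothing configured).
SAMPLE_BUCKETS = {
    "logs-archive": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "finance-reports": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]},
    "scratch-data": None,
    "odd-config": {"Rules": []},
}

def evaluate_encryption(config):
    """Return (compliant, detail) for one bucket's default encryption configuration."""
    if config is None:
        return False, "no default encryption configuration"
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algo = default.get("SSEAlgorithm")
        if algo == "AES256":
            return True, "SSE-S3 (AES256)"
        if algo == "aws:kms":
            return True, "SSE-KMS with key " + default.get("KMSMasterKeyID", "aws/s3 (AWS managed)")
        return False, f"unrecognised SSEAlgorithm {algo!r}"
    return False, "configuration present but no ApplyServerSideEncryptionByDefault rule"

def build_put_encryption_payload(algorithm="aws:kms", kms_key_id=None):
    """Build the JSON document that put-bucket-encryption takes (same shape as above)."""
    default = {"SSEAlgorithm": algorithm}
    if algorithm == "aws:kms" and kms_key_id:
        default["KMSMasterKeyID"] = kms_key_id
    return json.dumps({"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}, separators=(",", ":"))

def audit(buckets):
    """Print a PASS/FAIL line per bucket and return the non-compliant bucket names."""
    noncompliant = []
    for name, config in buckets.items():
        ok, detail = evaluate_encryption(config)
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
        if not ok:
            noncompliant.append(name)
    return noncompliant

if __name__ == "__main__":
    for name in audit(SAMPLE_BUCKETS):  # print the remediation command for each failing bucket
        print(f"aws s3api put-bucket-encryption --bucket {name} "
              f"--server-side-encryption-configuration '{build_put_encryption_payload()}'")
```

To run it against a real account, replace SAMPLE_BUCKETS with the output of get-bucket-encryption per bucket, mapping the ServerSideEncryptionConfigurationNotFoundError response to None.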

Remediation Steps:

To enable default encryption for an S3 bucket, perform the following steps:

  1. Open the AWS Management Console and navigate to the S3 service.

  2. Select the S3 bucket for which you want to enable default encryption.

  3. Click on the "Properties" tab.

  4. Scroll down to the "Default encryption" section.

  5. Click on the "Edit" button.

  6. Choose either "AES-256" or "AWS Key Management Service (SSE-KMS)" as the default encryption option.

  7. Click on the "Save changes" button to enable default encryption.

Additional Notes:

  • Enabling default encryption ensures that all existing and newly uploaded objects to the S3 bucket are automatically encrypted.
  • It is important to choose the appropriate default encryption option based on your security requirements and compliance standards.
  • Default encryption does not affect objects that are already encrypted using other encryption methods.
  • Regularly audit your S3 buckets to verify default encryption settings and ensure compliance with the NIST 800-53 Revision 5 standard.
