
Rule: S3 Bucket Default Encryption Enabled with KMS

This rule ensures that S3 bucket default encryption is enabled with KMS for enhanced security measures.

Rule: S3 bucket default encryption should be enabled with KMS
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

The S3 bucket default encryption should be enabled with the Key Management Service (KMS) for compliance with the NIST 800-53 Revision 5 security standard. This rule ensures that all objects stored in the S3 bucket are automatically encrypted using the KMS keys, providing an added layer of protection for sensitive data.

Remediation Steps:

1. Ensure KMS key exists:

a. Check if a suitable KMS key exists. If not, create a new one using the AWS Management Console or AWS CLI.

2. Enable default encryption on the S3 bucket:

a. Open the Amazon S3 console.
b. Select the desired S3 bucket.
c. Go to the Properties tab and click on the Default encryption option.
d. Choose the KMS option as the default encryption type.
e. Select the appropriate KMS key from the dropdown menu.
f. Click Save to apply the changes.

Troubleshooting Steps (if default encryption is not enabled):

1. Check if the KMS key is properly configured:

   • Verify that the KMS key being used for encryption is active and has the necessary permissions.
   • Ensure that the KMS key policy allows the S3 bucket to use it for encryption.

2. Verify bucket policies:

   • Check if there are any bucket policies restricting access to enabling default encryption using KMS.
   • Adjust the bucket policies as necessary to permit enabling default encryption with KMS.

3. Verify IAM permissions:

   • Make sure the IAM user or role has the necessary permissions to enable default encryption with KMS.
   • Check the IAM policies associated with the user or role and adjust them if needed.

4. Ensure the AWS CLI is up to date and configured:

   • If using the AWS CLI, make sure it is up to date. Check the installed version, then confirm the credentials and region the CLI will use:
     aws --version
     aws configure set aws_access_key_id YOUR_ACCESS_KEY
     aws configure set aws_secret_access_key YOUR_SECRET_ACCESS_KEY
     aws configure set region YOUR_REGION

5. Enable default encryption using the AWS CLI:

   • Run the following command to enable default encryption with KMS on the S3 bucket:
     aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<kms-key-id>"}}]}'


Additional Notes:

  • Enabling default encryption with KMS ensures that new objects uploaded to the S3 bucket are automatically encrypted with the specified KMS key.
  • Existing objects in the bucket will not be automatically encrypted but you can manually encrypt them using the AWS Management Console or AWS CLI.
  • It is important to regularly review and audit bucket policies, IAM permissions, and KMS key policies to maintain the effectiveness of the default encryption with KMS.
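The CLI step above applies the configuration to one bucket by hand; the check behind this rule, and the remediation it calls for, can also be scripted. The following is an added example (not Cloud Defense's code) that evaluates a bucket's GetBucketEncryption result against this rule (SSE-KMS, as opposed to no default encryption or SSE-S3/AES256), builds the same ServerSideEncryptionConfiguration payload the `put-bucket-encryption` command uses, and optionally applies it. It assumes the caller passes in a boto3 S3 client (`boto3.client("s3")`); the evaluation and payload functions themselves need no AWS access, and the bucket names and the key alias `alias/example-s3-key` are constructed placeholders.

```python
"""Audit and remediate S3 default encryption (SSE-KMS).

Added example, not Cloud Defense's own code. Assumes the caller supplies a
boto3 S3 client; the pure-Python check functions run without boto3 installed.
"""
import json
from typing import Optional, Tuple

# SSEAlgorithm values that mean "encrypted with a KMS key" (the second is
# dual-layer SSE, DSSE-KMS). Anything else, e.g. AES256 (SSE-S3), fails this rule.
KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")


def build_sse_kms_configuration(kms_key_id: str) -> dict:
    """Build the ServerSideEncryptionConfiguration payload for SSE-KMS.

    Same structure as the JSON passed to `aws s3api put-bucket-encryption`.
    kms_key_id may be a key ID, key ARN, alias name or alias ARN.
    """
    if not kms_key_id:
        raise ValueError("a KMS key identifier is required")
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_id,
                }
            }
        ]
    }


def evaluate_encryption_configuration(config: Optional[dict]) -> Tuple[str, str]:
    """Return ("PASS" | "FAIL", reason) for a bucket's encryption configuration.

    `config` is the ServerSideEncryptionConfiguration dict returned by
    GetBucketEncryption, or None when the bucket has no default encryption.
    """
    if not config or not config.get("Rules"):
        return "FAIL", "no default encryption rule configured"
    # S3 allows a single rule per bucket; evaluate the first one.
    rule = config["Rules"][0]
    default = rule.get("ApplyServerSideEncryptionByDefault") or {}
    algorithm = default.get("SSEAlgorithm")
    if algorithm not in KMS_ALGORITHMS:
        return "FAIL", f"default encryption uses {algorithm or 'no algorithm'}, not SSE-KMS"
    # Without KMSMasterKeyID, S3 uses the AWS managed key aws/s3. That is still
    # KMS, so it passes; the reason records which key is in use for the audit log.
    key_id = default.get("KMSMasterKeyID") or "aws/s3 (AWS managed key)"
    return "PASS", f"{algorithm} with key {key_id}"


def fetch_encryption_configuration(s3_client, bucket: str) -> Optional[dict]:
    """Return a bucket's ServerSideEncryptionConfiguration, or None if unset.

    GetBucketEncryption raises ServerSideEncryptionConfigurationNotFoundError
    when no default encryption is configured; that case maps to None and any
    other error (access denied, missing bucket) propagates to the caller.
    """
    try:
        response = s3_client.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore.exceptions.ClientError in practice
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
    return response["ServerSideEncryptionConfiguration"]


def audit_and_remediate(s3_client, bucket: str, kms_key_id: str,
                        apply: bool = False) -> Tuple[str, str]:
    """Audit one bucket; with apply=True, enable SSE-KMS on failure and re-check."""
    status, reason = evaluate_encryption_configuration(
        fetch_encryption_configuration(s3_client, bucket))
    if status == "FAIL" and apply:
        s3_client.put_bucket_encryption(
            Bucket=bucket,
            ServerSideEncryptionConfiguration=build_sse_kms_configuration(kms_key_id))
        status, reason = evaluate_encryption_configuration(
            fetch_encryption_configuration(s3_client, bucket))
    return status, reason


if __name__ == "__main__":
    # Constructed sample configurations shaped like GetBucketEncryption output.
    samples = {
        "unencrypted-bucket": None,
        "sse-s3-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                     {"SSEAlgorithm": "AES256"}}]},
        "sse-kms-bucket": build_sse_kms_configuration("alias/example-s3-key"),
    }
    for name, config in samples.items():
        print(name, *evaluate_encryption_configuration(config))
    # The payload as it would be passed to --server-side-encryption-configuration
    print(json.dumps(build_sse_kms_configuration("alias/example-s3-key")))
```

Run with `apply=False` first to produce a list of failing buckets, then re-run with `apply=True` once the KMS key policy and the caller's IAM permissions (steps 1 and 3 of the troubleshooting list) are confirmed, since `put_bucket_encryption` succeeds even if the key later refuses the bucket's requests. As the notes above state, this only affects new uploads; existing objects still need to be re-encrypted separately.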
