Rule: S3 Bucket Default Encryption Should Be Enabled with KMS
This rule ensures that default encryption with KMS is enabled for S3 buckets.
| Rule | S3 bucket default encryption should be enabled with KMS |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
S3 Bucket Default Encryption with KMS for NIST 800-53 Revision 5
Description
Enabling default encryption for Amazon S3 buckets with AWS Key Management Service (KMS) is a crucial security measure to protect sensitive data stored in the buckets. This rule ensures that all newly created S3 buckets have encryption enabled using KMS customer master keys (CMKs) as per the NIST 800-53 Revision 5 security controls.
Troubleshooting Steps
If encryption is not enabled or misconfigured, you may encounter the following issues:
- 1.Data Breach Risk: Sensitive data stored in the S3 buckets may be accessed by unauthorized individuals.
- 2.Compliance Violation: Failure to meet the security controls outlined in NIST 800-53 Revision 5.
Necessary Codes
To enable default encryption with KMS for S3 buckets, the following code should be used when creating new buckets:
aws s3api create-bucket --bucket <bucket-name> --create-bucket-configuration LocationConstraint=<aws-region> --encryption BucketKeyEnabled=true,DefaultMasterKeyID=<kms-key-id>
Make sure to replace
<bucket-name><aws-region><kms-key-id>Remediation Steps
Follow the steps below to remediate and enable default S3 bucket encryption using KMS:
- 1.Log in to the AWS Management Console.
- 2.Go to the Amazon S3 service.
- 3.Click on "Create bucket" to create a new bucket or select an existing bucket to modify.
- 4.In the "Name and region" section, provide a unique bucket name and select the appropriate region.
- 5.Click on "Next" until you reach the "Set permissions" section.
- 6.In the "Set permissions" section, scroll down to find the "Default encryption" option.
- 7.Select "AWS Key Management Service (AWS KMS)" as the encryption type.
- 8.Choose the desired KMS customer master key (CMK) from the dropdown list.
- 9.Continue with the remaining steps to configure other bucket settings as required.
- 10.Finally, review the configuration and click on "Create bucket" or "Save changes" to enable default encryption for the bucket.
Verification
To ensure that default encryption with KMS is enabled for an S3 bucket, perform the following steps:
- 1.Log in to the AWS Management Console.
- 2.Go to the Amazon S3 service.
- 3.Select the bucket for verification.
- 4.Click on the "Properties" tab.
- 5.In the "Default encryption" section, verify that the encryption type is set to "AWS Key Management Service (AWS KMS)".
- 6.Check that the selected key matches the desired KMS customer master key (CMK) ID.
- 7.Additionally, you can validate encryption by uploading a test object to the bucket and confirming that it is encrypted using KMS.
By following these steps, you will successfully enable default encryption with KMS for S3 buckets, meeting the NIST 800-53 Revision 5 security control requirements.