Rule: S3 Bucket Default Encryption Should Be Enabled

This rule ensures that default encryption is enabled for S3 buckets for enhanced security.

Rule: S3 bucket default encryption should be enabled
Framework: RBI Cyber Security Framework
Severity: Low

Rule Description:

The RBI (Reserve Bank of India) Cyber Security Framework requires that all S3 buckets in the organization should have default encryption enabled. This ensures that data stored in S3 buckets is automatically encrypted at rest, providing an additional layer of security to protect sensitive information.

Troubleshooting Steps:

If default encryption is not enabled for an S3 bucket, sensitive data may be stored without encryption, which can result in a violation of regulatory requirements and potential data breaches. To troubleshoot this, follow the steps below:

  1. Check if default encryption is enabled for the S3 bucket by reviewing its configuration.
  2. If default encryption is not enabled, proceed with the remediation steps below.

Remediation Steps:

To enable default encryption for an S3 bucket, follow these step-by-step instructions:

Step 1: Access the AWS Management Console

  1. Open a web browser and navigate to the AWS Management Console login page.
  2. Enter your credentials to log in.

Step 2: Navigate to the S3 Service

  1. Once logged in, search for "S3" in the AWS Management Console search bar.
  2. Click on the "S3" service from the search results to open the S3 dashboard.

Step 3: Select the Desired Bucket

  1. From the list of available S3 buckets, select the bucket for which you want to enable default encryption.
  2. Click on the bucket name to access its configuration options.

Step 4: Enable Default Encryption

  1. In the bucket details page, click on the "Properties" tab.
  2. Under the "Default encryption" section, click on the "Edit" button.

Step 5: Enable SSE-S3 Encryption

  1. In the "Default encryption" configuration window, select "AES-256" or "AWS-KMS" as the default encryption algorithm.
    • "AES-256" uses Amazon S3 managed keys for encryption.
    • "AWS-KMS" allows you to use your own AWS Key Management Service (KMS) keys for encryption.
  2. Choose the desired encryption option based on your organization's requirements and compliance needs.
  3. Click on the "Save" button to enable default encryption for the selected S3 bucket.

Step 6: Verify Default Encryption

  1. After saving the changes, go back to the bucket details page.
  2. Under the "Default encryption" section, verify that the encryption status is now enabled.

CLI Commands (If applicable):

If you prefer to use the AWS Command Line Interface (CLI) to enable default encryption for an S3 bucket, you can use the following command:

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

Replace <bucket-name> with the name of the S3 bucket you want to enable default encryption for.
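The verification in Step 6 can also be done from the CLI by evaluating the JSON that `aws s3api get-bucket-encryption --bucket <bucket-name>` prints. The following is an added example, not part of the original page or CloudDefense's tooling; the helper name `evaluate_bucket_encryption`, the key alias and the sample outputs are constructed for illustration.

```python
import json

# SSEAlgorithm values S3 accepts for default encryption.
KNOWN_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}

# Constructed sample outputs of `aws s3api get-bucket-encryption` (not real buckets).
SAMPLE_SSE_S3 = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
SAMPLE_KMS = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-key"},
     "BucketKeyEnabled": True}]}})
SAMPLE_NO_RULES = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": []}})


def evaluate_bucket_encryption(cli_output):
    """Hypothetical helper: return (compliant, detail) for the CLI's JSON output.

    Pass an empty string when the command failed and printed no configuration.
    """
    if not cli_output or not cli_output.strip():
        return False, "no default encryption configuration returned"
    try:
        doc = json.loads(cli_output)
    except json.JSONDecodeError:
        return False, "output is not valid JSON"
    if not isinstance(doc, dict):
        return False, "unexpected JSON structure"
    config = doc.get("ServerSideEncryptionConfiguration") or {}
    for rule in config.get("Rules") or []:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algorithm = default.get("SSEAlgorithm")
        if algorithm == "AES256":
            return True, "SSE-S3 (AES256, Amazon S3 managed keys)"
        if algorithm in KNOWN_ALGORITHMS:
            # Without KMSMasterKeyID, S3 falls back to the AWS managed key aws/s3.
            key = default.get("KMSMasterKeyID", "AWS managed key aws/s3")
            return True, f"{algorithm} with key {key}"
    return False, "no rule sets a recognised default SSEAlgorithm"


if __name__ == "__main__":
    for name, sample in [("sse-s3", SAMPLE_SSE_S3), ("kms", SAMPLE_KMS),
                         ("no-rules", SAMPLE_NO_RULES), ("failed-call", "")]:
        print(name, evaluate_bucket_encryption(sample))
```

To audit several buckets, capture the command's standard output per bucket and pass it to the function, treating a failed call as an empty string.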

Note:

Enabling default encryption for an S3 bucket ensures that all objects stored in the bucket are encrypted at rest. However, it's important to also secure access to the bucket and implement appropriate access controls to protect the sensitive data stored within it.

Remember to follow best practices for securing S3 buckets, including proper access control, regular monitoring, and auditing to maintain compliance with the RBI Cyber Security Framework requirements.
