Rule: S3 Bucket Default Encryption Should Be Enabled with KMS

This rule ensures that S3 buckets have default encryption enabled with KMS for enhanced security measures.

Rule: S3 bucket default encryption should be enabled with KMS
Framework: RBI Cyber Security Framework
Severity: Medium

Rule Description:

S3 bucket default encryption should be enabled with AWS Key Management Service (KMS) for compliance with the RBI (Reserve Bank of India) Cyber Security Framework. This rule ensures that every object written to the bucket is encrypted with a KMS key, which adds a layer of protection beyond S3-managed keys and meets the regulatory requirements set by RBI.

Troubleshooting Steps:

If the S3 bucket default encryption is not enabled with KMS, you can follow these troubleshooting steps:

  1. Verify the bucket encryption settings: Check the current encryption settings of the S3 bucket by opening the bucket in the S3 console. On the "Properties" tab, confirm that default encryption is enabled and that the encryption type is KMS.

  2. Check the KMS key configuration: Confirm that the appropriate KMS key is used for default encryption. Open the AWS Key Management Service console and check the key referenced by the bucket. Ensure that the desired KMS key is selected, enabled, and accessible.

  3. Verify bucket policies or bucket ACLs: Make sure that no bucket policy or access control list (ACL) configuration prevents default encryption with KMS. Review the existing policies or ACLs and modify them if needed to allow the use of KMS encryption.

  4. Check IAM permissions: Ensure that the IAM (Identity and Access Management) user or role that manages the S3 bucket has the permissions needed to enable default encryption with KMS. The user or role should have the appropriate KMS actions (e.g., kms:Encrypt, kms:Decrypt) and S3 permissions (e.g., s3:PutEncryptionConfiguration) in its IAM policy.

Necessary Codes:

No specific codes are required for this rule.

Remediation Steps:

To enable default encryption with KMS for an S3 bucket, follow these steps:

  1. Open the AWS Management Console and navigate to the Amazon S3 service.

  2. Select the bucket that needs default encryption enabled.

  3. Go to the "Properties" tab and click "Default encryption".

  4. Choose the "AWS Key Management Service (AWS KMS)" option.

  5. Select the appropriate KMS key from the dropdown menu. If the desired key is not listed, ensure that the key has been created and is accessible in the AWS Key Management Service (KMS) console.

  6. Click "Save" to enable default encryption with KMS for the bucket.

  7. Verify that default encryption with KMS is enabled by checking the bucket properties and confirming that the encryption option shows "AWS KMS".

Note: Enabling default encryption with KMS for an S3 bucket affects only objects uploaded after the change. Existing objects are not re-encrypted automatically, and you may need to take separate action to encrypt them.
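The console procedure above, as an added example in Python (not Cloud Defense's own code): a detection check over the shape of the S3 GetBucketEncryption response, the PutBucketEncryption payload that remediates the rule, and a remediation function that applies it with boto3 and re-checks the bucket. The key ARN and sample responses are constructed placeholders, and remediate_bucket assumes boto3 and AWS credentials are available.

```python
from typing import Optional, Tuple

# Constructed sample responses, in the shape boto3 returns from get_bucket_encryption().
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        # Placeholder key ARN for illustration only, not a real key.
        "KMSMasterKeyID": "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

def evaluate_default_encryption(response: Optional[dict]) -> Tuple[str, str]:
    """Classify a GetBucketEncryption response; None means the API reported no configuration."""
    if response is None:
        return "NON_COMPLIANT", "no default encryption configuration on bucket"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm", "")
        # "aws:kms" (SSE-KMS) and "aws:kms:dsse" (dual-layer SSE-KMS) both use KMS keys.
        if algo.startswith("aws:kms"):
            key = default.get("KMSMasterKeyID") or "AWS managed key aws/s3"
            return "COMPLIANT", f"{algo} using {key}"
    return "NON_COMPLIANT", "default encryption is not KMS-based (e.g. SSE-S3/AES256 or unset)"

def build_sse_kms_configuration(kms_key_arn: str, bucket_key_enabled: bool = True) -> dict:
    """Build the ServerSideEncryptionConfiguration payload for PutBucketEncryption."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        # S3 Bucket Keys reduce the number of KMS requests (and cost) for the bucket.
        "BucketKeyEnabled": bucket_key_enabled}]}

def remediate_bucket(bucket: str, kms_key_arn: str) -> Tuple[str, str]:
    """Apply SSE-KMS default encryption to a bucket and re-check it (needs boto3 and credentials)."""
    import boto3  # imported lazily so the pure-Python checks above run offline
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=build_sse_kms_configuration(kms_key_arn))
    try:
        response = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        response = None  # bucket still reports no default encryption configuration
    return evaluate_default_encryption(response)
```

Running evaluate_default_encryption over each bucket's response in an account gives the same verdict the rule reports, and the new-objects-only caveat from the note still applies after remediate_bucket succeeds.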

Additional Recommendations:

  1. Regularly review and monitor your S3 bucket encryption settings to ensure compliance with RBI regulations and security best practices.

  2. Enable Amazon S3 bucket logging and analyze the logs to detect unauthorized access or data breaches related to the bucket.

  3. Implement versioning for your S3 buckets to protect against accidental deletion or modification of encrypted objects.
