Severity: High

Description: This control ensures that a default bucket encryption configuration exists for a bucket. Configuring default encryption for a bucket ensures that data stored in the S3 bucket is encrypted at rest. Without default encryption, to encrypt all objects stored in a bucket, you must include encryption information with every object storage request. You must also set up an Amazon S3 bucket policy to reject storage requests that don't include encryption information, thus reducing data exposure to unauthorized access.

Remediation Steps:

Perform the following to update the S3 bucket encryption:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the S3 console.

  3. In the navigation pane, select Buckets.

  4. Click on the bucket to be modified, then click Properties.

  5. Choose Edit under Default encryption.

  6. Choose Enable.

  7. Under Encryption key type,

    1. Choose Amazon S3 key for an Amazon S3-managed key.

    2. Choose AWS Key Management Service key (SSE-KMS) to use an AWS KMS key.

  8. Choose Enable under Bucket Key to use an S3 Bucket Key. This reduces S3 bucket traffic to KMS and lowers cost.

  9. Choose Save changes.

Important:

  • Enabling default encryption may require an update to the bucket policy. If the AWS KMS option is used for the default encryption configuration, it is subject to the RPS (requests per second) limits of AWS KMS.

  • Setting default encryption (SSE) for an existing bucket does not encrypt the objects already stored in the bucket.
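The check behind this control and the bucket policy the description refers to, as an added example that is not part of the original page: the first function evaluates the ServerSideEncryptionConfiguration document that S3's GetBucketEncryption API returns (flagging SSE-KMS without a Bucket Key because of the KMS RPS note above), and the second builds the AWS-documented deny statements for PutObject requests that carry no encryption header. The key alias and bucket name are placeholders.

```python
"""Added example, not from the original page: evaluate an S3 bucket's
default-encryption configuration (GetBucketEncryption response body) and
build the bucket-policy statements that reject unencrypted PutObject calls."""

# SSE algorithms S3 accepts in a default-encryption rule (aws:kms:dsse is dual-layer KMS).
COMPLIANT_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def evaluate_default_encryption(config):
    """Return {'compliant': bool, 'findings': [...]} for a 'ServerSideEncryptionConfiguration'
    dict, or for None when the API reported no configuration for the bucket."""
    if not config or not config.get("Rules"):
        return {"compliant": False, "findings": ["no default encryption rule on bucket"]}
    findings = []
    for rule in config["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo not in COMPLIANT_ALGORITHMS:
            findings.append(f"invalid or missing SSEAlgorithm: {algo!r}")
        elif algo.startswith("aws:kms") and not rule.get("BucketKeyEnabled", False):
            # Still compliant, but every object request now calls KMS (RPS limits, cost).
            findings.append("SSE-KMS without S3 Bucket Key: each object request hits KMS")
    compliant = not any(f.startswith("invalid") for f in findings)
    return {"compliant": compliant, "findings": findings}


def deny_unencrypted_uploads_policy(bucket):
    """Bucket policy (AWS-documented pattern) denying PutObject calls that omit the
    x-amz-server-side-encryption header or name an algorithm other than AES256/aws:kms."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
        ],
    }


# Constructed sample: the response shape for a bucket using SSE-KMS with Bucket Key enabled.
SAMPLE_KMS_CONFIG = {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "alias/placeholder-key"},
    "BucketKeyEnabled": True}]}
```

Feed the function the `ServerSideEncryptionConfiguration` value from a real GetBucketEncryption call (or None when the call reports no configuration) to evaluate a live bucket.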

Reference: