AWS-S3-S3-Bucket-Encryption

Severity: High

Description: This control ensures that a "ServerSideEncryptionConfiguration" exists for a bucket. Configuring SSE for a bucket ensures that data stored in the S3 bucket is encrypted at rest.

Remediation Steps:

Perform the following to update S3 bucket encryption:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the S3 console.

  3. In the navigation pane, select Buckets.

  4. Click the bucket to be modified, then click Properties.

  5. Choose Default encryption.

  6. Choose AES-256 or AWS-KMS.

  7. Choose Save.

Important:

  • Enabling default encryption may require an update to the bucket policy. If the AWS KMS option is used for the default encryption configuration, it is subject to the RPS limits of AWS KMS.

  • Setting Default Encryption (SSE) for an existing bucket does not encrypt existing objects in the bucket.
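
The check and the remediation above can also be done through the S3 API. The following is an added example, not part of the original control text: it assumes a boto3 S3 client, and the function names and "example-bucket" are hypothetical. It reports whether a default encryption configuration exists, applies the equivalent of steps 5 to 7, and lists existing objects that were stored without SSE and so are not covered by the new default.

```python
"""Check and remediate the S3 default-encryption control with a boto3-style client."""

NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"


def default_encryption(s3, bucket):
    """Return the bucket's default SSE algorithm, or None if no configuration exists."""
    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:
        # botocore's ClientError carries the service error code in exc.response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == NOT_FOUND:
            return None
        raise  # e.g. AccessDenied means "unknown", not "compliant"
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def enable_default_encryption(s3, bucket, kms_key_id=None):
    """API equivalent of steps 5-7: SSE-KMS if a key is given, else AES-256."""
    by_default = {"SSEAlgorithm": "aws:kms" if kms_key_id else "AES256"}
    if kms_key_id:
        by_default["KMSMasterKeyID"] = kms_key_id
    rules = [{"ApplyServerSideEncryptionByDefault": by_default}]
    s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration={"Rules": rules}
    )


def unencrypted_keys(s3, bucket):
    """List objects stored without SSE; default encryption does not touch them."""
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            if "ServerSideEncryption" not in head:
                keys.append(obj["Key"])
    return keys


if __name__ == "__main__":
    import boto3  # needs AWS credentials; "example-bucket" is a placeholder
    print(default_encryption(boto3.client("s3"), "example-bucket"))
```

With the AWS KMS option, each `head_object` and later read of an encrypted object counts against the KMS request limits noted above, so run the object scan sparingly on large buckets.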


Blue Hexagon Proprietary