AWS-S3-S3-Bucket-Encryption

Severity: High

Description: This control ensures that a "ServerSideEncryptionConfiguration" exists for a bucket. Configuring SSE for a bucket ensures that data stored in the S3 bucket is encrypted at rest.

Remediation Steps:

Perform the following steps to update S3 bucket encryption:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the S3 console.

  3. In the navigation pane, select Buckets.

  4. Click the bucket to be modified, then click Properties.

  5. Choose Default encryption.

  6. Choose AES-256 or AWS-KMS.

  7. Choose Save.

Important:

  • Enabling default encryption may require an update to the bucket policy. If the AWS KMS option is used for the default encryption configuration, it is subject to the RPS limits of AWS KMS.

  • Setting Default Encryption (SSE) for an existing bucket does not encrypt existing objects in the bucket.
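The check this control describes and the remediation in steps 5 to 7, as an added example that is not part of this control's documentation: the logic is written against the response shape of the S3 GetBucketEncryption / PutBucketEncryption APIs, the sample responses and the bucket and key names are constructed, and the live boto3 calls appear only in comments so the code runs offline.

```python
# Added example: evaluate AWS-S3-S3-Bucket-Encryption against a GetBucketEncryption
# response and build the PutBucketEncryption body that remediates a failing bucket.
# With boto3 the live read is
#   s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
# and S3 raises ServerSideEncryptionConfigurationNotFoundError when the bucket has
# no configuration at all; that case is modelled here as None.

ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}  # the AES-256 / AWS-KMS choices of step 6


def evaluate_bucket_encryption(sse_config):
    """Return (compliant, finding) for one bucket's SSE configuration dict (or None)."""
    if not sse_config:
        return False, "no ServerSideEncryptionConfiguration on bucket"
    rules = sse_config.get("Rules", [])
    if not rules:
        return False, "encryption configuration present but has no rules"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            return False, "rule lacks ApplyServerSideEncryptionByDefault"
        algorithm = default.get("SSEAlgorithm")
        if algorithm not in ALLOWED_ALGORITHMS:
            return False, f"unsupported SSEAlgorithm {algorithm!r}"
    return True, "default encryption enabled"


def build_remediation(algorithm="AES256", kms_key_id=None):
    """Body for s3.put_bucket_encryption(Bucket=..., ServerSideEncryptionConfiguration=body).

    This only sets the default for new objects; existing objects are not re-encrypted."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"algorithm must be one of {sorted(ALLOWED_ALGORITHMS)}")
    default = {"SSEAlgorithm": algorithm}
    if algorithm == "aws:kms" and kms_key_id:
        default["KMSMasterKeyID"] = kms_key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}


# Constructed sample responses standing in for get_bucket_encryption results.
SAMPLE_BUCKETS = {
    "logs-bucket": None,  # API raised ServerSideEncryptionConfigurationNotFoundError
    "kms-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                              {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-key"}}]},
    "aes-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}


def audit(buckets):
    """Map each non-compliant bucket name to its finding."""
    return {name: finding for name, cfg in buckets.items()
            for compliant, finding in [evaluate_bucket_encryption(cfg)] if not compliant}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {finding} -> remediate with {build_remediation()}")
```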

Reference:

Blue Hexagon Proprietary