Description:

Server-side encryption is the encryption of data at its destination by the application or service that receives it. AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Amazon S3 uses AWS KMS customer master keys (CMKs) to encrypt your Amazon S3 objects. AWS KMS encrypts only the object data. Any object metadata is not encrypted. You can use these CMKs to protect your data in Amazon S3 buckets. When you use SSE-KMS encryption with an S3 bucket, the AWS KMS CMK must be in the same Region as the bucket. There are additional charges for using AWS KMS CMKs.


Rationale:

The encryption context is not secret. It appears in plaintext in AWS CloudTrail logs, so you can use it to identify and categorize your cryptographic operations.

An encryption context can consist of any keys and values. However, because it is not secret and not encrypted, your encryption context should not include sensitive information. We recommend that your encryption context describe the data being encrypted or decrypted. For example, when you encrypt a file, you might use part of the file path as encryption context.


Impact:

By enabling default encryption, all new objects are encrypted when they are stored in the bucket. Amazon S3 encrypts each object before saving it to disk and decrypts it when you download the object.


Default Value: 

By default, Default encryption is disabled in S3 buckets.


Pre-Requisite: 

  • Sign in as an admin or IAM user with the required permissions.

  • Before performing the implementation steps, make sure that a KMS encryption key already exists in the same Region as the bucket.


Test Plan:

  • Log in to the AWS Management Console.

  • Go to S3 console at https://s3.console.aws.amazon.com/s3.

  • In the S3 console, choose the bucket to examine.

  • Go to the Properties tab.

  • Scroll down to Default Encryption and check whether it is enabled or disabled.


Via CLI:


Command to list all existing S3 buckets available in your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'


To retrieve the server-side encryption configuration for a bucket:

aws s3api get-bucket-encryption \
    --bucket <bucket name>
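An added example (not part of the original check) showing how the output of the get-bucket-encryption command above can be evaluated offline against this control: SSE-KMS in use, a KMS key ARN whose Region matches the bucket's Region, and an S3 Bucket Key enabled. The bucket names, the account id 111122223333 and the key id are constructed sample values, and a bucket with no default encryption (where the CLI fails with ServerSideEncryptionConfigurationNotFoundError) is modelled as None.

```python
import re

# Constructed sample: (bucket Region, parsed get-bucket-encryption JSON).
# None stands for a bucket where the CLI reported no encryption configuration.
SAMPLE_BUCKETS = {
    "logs-eu-west-1": ("eu-west-1", {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]}}),
    "backups-us-east-1": ("us-east-1", {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": False}]}}),
    "scratch-us-east-1": ("us-east-1", None),
}

# Full KMS key ARN; only this form lets us check the Region without an API call.
KMS_ARN = re.compile(r"^arn:aws:kms:(?P<region>[a-z0-9-]+):\d{12}:key/")

def audit_bucket(bucket_region, encryption_config):
    """Return a list of findings; an empty list means the bucket passes this control."""
    if encryption_config is None:
        return ["default encryption not configured"]
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["encryption configuration has no rules"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":
            findings.append(f"SSEAlgorithm is {algo!r}, expected 'aws:kms'")
            continue
        key_id = default.get("KMSMasterKeyID", "")
        m = KMS_ARN.match(key_id)
        if not key_id:
            findings.append("no KMSMasterKeyID set; the AWS managed aws/s3 key would be used")
        elif not m:
            findings.append(f"KMSMasterKeyID {key_id!r} is not a key ARN; verify its Region manually")
        elif m.group("region") != bucket_region:
            findings.append(f"KMS key is in {m.group('region')} but bucket is in {bucket_region}")
        if not rule.get("BucketKeyEnabled", False):
            findings.append("BucketKeyEnabled is false (every object costs extra KMS requests)")
    return findings

def audit_all(buckets=SAMPLE_BUCKETS):
    """Map each bucket name to its findings."""
    return {name: audit_bucket(region, cfg) for name, (region, cfg) in buckets.items()}
```

In practice, feed the function the parsed JSON from the CLI command and the bucket's Region from get-bucket-location.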


Remediation:



Implementation Steps: 

  • Log in to the AWS Management Console.

  • Go to S3 console at https://s3.console.aws.amazon.com/s3

  • Select the S3 bucket on which to enable default encryption.

  • Go to the Properties tab.

  • Scroll down and go to Default Encryption and click on the Edit button.

  • Click the Enable radio button under Server-side encryption and select the encryption key type AWS Key Management Service key (SSE-KMS).

  • Select AWS KMS key.

  • Click on the Save changes button.


Via CLI:

Enable default encryption with SSE-KMS using an S3 Bucket Key:

aws s3api put-bucket-encryption --bucket <bucket-name> \
--server-side-encryption-configuration \
'{
    "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "KMS-Key-ARN"
                },
                "BucketKeyEnabled": true
            }
        ]
    }'


Backout Plan:

  • Log in to the AWS Management Console

  • Go to the S3 console at https://s3.console.aws.amazon.com/s3

  • Select the S3 bucket on which to disable default encryption.

  • Go to the Properties tab.

  • Scroll down to Default Encryption and click on the Edit button.

  • Click the Disable radio button under Server-side encryption and click on the Save button.


Via CLI:

To delete the server-side encryption configuration of a bucket: