Description:
Data encryption is the process of converting raw data into a coded form to help ensure that only authorized parties can read it. Encryption often uses a “key” (usually a large number) stored separately from the data to ensure that only the key holder can read it. Data encryption is often required by regulations as well as internal security standards. AWS has several offerings in the data encryption space.
Within Amazon S3, server-side encryption (SSE) is the simplest data-at-rest encryption option available: S3 encrypts each object as it writes it to disk and decrypts it transparently when an authorized principal reads it, so applications need no changes. SSE-S3 is the simplest SSE variant to use because AWS generates, stores and manages the keys. SSE-S3 uses AES-256, a symmetric cipher (the same key encrypts and decrypts); each object is encrypted with its own unique data key, and you cannot access that key or use it for any other encryption processing. The data key is itself encrypted with a root key that AWS rotates regularly. Because decryption is transparent to any caller with s3:GetObject, SSE-S3 protects against access to the underlying storage media, not against over-permissive bucket policies or IAM; it complements access control rather than replacing it.
Rationale:
Enabling default encryption on a bucket ensures that every new object is encrypted at rest without relying on each client to send the x-amz-server-side-encryption header on every PUT. Choosing SSE-S3 as the default keeps key management entirely inside AWS, so there is no key for your own teams to lose, rotate or misconfigure. If you choose SSE-KMS instead, be aware that the encryption context is not secret: it appears in plaintext in AWS CloudTrail logs, so you can use it to identify and categorize your cryptographic operations. An encryption context can consist of any keys and values, but because it is neither secret nor encrypted it must not include sensitive information. It should describe the data being encrypted or decrypted; for example, when you encrypt a file, you might use part of the file path as the encryption context.
Impact:
Enabling default server-side encryption (SSE) on an S3 bucket protects data at rest and helps prevent the exposure of sensitive information if the underlying storage is reached outside the S3 API. Two caveats: the default applies only to objects written after it is enabled, so objects already in the bucket keep their existing state until they are re-uploaded or copied in place (for example with aws s3 cp s3://<bucket name>/<key> s3://<bucket name>/<key> --sse AES256); and a PUT request that explicitly specifies its own server-side encryption header overrides the bucket default for that object.
Default Value:
Historically, default encryption was disabled on new buckets and had to be enabled explicitly. Since January 2023 Amazon S3 applies SSE-S3 (AES-256) as the base level of encryption for every bucket, so get-bucket-encryption on a bucket that was never configured now returns an AES256 rule rather than ServerSideEncryptionConfigurationNotFoundError. The check below is still worthwhile: it confirms which key type (SSE-S3 or SSE-KMS, and which KMS key) is actually configured and surfaces buckets whose configuration differs from your standard.
Pre-Requisite:
Sign in as an admin or IAM user with the required permissions
Remediation:
Test Plan:
Log in to the AWS Management Console
Go to the S3 console at https://s3.console.aws.amazon.com/s3
In the Buckets list, choose the name of the bucket to examine.
Go to the Properties tab.
Scroll down to Default encryption and note whether it is enabled, and with which key type (Amazon S3 managed keys or AWS KMS keys).
Using AWS CLI:
To retrieve the server-side encryption configuration for a bucket (a bucket with no configuration fails with ServerSideEncryptionConfigurationNotFoundError, which for this control means non-compliant):
aws s3api get-bucket-encryption --bucket <bucket name>
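The following Python script is an added example (not code from this page, from AWS or from any project) that automates the CLI check above across every bucket in an account: it runs aws s3api get-bucket-encryption per bucket, parses the JSON the command prints, and treats a ServerSideEncryptionConfigurationNotFoundError failure as "no default encryption". The bucket names and the SAMPLE_* JSON documents are constructed for illustration, and the CLI runner is injectable (fake_cli) so the classification logic can be exercised without AWS credentials.

```python
"""Audit S3 default-encryption settings via the AWS CLI (added example; not code
from the page or from AWS).  Bucket names and SAMPLE_* JSON are constructed."""
import json
import subprocess
from typing import Callable, Optional

# Error name the CLI prints when a bucket has no default-encryption configuration.
NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"

# Constructed sample of `aws s3api get-bucket-encryption --output json`
# for a bucket that uses SSE-S3 (the page's AES256 rule).
SAMPLE_SSE_S3 = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                   "BucketKeyEnabled": False}]
    }
})

# Constructed sample for a bucket on SSE-KMS with a customer managed key and an S3 Bucket Key.
SAMPLE_SSE_KMS = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
                       "SSEAlgorithm": "aws:kms",
                       "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
                   "BucketKeyEnabled": True}]
    }
})


def classify_encryption(config_json: Optional[str]) -> dict:
    """Turn get-bucket-encryption output into a verdict.  None means the call
    failed with NOT_FOUND, i.e. the bucket has no default-encryption rule."""
    if config_json is None:
        return {"status": "NON_COMPLIANT", "reason": "no default encryption rule"}
    rules = json.loads(config_json).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    modes = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algo = default.get("SSEAlgorithm")
        return {
            "status": "COMPLIANT" if algo in modes else "UNKNOWN",  # UNKNOWN: inspect by hand
            "mode": modes.get(algo, algo),
            "kms_key": default.get("KMSMasterKeyID"),  # None for SSE-S3 or the aws/s3 managed key
            "bucket_key_enabled": bool(rule.get("BucketKeyEnabled", False)),
        }
    return {"status": "NON_COMPLIANT", "reason": "rule has no ApplyServerSideEncryptionByDefault"}


def run_aws(args: list[str]) -> subprocess.CompletedProcess:
    """Invoke the real AWS CLI; callers inspect returncode, stdout and stderr."""
    return subprocess.run(["aws", *args, "--output", "json"], capture_output=True, text=True)


def audit_bucket(bucket: str, run: Callable = run_aws) -> dict:
    """Run the page's check for one bucket.  `run` is injectable so the logic
    can be exercised offline with a fake CLI."""
    proc = run(["s3api", "get-bucket-encryption", "--bucket", bucket])
    if proc.returncode == 0:
        verdict = classify_encryption(proc.stdout)
    elif NOT_FOUND in proc.stderr:
        verdict = classify_encryption(None)
    else:  # access denied, no such bucket, expired credentials, ...
        verdict = {"status": "ERROR", "reason": proc.stderr.strip()}
    verdict["bucket"] = bucket
    return verdict


def audit_all(run: Callable = run_aws) -> list[dict]:
    """List every bucket in the account and audit each one."""
    proc = run(["s3api", "list-buckets", "--query", "Buckets[].Name"])
    proc.check_returncode()
    return [audit_bucket(name, run) for name in json.loads(proc.stdout)]


def fake_cli(args: list[str]) -> subprocess.CompletedProcess:
    """Offline stand-in for run_aws that answers from the constructed samples."""
    if args[1] == "list-buckets":
        names = ["logs-sse-s3", "pii-sse-kms", "scratch-plain"]
        return subprocess.CompletedProcess(args, 0, json.dumps(names), "")
    bucket = args[args.index("--bucket") + 1]
    stdout, stderr, rc = {
        "logs-sse-s3": (SAMPLE_SSE_S3, "", 0),
        "pii-sse-kms": (SAMPLE_SSE_KMS, "", 0),
        "scratch-plain": ("", f"An error occurred ({NOT_FOUND}) when calling the "
                          "GetBucketEncryption operation: The server side encryption "
                          "configuration was not found", 254),
    }[bucket]
    return subprocess.CompletedProcess(args, rc, stdout, stderr)


if __name__ == "__main__":
    # Pass run_aws instead of fake_cli to audit a real account.
    for v in audit_all(fake_cli):
        print(f"{v['bucket']:<16} {v['status']:<14} {v.get('mode') or v.get('reason')}")
```

The verdict separates "no rule at all" from "rule present but on a key type you did not expect", which is what matters once SSE-S3 is the account-wide baseline: the interesting finding is usually a bucket on the wrong key type rather than one with no encryption.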
Implementation:
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the Buckets list, choose the name of the bucket that you want.
Choose Properties.
Under Default encryption, choose Edit.
To enable server-side encryption, choose Enable.
To enable server-side encryption using an Amazon S3-managed key, under Encryption key type, choose Amazon S3 managed keys (SSE-S3).
Choose Save changes.
Using AWS CLI:
This example configures default bucket encryption with Amazon S3-managed encryption (SSE-S3). It replaces any existing default-encryption rule, so check the current setting first: running it against a bucket configured for SSE-KMS would downgrade that bucket to SSE-S3.
aws s3api put-bucket-encryption \
    --bucket <bucket name> \
    --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'
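As an added example (not code from this page or from AWS), the Python below builds the --server-side-encryption-configuration document used in the Implementation step, for SSE-S3 as on the page and for SSE-KMS with an optional customer managed key and S3 Bucket Key, and decides per bucket whether the command should run at all. The KMS key ARN, bucket names and the SAMPLE_KMS_OUTPUT document are constructed; build_sse_config, put_encryption_argv and plan_remediation are names chosen here.

```python
"""Build and plan the put-bucket-encryption call from the Implementation step
(added example; not code from the page or from AWS).  The key ARN, bucket names
and SAMPLE_KMS_OUTPUT are constructed."""
import json
import shlex
import subprocess
from typing import Optional

SUPPORTED = ("AES256", "aws:kms", "aws:kms:dsse")

# Exactly the JSON string the page passes to --server-side-encryption-configuration.
PAGE_AES256_CONFIG = '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'
PAGE_AES256_CONFIG_DICT = json.loads(PAGE_AES256_CONFIG)

# Constructed get-bucket-encryption output for a bucket already on SSE-KMS.
SAMPLE_KMS_OUTPUT = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
     "BucketKeyEnabled": True}]}})


def build_sse_config(algorithm: str = "AES256", kms_key_id: Optional[str] = None,
                     bucket_key_enabled: bool = False) -> dict:
    """Return the ServerSideEncryptionConfiguration document for put-bucket-encryption.
    AES256 is the page's SSE-S3 setting; aws:kms / aws:kms:dsse select SSE-KMS."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported SSEAlgorithm {algorithm!r}; expected one of {SUPPORTED}")
    if algorithm == "AES256" and (kms_key_id or bucket_key_enabled):
        raise ValueError("KMSMasterKeyID and BucketKeyEnabled only apply to SSE-KMS")
    default = {"SSEAlgorithm": algorithm}
    if kms_key_id:  # omitted for aws:kms, S3 uses the AWS managed aws/s3 key
        default["KMSMasterKeyID"] = kms_key_id
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if algorithm != "AES256":
        rule["BucketKeyEnabled"] = bucket_key_enabled  # reduces KMS request volume for SSE-KMS
    return {"Rules": [rule]}


def put_encryption_argv(bucket: str, config: dict) -> list[str]:
    """argv for the page's CLI call, ready for subprocess.run (no shell quoting needed)."""
    return ["aws", "s3api", "put-bucket-encryption", "--bucket", bucket,
            "--server-side-encryption-configuration", json.dumps(config)]


def current_algorithm(get_output: Optional[str]) -> Optional[str]:
    """SSEAlgorithm currently configured, or None when get-bucket-encryption found no rule."""
    if get_output is None:
        return None
    for rule in json.loads(get_output)["ServerSideEncryptionConfiguration"]["Rules"]:
        if "ApplyServerSideEncryptionByDefault" in rule:
            return rule["ApplyServerSideEncryptionByDefault"].get("SSEAlgorithm")
    return None


def plan_remediation(bucket: str, get_output: Optional[str]) -> Optional[list[str]]:
    """Decide what to run for one bucket.  A bucket that already has a supported
    rule is left untouched: re-running the page's AES256 command on a bucket
    configured for SSE-KMS would silently downgrade it to SSE-S3."""
    if current_algorithm(get_output) in SUPPORTED:
        return None
    return put_encryption_argv(bucket, build_sse_config("AES256"))


def apply(argv: list[str], dry_run: bool = True) -> int:
    """Run (or, by default, only print) the remediation command; returns the exit code."""
    if dry_run:
        print("DRY RUN:", shlex.join(argv))
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one bucket with no rule, one already on SSE-KMS.
    for bucket, output in [("scratch-plain", None), ("pii-sse-kms", SAMPLE_KMS_OUTPUT)]:
        argv = plan_remediation(bucket, output)
        print(bucket, "->", "no change" if argv is None else f"exit {apply(argv)}")
```

Feed plan_remediation the stdout of the get-bucket-encryption call from the Test Plan (or None when that call failed with ServerSideEncryptionConfigurationNotFoundError), review the dry-run output, then call apply(argv, dry_run=False) for the buckets you actually want to change.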
Backout Plan:
Log in to the AWS Management Console
Go to the S3 console at https://s3.console.aws.amazon.com/s3
Select the bucket on which default encryption is to be disabled.
Go to the properties tab
Scroll down and go to Default Encryption and click on the Edit button
Select the Disable radio button under Server-side encryption and choose Save changes.
Using AWS CLI:
To delete the server-side encryption configuration of a bucket (only the default for new uploads changes; objects already stored keep their existing encryption):
aws s3api delete-bucket-encryption --bucket <bucket name>
Reference:
Enabling Amazon S3 default bucket encryption - Amazon Simple Storage Service
Securing backup data in Amazon S3 and Amazon Simple Storage Service - AWS Prescriptive Guidance