Description:

Data encryption is the process of converting raw data into a coded form to help ensure that only authorized parties can read it. Encryption often uses a “key” (usually a large number) stored separately from the data to ensure that only the key holder can read it. Data encryption is often required by regulations as well as internal security standards. AWS has several offerings in the data encryption space.

Within Amazon S3, Server-Side Encryption (SSE) is the simplest data encryption option available. SSE offloads the heavy lifting of encryption to the AWS side; SSE-S3 is the simplest method to use because the encryption keys are handled and managed by AWS. SSE-S3 is based on the AES-256 encryption algorithm, a symmetric cipher. You cannot access this key or use it manually for any other encryption processing. The key is itself encrypted with a master key that is regularly rotated.

Rationale:

The encryption context is not secret. It appears in plaintext in AWS CloudTrail logs, so you can use it to identify and categorize your cryptographic operations. An encryption context can consist of any keys and values. However, because it is not secret and not encrypted, your encryption context should not include sensitive information. We recommend that your encryption context describe the data being encrypted or decrypted. For example, when you encrypt a file, you might use part of the file path as the encryption context.

Impact:

Enabling server-side encryption (SSE) on S3 buckets at the object level protects data at rest and helps prevent the breach of sensitive information assets.

Default Value: 

By default, Default encryption is disabled in S3 buckets.


Pre-Requisite: 

  • Sign in as an admin or IAM user with the required permissions

Remediation:

Test Plan:

  • Log in to the AWS Management Console 

  • Go to the S3 console at https://s3.console.aws.amazon.com/s3

  • In the S3 console, choose the buckets to examine

  • Go to the properties tab 

  • Scroll down to Default Encryption, where it is shown as enabled or disabled.

Using AWS CLI:

To retrieve the server-side encryption configuration for a bucket:

aws s3api get-bucket-encryption 
    --bucket <bucket name>


Implementation:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Buckets list, choose the name of the bucket that you want.

  3. Choose Properties.

  4. Under Default encryption, choose Edit. 

  5. To enable server-side encryption, choose Enable. 

  6. To enable server-side encryption using an Amazon S3-managed key, under Encryption key type, choose 

  7. Choose Save changes.  


Using AWS CLI:

This example configures default bucket encryption with Amazon S3-managed encryption (SSE-S3):

aws s3api put-bucket-encryption --bucket bucket-name --server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
            }
        }
    ]
}'
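The Test Plan and Implementation steps above describe checking and then setting default encryption bucket by bucket. As an added example that is not part of this benchmark or any AWS tooling, the script below parses the output of `aws s3api get-bucket-encryption` (including the error the CLI prints when no default encryption is configured), decides whether the control passes, and produces the `put-bucket-encryption` command from the Implementation section for each failing bucket. The sample outputs and bucket names are constructed, and the KMS key ARN is a placeholder.

```python
import json
from typing import Dict, Optional

# Constructed sample CLI output, shaped like `aws s3api get-bucket-encryption`
# (not captured from a real account). The KMS key ARN is a placeholder.
SAMPLE_SSE_S3 = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
SAMPLE_SSE_KMS = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
     "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER-KEY-ID"}}]}})
# When no default encryption is configured, the CLI prints an error instead of JSON.
SAMPLE_NOT_CONFIGURED = ("An error occurred (ServerSideEncryptionConfigurationNotFoundError) "
                         "when calling the GetBucketEncryption operation: "
                         "The server side encryption configuration was not found")

def default_encryption_algorithm(cli_output: str) -> Optional[str]:
    """Return the SSEAlgorithm the bucket applies by default, or None when no
    default encryption is configured (or the output cannot be parsed)."""
    if "ServerSideEncryptionConfigurationNotFoundError" in cli_output:
        return None
    try:
        doc = json.loads(cli_output)
    except json.JSONDecodeError:
        return None
    for rule in doc.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm:
            return algorithm
    return None

def is_compliant(cli_output: str) -> bool:
    """The control passes with either S3-managed (AES256) or KMS (aws:kms) keys."""
    return default_encryption_algorithm(cli_output) in ("AES256", "aws:kms")

def remediation_command(bucket: str) -> str:
    """Build the put-bucket-encryption call from the Implementation section (SSE-S3)."""
    config = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    return (f"aws s3api put-bucket-encryption --bucket {bucket} "
            f"--server-side-encryption-configuration '{json.dumps(config)}'")

def audit(results: Dict[str, str]) -> Dict[str, str]:
    """Map each non-compliant bucket name to the command that remediates it.
    `results` maps bucket name -> raw get-bucket-encryption output."""
    return {b: remediation_command(b) for b, out in results.items() if not is_compliant(out)}

if __name__ == "__main__":
    findings = audit({"logs-bucket": SAMPLE_SSE_S3, "kms-bucket": SAMPLE_SSE_KMS,
                      "legacy-bucket": SAMPLE_NOT_CONFIGURED})
    for bucket, fix in findings.items():
        print(f"{bucket}: default encryption missing -> {fix}")
```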

Backout Plan:

  • Log in to the AWS Management Console

  • Go to the S3 console at https://s3.console.aws.amazon.com/s3

  • Select the S3 buckets on which to disable default encryption.

  • Go to the properties tab

  • Scroll down to Default Encryption and click the Edit button

  • Click the Disable radio button under Server-side encryption and click the Save button.


Using AWS CLI:

To delete the server-side encryption configuration of a bucket: