Description:
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon S3 provides a variety of no- or low-cost encryption options to protect data at rest.
Rationale:
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Impact:
Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.
Default value:
Encryption is disabled by default
Pre-Requisite:
S3 bucket
Remediation:
Test Plan:
AWS Console Process
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
Click on 'Properties'.
Verify that Default Encryption is enabled, and displays either AES-256, AWS-KMS, SSE-KMS or SSE-S3.
Using AWS CLI
Run command to list buckets
aws s3 ls
For each bucket, run
aws s3api get-bucket-encryption --bucket <bucket-name>
Verify that either
"SSEAlgorithm": "AES256"
or
"SSEAlgorithm": "aws:kms"
is displayed.
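The CLI check above is easy to script across every bucket in an account. The script below is an added example, not part of the benchmark text: it classifies the output of aws s3api get-bucket-encryption as SSE-S3 (AES256), SSE-KMS (aws:kms) or not configured, and treats the ServerSideEncryptionConfigurationNotFoundError the CLI prints when no default encryption exists as a finding rather than a script failure. The sample outputs and the function names are constructed for illustration; the live audit loop runs only when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the benchmark). Classifies the combined stdout/stderr
# of `aws s3api get-bucket-encryption` passed as $1.
# Prints the classification and returns 0 when compliant, 1 otherwise.
classify_bucket_encryption() {
  out=$1
  # No default encryption at all: the CLI reports this error and exits non-zero.
  if printf '%s' "$out" | grep -q 'ServerSideEncryptionConfigurationNotFoundError'; then
    printf 'NOT_CONFIGURED'
    return 1
  fi
  # Pull the SSEAlgorithm value out of the JSON; spacing may vary between CLI versions.
  algo=$(printf '%s' "$out" \
    | sed -n 's/.*"SSEAlgorithm"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1)
  case $algo in
    AES256)  printf 'SSE-S3';  return 0 ;;   # accepted by the test plan
    aws:kms) printf 'SSE-KMS'; return 0 ;;   # accepted by the test plan
    *)       printf 'UNKNOWN:%s' "$algo"; return 1 ;;
  esac
}

# Live audit: one PASS/FAIL line per bucket. Bucket names cannot contain
# spaces, so the third column of `aws s3 ls` is the name.
audit_all_buckets() {
  aws s3 ls | awk '{print $3}' | while read -r bucket; do
    out=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>&1)
    if status=$(classify_bucket_encryption "$out"); then
      printf 'PASS\t%s\t%s\n' "$bucket" "$status"
    else
      printf 'FAIL\t%s\t%s\n' "$bucket" "$status"
    fi
  done
}

# Constructed sample outputs (not captured from a real account) so the
# classifier can be exercised without AWS credentials.
SAMPLE_SSE_S3='{"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}, "BucketKeyEnabled": false}]}}'
SAMPLE_SSE_KMS='{"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}, "BucketKeyEnabled": true}]}}'
SAMPLE_NONE='An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found'

if [ "${1:-}" = "--live" ]; then
  audit_all_buckets
fi
```

Run it as sh audit-s3-encryption.sh --live with credentials that allow s3:ListAllMyBuckets and s3:GetEncryptionConfiguration; any FAIL line names a bucket that needs the remediation in the Implementation Plan below.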
Implementation Plan:
AWS Console Process
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
Click on 'Properties'.
Click edit on Default Encryption.
Select server-side encryption enable and select either SSE-KMS or SSE-S3.
Click save changes.
Using AWS CLI
Run either
aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
or
aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'
Note: the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.
Backout Plan:
AWS Console Process
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Click on the bucket name you want to open.
Click on 'Properties'.
Click edit on Default Encryption.
Select Disable and click on save changes.
Using AWS CLI
aws s3api delete-bucket-encryption --bucket <bucket-name>