Description:

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon S3 provides a variety of no- or low-cost encryption options to protect data at rest.

Rationale:

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Impact:

Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.

Default value:

Encryption is disabled by default

Pre-Requisite:

S3 bucket

Remediation:

Test Plan:

  • AWS Console Process

  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open. 

  3. Click on 'Properties'.  

  4. Verify that Default Encryption is enabled, and displays either AES-256, AWS-KMS, SSE-KMS or SSE-S3.  


Using AWS CLI

Run command to list buckets 

aws s3 ls

For each bucket, run 

aws s3api get-bucket-encryption --bucket <bucket-name>

Verify that either

 "SSEAlgorithm": "AES256"

 or 

"SSEAlgorithm": "aws:kms"

is displayed.
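The CLI steps above can be run over every bucket in the account at once. The script below is an added example and is not part of the benchmark text: it lists buckets with `aws s3 ls`, calls `aws s3api get-bucket-encryption` for each, and classifies the result from the `SSEAlgorithm` value exactly as the test plan describes. It assumes the AWS CLI is installed and that the configured credentials hold `s3:ListAllMyBuckets` and `s3:GetEncryptionConfiguration`; the `SAMPLE_KMS` JSON is a constructed copy of the CLI's output shape so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added audit helper for the Test Plan (example code, not from the benchmark).
# Assumes: AWS CLI on PATH, credentials with s3:ListAllMyBuckets and
# s3:GetEncryptionConfiguration.

# classify_encryption reads the JSON printed by
# `aws s3api get-bucket-encryption` on stdin and prints one of:
#   SSE-S3   -> "SSEAlgorithm": "AES256"
#   SSE-KMS  -> "SSEAlgorithm": "aws:kms"
#   NONE     -> no SSEAlgorithm present (bucket has no default encryption)
classify_encryption() {
    algo=$(grep -o '"SSEAlgorithm": *"[^"]*"' | head -n 1 \
           | sed 's/.*: *"\([^"]*\)"/\1/')
    case "$algo" in
        AES256)  echo "SSE-S3" ;;
        aws:kms) echo "SSE-KMS" ;;
        *)       echo "NONE" ;;
    esac
}

# audit_buckets prints "<bucket> <status>" for every bucket in the account.
# A bucket with no default encryption makes the CLI exit non-zero with
# ServerSideEncryptionConfigurationNotFoundError; stderr is discarded and the
# empty stdout is classified as NONE. Any bucket reported as NONE fails the
# test plan; SSE-KMS buckets additionally cannot serve as server access log
# destinations (see Impact above).
audit_buckets() {
    aws s3 ls | awk '{print $3}' | while read -r bucket; do
        status=$(aws s3api get-bucket-encryption --bucket "$bucket" \
                     2>/dev/null </dev/null | classify_encryption)
        echo "$bucket $status"
    done
}

# Constructed sample of the CLI's JSON for an SSE-KMS bucket (not real output).
SAMPLE_KMS='{"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "aws/s3"}}]}}'

# Run the live audit only when invoked as: sh audit-s3-encryption.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_buckets
fi
```

Running the script with the `audit` argument prints one line per bucket; any line ending in `NONE` is a bucket that needs the Implementation Plan applied. The classifier is kept separate from the AWS calls so it can be checked against saved CLI output without credentials.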

Implementation Plan:

  • AWS Console Process

  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open.

  3. Click on 'Properties'.  

  4. Click edit on Default Encryption.  

  5. Select server-side encryption enable and select either SSE-KMS or SSE-S3.  

  6. Click save changes.



  • Using AWS CLI

Run either

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

or

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'

Note: the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.

Backout Plan:

  • AWS Console Process

  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open.

  3. Click on 'Properties'.  

  4. Click edit on Default Encryption. 

  5. Select Disable and click on save changes.  



Using AWS CLI

aws s3api delete-bucket-encryption \
--bucket <bucket name>

Reference:

Setting default server-side encryption behavior for Amazon S3 buckets - Amazon Simple Storage Service

s3api — AWS CLI 1.27.33 Command Reference (amazon.com)