Profile Applicability:
- Level 1
Description:
Amazon S3 supports server-side encryption with AWS Key Management Service (KMS) keys (SSE-KMS) to protect your data at rest. When KMS encryption is enabled on S3 buckets, objects are encrypted with a customer-managed AWS KMS key, providing an additional layer of security. This ensures that only authorized users with the necessary permissions can access the encryption keys, offering control over who can decrypt the data. Enabling KMS encryption on S3 buckets is essential for compliance and ensuring the protection of sensitive data.
Rationale:
Using KMS encryption for S3 objects ensures that data is protected both at rest and in transit. KMS enables centralized key management and auditing capabilities, which are essential for meeting compliance requirements such as GDPR, HIPAA, SOC 2, and PCI-DSS. Enabling KMS encryption on S3 buckets helps prevent unauthorized access to sensitive data, as the encryption keys are tightly controlled and audited.
Impact:
Pros:
- Provides encryption at rest, ensuring data protection even if the storage infrastructure is compromised.
- Offers centralized management of encryption keys through AWS KMS, allowing control over who can access and decrypt the data.
- Enhances compliance with industry standards and regulations requiring encryption of sensitive data.
- Integrates seamlessly with AWS IAM policies for fine-grained access control.
Cons:
- Requires managing KMS keys and their permissions.
- KMS encryption may incur additional costs depending on key usage and requests.
- May introduce slight latency due to the encryption and decryption processes.
Default Value:
By default, S3 buckets do not have KMS encryption enabled. It must be explicitly configured to use AWS KMS keys for server-side encryption.
Pre-requisites:
AWS IAM permissions to manage S3 and KMS settings:
- s3:PutBucketEncryption
- s3:GetBucketEncryption
- kms:Encrypt
- kms:Decrypt
Access to the S3 bucket and the appropriate KMS key to enable encryption.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to S3 and select Buckets from the left-hand menu.
Select the S3 bucket you want to check.
Under the Properties tab, scroll down to the Default encryption section.
Check if KMS encryption is enabled. The encryption type should be listed as AWS-KMS and the KMS key ID should be displayed.
If KMS encryption is not enabled, click Edit, select AWS-KMS under Encryption, and choose the appropriate KMS key.
Save the changes and verify that KMS encryption is now enabled.
Using AWS CLI:
List all S3 buckets:
aws s3api list-buckets --query "Buckets[*].Name"
For each bucket, check if KMS encryption is enabled:
aws s3api get-bucket-encryption --bucket <BUCKET_NAME>
The output should show "SSEAlgorithm": "aws:kms" if KMS encryption is enabled.
If KMS encryption is not enabled, enable it by running:
aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<KMS_KEY_ID>"}}]}'
Replace <BUCKET_NAME> with the bucket name and <KMS_KEY_ID> with the appropriate KMS key ID (or key ARN) for your organization.
Verify the updated encryption configuration:
aws s3api get-bucket-encryption --bucket <BUCKET_NAME>
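The bucket-by-bucket check above, as an added Python example that is not part of this benchmark's text: classify() evaluates the response shape of get-bucket-encryption (the same dict boto3's get_bucket_encryption returns) and audit() lists buckets whose default encryption is not a customer-managed KMS key. The bucket names, key ARN and responses are constructed samples; fetch_live is the boto3 call you would pass to audit() against a real account.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample responses in the shape of `get-bucket-encryption` output (no real
# buckets or keys). None stands for ServerSideEncryptionConfigurationNotFoundError.
def _rule(**default: object) -> dict:
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": default}]}}

SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "kms-cmk-bucket": _rule(SSEAlgorithm="aws:kms",
                            KMSMasterKeyID="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"),
    "kms-aws-managed-bucket": _rule(SSEAlgorithm="aws:kms"),  # no key ID -> AWS-managed aws/s3 key
    "sse-s3-bucket": _rule(SSEAlgorithm="AES256"),
    "no-config-bucket": None,
}

def classify(config: Optional[dict]) -> str:
    """Return 'kms-cmk', 'kms-aws-managed', 'sse-s3' or 'none' for one bucket."""
    if not config:
        return "none"
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm in ("aws:kms", "aws:kms:dsse"):
            key_id = default.get("KMSMasterKeyID", "")
            # A missing key ID or the aws/s3 alias means the AWS-managed key, not a CMK.
            return "kms-aws-managed" if not key_id or key_id.endswith("alias/aws/s3") else "kms-cmk"
        if algorithm == "AES256":
            return "sse-s3"
    return "none"

def audit(buckets: List[str], fetch: Callable[[str], Optional[dict]]) -> List[str]:
    """Buckets failing the check: default encryption is not a customer-managed KMS key."""
    return sorted(name for name in buckets if classify(fetch(name)) != "kms-cmk")

def fetch_live(bucket: str) -> Optional[dict]:
    """Fetcher for real buckets via boto3 (needs AWS credentials; not used by the sample run)."""
    import boto3  # imported here so the sample run works without the SDK installed
    from botocore.exceptions import ClientError
    try:
        return boto3.client("s3").get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return None  # bucket has no default encryption configuration at all
        raise

if __name__ == "__main__":
    # Live use: audit(<names from list-buckets>, fetch_live)
    for name in SAMPLE_RESPONSES:
        print(f"{name}: {classify(SAMPLE_RESPONSES[name])}")
    print("non-compliant:", audit(list(SAMPLE_RESPONSES), SAMPLE_RESPONSES.get))
```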
Implementation Plan:
Using AWS Console:
Open the S3 Console and select the bucket you want to configure.
Under the Properties tab, go to the Default encryption section.
Choose AWS-KMS as the encryption method and select the appropriate KMS key (or create a new one if needed).
Save the configuration and verify that KMS encryption is enabled.
Using AWS CLI:
To enable KMS encryption for a bucket, run the following command:
aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<KMS_KEY_ID>"}}]}'
Verify the encryption configuration:
aws s3api get-bucket-encryption --bucket <BUCKET_NAME>
Backout Plan:
Using AWS Console:
If enabling KMS encryption causes issues, sign in to the AWS Management Console.
Navigate to Amazon S3, select the bucket, and go to the Properties tab.
Under Default Encryption, choose Disable encryption or change the encryption method to S3-managed keys (if appropriate).
Save the changes and monitor the bucket to ensure it functions as expected.
Using AWS CLI:
To disable KMS encryption or revert to another encryption method, run:
aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } } ] }'
Verify the encryption settings have been updated:
aws s3api get-bucket-encryption --bucket <BUCKET_NAME>
Reference:
- Amazon S3: Server-Side Encryption with KMS
- AWS CLI: get-bucket-encryption
- AWS CLI: put-bucket-encryption
CIS Controls: