Profile Applicability:
- Level 1
Description:
This control ensures that all Amazon S3 buckets have default encryption (Server-Side Encryption, SSE) enabled or, alternatively, enforce encryption at upload time via a bucket policy. Enabling default encryption ensures all new objects stored in the bucket are automatically encrypted at rest using SSE-S3 (AES-256), SSE-KMS (AWS Key Management Service), or SSE-C (customer-provided keys). This helps protect data against unauthorized access, comply with data protection standards, and maintain consistent encryption practices across the organization.
Rationale:
Encryption of S3 data at rest is a key control for protecting sensitive information and ensuring compliance with frameworks such as CIS, SOC 2, ISO 27001, HIPAA, and GDPR.
Without default encryption or an enforcing bucket policy, users could inadvertently upload unencrypted data, resulting in:
- Data exposure risks.
- Compliance violations.
- Potential data integrity issues.
By enabling default encryption or enforcing encryption through a policy, all new data is secured automatically, even if clients do not explicitly request encryption during upload.
Impact:
- Positive Impact: Ensures all stored data is encrypted by default. Simplifies compliance with encryption and data privacy regulations. Reduces risk of human error or application misconfiguration.
- Negative Impact: Minor increase in KMS API costs if using SSE-KMS. Slight latency increase during encryption/decryption (typically negligible).
Default Value:
By default, S3 buckets do not have encryption enabled. Encryption must be manually enabled per bucket or enforced via a bucket policy.
Pre-Requisite:
IAM permissions required:
- s3:GetBucketEncryption
- s3:PutBucketEncryption
- s3:PutBucketPolicy
Optional: AWS KMS key (CMK) for SSE-KMS encryption.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon S3 → Buckets.
Select the bucket.
Under the Properties tab, scroll to Default encryption.
Verify that Default encryption is Enabled.
Confirm whether the encryption type is SSE-S3 or SSE-KMS.
If not enabled, proceed with the implementation plan.
Implementation Plan
Using AWS Console:
Go to Amazon S3 → Buckets → [Your Bucket] → Properties.
Scroll to Default encryption and click Edit.
Enable Default encryption.
Choose one of the following encryption methods:
SSE-S3 (AES-256) — Amazon-managed keys.
SSE-KMS — AWS Key Management Service with a CMK.
Click Save changes.
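The following is an added example (not part of this benchmark text) that carries out the Test Plan and the Implementation Plan above programmatically rather than in the console. The audit functions work on the plain dict shapes that boto3's get_bucket_encryption and get_bucket_policy return, so everything runs offline against constructed sample responses; only apply_to_bucket() talks to AWS and assumes boto3 is installed with working credentials. The bucket names, the account ID 111122223333 and the key ID EXAMPLE-KEY-ID are constructed placeholders.

```python
"""Audit and remediation helpers for the S3 default-encryption control.

Added example, not part of the benchmark. Audit functions take the dict/JSON
shapes boto3 returns, so they run offline; apply_to_bucket() is the only call
that touches AWS (assumes boto3 and credentials).
"""
import json

# Algorithms the control accepts as a bucket default: SSE-S3 and SSE-KMS.
ACCEPTED_ALGORITHMS = {"AES256", "aws:kms"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def default_encryption_algorithm(encryption_response):
    """Return the SSEAlgorithm configured as the bucket default, or None.

    encryption_response is the dict from get_bucket_encryption; pass None when
    that call raised ServerSideEncryptionConfigurationNotFoundError, which is
    how S3 reports a bucket with no default encryption.
    """
    if not encryption_response:
        return None
    config = encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ACCEPTED_ALGORITHMS:
            return algo
    return None


def policy_denies_unencrypted_uploads(policy_document):
    """True if a Deny on s3:PutObject fires when the request omits the
    x-amz-server-side-encryption header (Null condition) or sets it to a value
    outside ACCEPTED_ALGORITHMS (StringNotEquals condition)."""
    if not policy_document:
        return False
    if isinstance(policy_document, str):  # get_bucket_policy returns JSON text
        policy_document = json.loads(policy_document)
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*"}:
            continue
        cond = stmt.get("Condition", {})
        null_cond = cond.get("Null", {}).get("s3:x-amz-server-side-encryption")
        if str(null_cond).lower() == "true":
            return True
        not_equals = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if not_equals and set(_as_list(not_equals)) <= ACCEPTED_ALGORITHMS:
            return True
    return False


def evaluate_bucket(bucket_name, encryption_response, policy_document):
    """One finding per bucket: PASS if either mechanism the control allows is present."""
    algo = default_encryption_algorithm(encryption_response)
    enforced = policy_denies_unencrypted_uploads(policy_document)
    return {"bucket": bucket_name, "status": "PASS" if (algo or enforced) else "FAIL",
            "default_sse": algo, "policy_enforces_sse": enforced}


def build_default_encryption_config(algorithm="AES256", kms_key_id=None):
    """Body for put_bucket_encryption's ServerSideEncryptionConfiguration argument."""
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"unsupported default algorithm: {algorithm}")
    by_default = {"SSEAlgorithm": algorithm}
    rule = {"ApplyServerSideEncryptionByDefault": by_default}
    if algorithm == "aws:kms":
        if kms_key_id:  # omit to fall back to the AWS-managed aws/s3 key
            by_default["KMSMasterKeyID"] = kms_key_id
        rule["BucketKeyEnabled"] = True  # S3 Bucket Keys reduce the per-object KMS calls noted under Impact
    return {"Rules": [rule]}


def build_deny_unencrypted_policy(bucket_name):
    """Bucket policy for the alternative the control allows: refuse any PutObject without an SSE header."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket_name}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}


def apply_to_bucket(bucket_name, algorithm="AES256", kms_key_id=None):
    """Remediate a real bucket (assumes boto3 and credentials; not exercised offline)."""
    import boto3
    boto3.client("s3").put_bucket_encryption(
        Bucket=bucket_name,
        ServerSideEncryptionConfiguration=build_default_encryption_config(algorithm, kms_key_id))


# Constructed sample response standing in for a live get_bucket_encryption call.
SAMPLE_KMS_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for name, enc, pol in [("kms-bucket", SAMPLE_KMS_BUCKET, None),
                           ("policy-only-bucket", None, json.dumps(build_deny_unencrypted_policy("policy-only-bucket"))),
                           ("unprotected-bucket", None, None)]:
        print(json.dumps(evaluate_bucket(name, enc, pol)))
```

ACCEPTED_ALGORITHMS mirrors the two options the Implementation Plan offers (SSE-S3 and SSE-KMS). The bucket policy is evaluated on the request as sent, so if you enable default encryption and also attach the Null-condition policy, clients that rely on the default and omit the x-amz-server-side-encryption header will be denied; treat the two mechanisms as the alternatives the control describes and pick one deliberately.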
Backout Plan
Using AWS Console:
Navigate to Amazon S3 → Buckets → [Your Bucket] → Properties.
Scroll to Default encryption and click Edit.
Disable Default encryption and save changes.
References: