Ensure Encryption-at-Rest Rule
This rule ensures all S3 buckets employ encryption-at-rest.
| Rule | Ensure all S3 buckets employ encryption-at-rest |
| Framework | cis_v140 |
| Severity | ✔ High |
Rule Description
The rule cis_v140 requires that all S3 buckets employ encryption-at-rest. Encryption-at-rest ensures that data stored in S3 buckets is protected and inaccessible to unauthorized individuals even if the physical storage devices are compromised.
Troubleshooting Steps
- 1.Check if encryption-at-rest is enabled for the S3 bucket.
- 2.Verify if the appropriate encryption algorithm and key management service (KMS) are used.
- 3.Ensure that access permissions are correctly configured to allow encryption.
Necessary Code
No specific code is provided for this policy.
Step-by-Step Guide for Remediation
Follow these steps to ensure that encryption-at-rest is enabled for S3 buckets:
- 1.
Sign in to the AWS Management Console.
- 2.
Open the Amazon S3 service.
- 3.
Select the S3 bucket you want to enable encryption-at-rest for.
- 4.
Click on the "Properties" tab.
- 5.
Under "Default encryption," check if encryption is enabled. If not, click on "Edit."
- 6.
Choose the encryption algorithm you want to use (e.g., SSE-S3, SSE-KMS, or SSE-C) and configure the settings accordingly.
- 7.
If using SSE-KMS, select the Key Management Service (KMS) key you want to use from the drop-down list.
- 8.
Click "Save" to apply the encryption settings.
- 9.
Repeat steps 3-8 for each S3 bucket to ensure all buckets are encrypted-at-rest.
It is recommended to regularly review the encryption settings and perform audits to ensure adherence to this policy.