Login

Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: S3 Bucket Default Encryption Should Be Enabled with KMS

This rule ensures that S3 buckets have default encryption enabled with Key Management Service (KMS).

RuleS3 bucket default encryption should be enabled with KMS
FrameworkCISA-cyber-essentials
Severity
Medium

Rule Description

S3 bucket default encryption with KMS should be enabled for CISA Cyber Essentials compliance. This rule ensures that all objects stored in the S3 bucket are automatically encrypted using AWS Key Management Service (KMS) for enhanced security and compliance.

Enabling default encryption with KMS provides an added layer of protection for sensitive data stored in S3 buckets and helps organizations adhere to data protection regulations such as CISA Cyber Essentials.

Troubleshooting Steps

If the default encryption with KMS is not enabled for your S3 bucket, you can follow these troubleshooting steps:

  2. 1.

    Check S3 Bucket Encryption Settings:

    • Go to the Amazon S3 console.
    • Select the appropriate S3 bucket.
    • Click on the "Properties" tab.
    • In the "Default encryption" section, ensure that the encryption type is set to "AWS Key Management Service (AWS KMS)".
    • Verify that a KMS key ARN is specified as the default encryption key.
  4. 2.

    Check KMS Key Policy:

    • Go to the AWS Key Management Service (KMS) console.
    • Select the appropriate KMS key used for S3 bucket encryption.
    • Click on the "Key policy" tab.
    • Ensure that the key policy allows the necessary permissions for encrypting and decrypting objects in the S3 bucket.
  6. 3.

    Check IAM Policies and Roles:

    • Verify that the IAM policies and roles associated with your AWS account or user have the necessary permissions to enable default encryption with KMS for S3 buckets.

Necessary Codes

If default encryption with KMS is not enabled for an S3 bucket, you can use the following AWS CLI command to enable it:

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "<KMS-key-ID>"}}]}'

Make sure to replace 

<bucket-name>
with the name of your S3 bucket and 
<KMS-key-ID>
with the ARN of the desired KMS key.

Remediation Steps

To enable default encryption with KMS for an S3 bucket, follow these step-by-step instructions:

  2. 1.

    Open the AWS Management Console and go to the Amazon S3 service.

  4. 2.

    Select the desired S3 bucket for which you want to enable default encryption.

  6. 3.

    Click on the "Properties" tab.

  8. 4.

    In the "Default encryption" section, click on the "Edit" button.

  10. 5.

    Choose "AWS Key Management Service (AWS KMS)" as the encryption type.

  12. 6.

    Select the appropriate KMS key from the dropdown menu or enter the ARN of the desired KMS key manually.

  14. 7.

    Click on the "Save" button to enable default encryption with KMS for the S3 bucket.

Once the default encryption with KMS is enabled, all objects stored in the S3 bucket will be automatically encrypted using the specified KMS key, enhancing the security and compliance of your data.

Is your System Free of Underlying Vulnerabilities?
Find Out Now