
Rule: S3 Bucket Default Encryption should be Enabled with KMS

This rule ensures that S3 buckets have default encryption enabled with Key Management Service (KMS).

Rule: S3 bucket default encryption should be enabled with KMS
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description:

S3 bucket default encryption should be enabled with Key Management Service (KMS) for FedRAMP Low Revision 4 compliance. This rule helps to ensure that the data stored in S3 buckets is encrypted by default using a KMS key, which provides an extra layer of security to protect sensitive data and comply with the security standards required by FedRAMP Low Revision 4.

Troubleshooting Steps:

If the default encryption with KMS is not enabled or configured properly for an S3 bucket, follow these troubleshooting steps to rectify the issue:

  1. Verify KMS Key:

    • Check that a suitable KMS key exists in the same AWS region as the bucket (S3 default encryption can only use a key from the bucket's region).
    • Ensure that the key policy grants the principals that read and write the bucket the permissions they need (at minimum kms:GenerateDataKey and kms:Decrypt), and that the key is enabled.

  2. Verify S3 Encryption Configuration:

    • Check the bucket's encryption settings to confirm whether default encryption with KMS is enabled.
    • If it is not enabled, proceed to enable it.

  3. Check IAM Permissions:

    • Ensure that the IAM user or role interacting with the S3 bucket has the permissions needed to view and change default encryption (s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration).
    • If required, update the IAM policies to grant those permissions.

  4. Test Encryption:

    • Upload a test file to the S3 bucket without specifying any encryption headers and verify that the file is automatically encrypted with the configured KMS key.
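Step 2 above is the check a scanner performs: read each bucket's encryption configuration and decide whether the default algorithm is SSE-KMS. The following is an added example, not code from the rule page or from Cloud Defense, that evaluates the dict returned by the S3 GetBucketEncryption API (boto3's s3.get_bucket_encryption) against this rule. It also treats the "no configuration at all" case and the dual-layer SSE-KMS algorithm, which the rule text does not spell out. The bucket names, account ID and key ARN in the samples are constructed placeholders.

```python
"""Evaluate S3 default-encryption configurations against the rule
"S3 bucket default encryption should be enabled with KMS".

Input per bucket is the dict returned by GetBucketEncryption, or None when
that call raised ServerSideEncryptionConfigurationNotFoundError (the bucket
has no default encryption configured at all).
Sample configurations below are constructed for this example.
"""
from __future__ import annotations

from typing import Optional

# SSE-KMS and dual-layer SSE-KMS both satisfy "encrypted with KMS"
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def evaluate_default_encryption(config: Optional[dict]) -> tuple[str, str]:
    """Return ("PASS" | "FAIL", reason) for one bucket's configuration."""
    if config is None:
        return "FAIL", "no default encryption configuration"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "FAIL", "encryption configuration contains no rules"
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algorithm = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")  # API spelling differs from CloudFormation's KMSMasterKeyId
        if algorithm not in KMS_ALGORITHMS:
            return "FAIL", f"default algorithm is {algorithm}, not SSE-KMS"
        if not key_id:
            # Still SSE-KMS, but with the AWS-managed key aws/s3, whose key policy
            # you cannot edit; flag it in the reason so reviewers can decide.
            return "PASS", f"{algorithm} with the AWS-managed key aws/s3 (no customer-managed key)"
        return "PASS", f"{algorithm} with key {key_id}"
    return "FAIL", "no rule declares a default encryption algorithm"


def evaluate_buckets(configs: dict[str, Optional[dict]]) -> dict[str, tuple[str, str]]:
    """Evaluate a mapping of bucket name -> GetBucketEncryption result (or None)."""
    return {name: evaluate_default_encryption(cfg) for name, cfg in configs.items()}


def failing_buckets(configs: dict[str, Optional[dict]]) -> list[str]:
    """Names of buckets that violate the rule, sorted for stable reporting."""
    return sorted(name for name, (status, _) in evaluate_buckets(configs).items() if status == "FAIL")


# Constructed sample responses (placeholder account ID and key ID)
_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_CONFIGS: dict[str, Optional[dict]] = {
    "logs-unencrypted": None,
    "docs-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}, "BucketKeyEnabled": False}]}},
    "finance-kms": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": _KEY_ARN},
         "BucketKeyEnabled": True}]}},
    "backups-kms-aws-managed": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}

if __name__ == "__main__":
    for bucket, (status, reason) in evaluate_buckets(SAMPLE_CONFIGS).items():
        print(f"{status:4} {bucket}: {reason}")
```

With a real client the input mapping is built by calling get_bucket_encryption for each bucket from list_buckets and catching the ServerSideEncryptionConfigurationNotFoundError client error as None; the evaluation logic itself does not change.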

Necessary Code:

If you need to enforce default encryption with KMS for S3 buckets, you can utilize the following AWS CloudFormation template to configure the encryption settings:

Resources:
  MyS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyId: <KMS_Key_ID>

Replace <KMS_Key_ID> with the ID or ARN of the KMS key you want to use for encryption. The key must be in the same region as the bucket, and BucketName is a placeholder as well: bucket names are globally unique, so my-bucket must be changed to a name you own.

Step-by-Step Guide for Remediation:

To enable default encryption with KMS for an existing S3 bucket or during the creation of a new bucket, follow these step-by-step instructions:

  1. Console:

    • Sign in to the AWS Management Console.

  2. S3 Service:

    • Navigate to the S3 service.

  3. Bucket Selection:

    • Select the bucket for which you want to enable default encryption with KMS.

  4. Properties Tab:

    • Click on the "Properties" tab in the bucket details view.

  5. Default Encryption:

    • Scroll down to the "Default encryption" section.

  6. Edit Default Encryption:

    • Click on the "Edit" button next to "Default encryption."

  7. Encryption Settings:

    • Select "AWS Key Management Service (AWS KMS)" as the default encryption option.

  8. Specify KMS Key:

    • Choose the appropriate KMS key from the list or paste the ARN of the desired KMS key.

  9. Save Settings:

    • Click on the "Save" button to apply the changes.

  10. Verification:

    • Upload a test file to the S3 bucket and confirm that it gets automatically encrypted using the configured KMS key.

Following these steps will enable default encryption with KMS for the selected S3 bucket, ensuring compliance with the FedRAMP Low Revision 4 guidelines.
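The console steps above map onto two S3 API calls: PutBucketEncryption for steps 6 to 9, and an object upload followed by HeadObject for the verification in step 10. The following is an added example, not code from the rule page or from Cloud Defense, that performs the remediation and the verification through those calls. Its functions accept any object exposing the boto3 S3 client methods put_bucket_encryption, put_object, head_object and delete_object, so they can be run against boto3.client("s3") or against the constructed in-memory FakeS3Client included so the example runs offline. The bucket name, account ID and key ID are placeholders; the key is assumed to be given as a key ID or key ARN.

```python
"""Enable SSE-KMS default encryption on a bucket and verify it with a test object."""
from __future__ import annotations

TEST_KEY = "default-encryption-check.txt"  # placeholder object name for the verification upload


def enable_kms_default_encryption(s3, bucket: str, kms_key: str, bucket_key: bool = True) -> None:
    """API equivalent of the console 'Edit default encryption' step (PutBucketEncryption)."""
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key,
                },
                # S3 Bucket Keys reduce the number of KMS requests (and their cost); optional
                "BucketKeyEnabled": bucket_key,
            }]
        },
    )


def verify_kms_default_encryption(s3, bucket: str, kms_key: str) -> bool:
    """Upload a test object with no encryption headers and check that S3 applied the bucket default."""
    s3.put_object(Bucket=bucket, Key=TEST_KEY, Body=b"default encryption check")
    try:
        head = s3.head_object(Bucket=bucket, Key=TEST_KEY)
    finally:
        s3.delete_object(Bucket=bucket, Key=TEST_KEY)  # do not leave the probe object behind
    # HeadObject reports SSEKMSKeyId as the full key ARN, so compare on the key ID portion
    expected_key_id = kms_key.rsplit("/", 1)[-1]
    return head.get("ServerSideEncryption") == "aws:kms" and head.get("SSEKMSKeyId", "").endswith(expected_key_id)


def remediate_and_verify(s3, bucket: str, kms_key: str) -> bool:
    """Apply the setting, then confirm it took effect; True only if the test object came back KMS-encrypted."""
    enable_kms_default_encryption(s3, bucket, kms_key)
    return verify_kms_default_encryption(s3, bucket, kms_key)


class FakeS3Client:
    """Constructed in-memory stand-in for the boto3 S3 client, for running this example offline.
    Buckets without a configured default behave like S3 today: objects get SSE-S3 (AES256)."""

    def __init__(self, account_id: str = "123456789012", region: str = "us-east-1"):
        self._account_id, self._region = account_id, region
        self.encryption: dict[str, dict] = {}          # bucket -> ApplyServerSideEncryptionByDefault
        self.objects: dict[tuple[str, str], dict] = {}  # (bucket, key) -> HeadObject fields

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        rule = ServerSideEncryptionConfiguration["Rules"][0]
        self.encryption[Bucket] = rule["ApplyServerSideEncryptionByDefault"]

    def put_object(self, Bucket, Key, Body):
        default = self.encryption.get(Bucket, {"SSEAlgorithm": "AES256"})
        meta = {"ServerSideEncryption": default["SSEAlgorithm"]}
        if default["SSEAlgorithm"] == "aws:kms":
            key_id = default["KMSMasterKeyID"].rsplit("/", 1)[-1]
            meta["SSEKMSKeyId"] = f"arn:aws:kms:{self._region}:{self._account_id}:key/{key_id}"
        self.objects[(Bucket, Key)] = meta

    def head_object(self, Bucket, Key):
        return dict(self.objects[(Bucket, Key)])

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


if __name__ == "__main__":
    client = FakeS3Client()  # swap for boto3.client("s3") to run against a real account
    key_arn = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print("before:", verify_kms_default_encryption(client, "example-bucket", key_arn))
    print("after: ", remediate_and_verify(client, "example-bucket", key_arn))
```

Against a real account the caller needs s3:PutEncryptionConfiguration, s3:PutObject, s3:GetObject and s3:DeleteObject on the bucket plus kms:GenerateDataKey and kms:Decrypt on the key; a verification that fails right after a successful PutBucketEncryption usually points at the key policy rather than the bucket setting.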
