Rule: S3 Bucket Default Encryption Should Be Enabled with KMS
This rule ensures that S3 bucket default encryption is enabled with KMS for better security measures.
| Rule | S3 bucket default encryption should be enabled with KMS |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description
The rule requires that default encryption is enabled for Amazon S3 buckets using AWS Key Management Service (KMS) with NIST 800-53 Revision 5 compliance.
Troubleshooting Steps
If default encryption with KMS is not enabled for S3 buckets, follow these troubleshooting steps:
- 1.Check bucket encryption settings: Verify if default encryption is enabled for the S3 bucket.
- 2.Check encryption configuration: Ensure that the encryption configuration is set to use AWS Key Management Service (KMS).
- 3.Verify KMS key usage policy: Validate that the KMS key associated with the bucket has the necessary key usage policy to meet NIST 800-53 Revision 5 compliance.
- 4.Check KMS key configuration: Ensure that the KMS key is properly configured and is not expired or disabled.
- 5.Verify IAM roles and policies: Ensure that the IAM roles and policies associated with the bucket have the necessary permissions to access and use the KMS key.
Necessary Codes
No additional codes are required for this configuration. However, here are the necessary AWS CLI commands for verification and remediation:
- To check the encryption settings of an S3 bucket:
aws s3api get-bucket-encryption --bucket <bucket_name>
- To enable default encryption using KMS for an S3 bucket:
aws s3api put-bucket-encryption --bucket <bucket_name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID":"<kms_key_id>"}}]}'
Note: Replace
<bucket_name><kms_key_id>Step-by-Step Guide for Remediation
Follow these steps to enable default encryption with KMS for an S3 bucket:
- 1.
Verify current encryption settings:
- Run the following AWS CLI command to check if default encryption is already enabled for the bucket:
aws s3api get-bucket-encryption --bucket <bucket_name>- If default encryption is already enabled and configured with KMS, proceed to the next step. Otherwise, continue with the next steps for remediation.
- 2.
Create or identify a KMS key:
- If you don't have a KMS key, create one using the AWS Management Console or AWS CLI. Make sure the KMS key has the desired configuration and meets the NIST 800-53 Revision 5 compliance requirements.
- Note down the KMS key ID for later use.
- 3.
Enable default encryption with KMS:
- Run the following AWS CLI command to enable default encryption using KMS for the S3 bucket:
aws s3api put-bucket-encryption --bucket <bucket_name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID":"<kms_key_id>"}}]}'- Replace
with the name of the S3 bucket you want to enable default encryption for.<bucket_name> - Replace
with the ID of the KMS key you want to use for encryption.<kms_key_id>
- 4.
Verify the encryption configuration:
- Run the following AWS CLI command to verify the encryption configuration of the S3 bucket:
aws s3api get-bucket-encryption --bucket <bucket_name>- Ensure that the response shows the desired encryption configuration with the specified KMS key.
Once you have completed these steps, default encryption with KMS will be enabled for the specified S3 bucket, meeting the NIST 800-53 Revision 5 compliance requirement.