Control: 2.1.1 Ensure all S3 buckets employ encryption-at-rest
Description
Amazon S3 provides multiple encryption options to protect data at rest. With default encryption, you can set the behavior for a S3 bucket so that all new objects are encrypted when they are stored in the bucket. The objects can be encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS) (SSE-KMS).
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.
Remediation
From Console
- Open AW S3 console S3.
- In the buckets list, choose the Name of the bucket that you want.
- Go to Properties tab and choose Edit under Default encryption.
- Select Enable and either select
SSE-S3
orSSE-KMS
. - Click Save changes.
- Repeat for all the buckets in your AWS account lacking encryption.
From Command Line
Run either
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm": "AES256"}}]}'
or
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'
Note: The KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v140_2_1_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v140_2_1_1 --share
SQL
This control uses a named query:
s3_bucket_default_encryption_enabled