
AWS S3 buckets do not have server side encryption

Description

Server-side encryption (SSE) helps prevent unauthorized access to data stored in S3 buckets. Encryption and decryption at the bucket level are transparent to users when they access the data.

Code Example

shell
aws s3api put-bucket-encryption \
  --bucket awsexamplebucket \
  --server-side-encryption-configuration \
  '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

Remediation

  • AWS Console

To enable default encryption using the AWS Console, follow these steps:

1. Log in to the AWS Management Console at https://console.aws.amazon.com/.

2. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

3. Select the name of the bucket that you want from the Bucket name list.

4. Select Properties.

5. Select Default encryption.

6. To use keys that are managed by Amazon S3 for default encryption, select AES-256, then select Save.

7. If you want to use CMKs that are stored in AWS KMS for default encryption, follow these steps:

   a. Select AWS-KMS.

   b. Select a customer-managed AWS KMS CMK that you have created, using one of these methods:
      - In the list that appears, select the AWS KMS CMK.
      - In the list that appears, select Custom KMS ARN, and then enter the Amazon Resource Name of the AWS KMS CMK.

   c. Click Save.

The steps above encrypt all new objects going forward. To encrypt all existing objects, follow the steps below. Note that re-encrypting an existing object appears as an object modification, which is logged if access logging is configured, and counts as a bucket write operation for billing purposes. Be mindful of applying these steps on large buckets.

8. Navigate to the bucket Overview tab.

9. Select the objects to encrypt.

10. From the Actions dropdown, select Change encryption.

11. Select the desired encryption method, then click Save.

12. The progress bar for the background job displays at the bottom of the screen.

  • CLI Command

To set encryption at the bucket level for all new objects, use the aws s3api put-bucket-encryption command shown in the Code Example above.

Rule Details

Field        Value
ID           IAC-0073
Severity     LOW
IaC Type     Cloudformation
Frameworks   CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID   CKV_AWS_19
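The condition this rule flags can also be caught before deployment by scanning the IaC template. The following is an added example (not Checkov's own implementation and not code from the page) that walks a constructed CloudFormation template and reports every AWS::S3::Bucket without a default server-side encryption rule; the template contents and bucket names are assumptions.

```python
import json

# Constructed sample CloudFormation template (not from the page): one bucket
# with no default encryption and one with SSE-S3 (AES256) enabled.
TEMPLATE = json.loads("""
{
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-logs"}
    },
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "example-data",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
          ]
        }
      }
    }
  }
}
""")

# SSE-S3 and SSE-KMS are the two algorithms a default-encryption rule may name.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}


def bucket_has_default_encryption(properties: dict) -> bool:
    """True if the bucket declares at least one default-encryption rule with an allowed algorithm."""
    config = properties.get("BucketEncryption", {})
    for rule in config.get("ServerSideEncryptionConfiguration", []):
        algo = rule.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ALLOWED_ALGORITHMS:
            return True
    return False


def find_unencrypted_buckets(template: dict) -> list:
    """Logical IDs of every AWS::S3::Bucket resource that lacks default SSE."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        if not bucket_has_default_encryption(resource.get("Properties", {})):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    for name in find_unencrypted_buckets(TEMPLATE):
        print(f"FAILED: {name} has no server-side default encryption")
```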

References