
πŸ›‘οΈ AWS S3 Bucket is not encrypted with a KMS key🟒

  • Contextual name: 🛡️ Bucket is not encrypted with a KMS key 🟢
  • ID: /ce/ca/aws/s3/bucket-encryption-with-kms
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description


This policy identifies AWS S3 Buckets that are not configured to use Server-Side Encryption with AWS Key Management Service (SSE-KMS or DSSE-KMS). Encrypting data at rest in S3 ensures protection against unauthorized access to the underlying storage infrastructure.

When storing data in Amazon S3, you can choose from several mutually exclusive server-side encryption options, depending on how you manage encryption keys and the level of control you require.

  • Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3)

    By default, all S3 buckets have encryption enabled using SSE-S3. Each object is encrypted with a unique key, which is itself encrypted with a root key that Amazon S3 rotates regularly. SSE-S3 uses 256-bit Advanced Encryption Standard (AES-256) for data protection.

  • Server-Side Encryption with AWS Key Management Service Keys (SSE-KMS)

    SSE-KMS integrates Amazon S3 with AWS KMS, providing greater control over encryption keys. You can use AWS-managed keys or create and manage customer-managed keys (CMKs). SSE-KMS enables fine-grained access control, centralized key management, key rotation, and detailed key usage auditing through AWS CloudTrail.

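The check itself, as an added example that is not Cloudaware's policy logic: it classifies the JSON that `aws s3api get-bucket-encryption` returns (the sample responses are constructed), treating only `aws:kms` and `aws:kms:dsse` defaults as compliant. `evaluate_live_bucket` is an assumed wrapper that needs boto3 and AWS credentials; the offline evaluation does not.

```python
"""Evaluate an S3 bucket's default encryption against the SSE-KMS policy.

Added example, not Cloudaware's policy code. It inspects the JSON shape that
`aws s3api get-bucket-encryption` returns; the sample responses are constructed.
"""
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def evaluate_encryption(config):
    """Classify one ServerSideEncryptionConfiguration dict (None = no config)."""
    if not config or not config.get("Rules"):
        return {"compliant": False, "reason": "no default encryption rule"}
    rule = config["Rules"][0]  # S3 allows exactly one rule per bucket
    sse = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = sse.get("SSEAlgorithm", "")
    if algo not in KMS_ALGORITHMS:  # AES256 (SSE-S3) or nothing set
        return {"compliant": False, "reason": "default algorithm is %s" % (algo or "unset")}
    return {
        "compliant": True,
        "algorithm": algo,
        # without KMSMasterKeyID, S3 falls back to the AWS managed key aws/s3
        "kms_key": sse.get("KMSMasterKeyID", "aws/s3 (AWS managed)"),
        "bucket_key_enabled": bool(rule.get("BucketKeyEnabled", False)),
    }


def evaluate_live_bucket(bucket, s3_client=None):
    """Fetch and evaluate a real bucket; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the offline evaluation needs no AWS SDK
    from botocore.exceptions import ClientError
    s3 = s3_client or boto3.client("s3")
    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return evaluate_encryption(None)  # bucket has no default encryption at all
        raise
    return evaluate_encryption(resp["ServerSideEncryptionConfiguration"])


# Constructed sample responses in the shape get-bucket-encryption returns.
SSE_S3_DEFAULT = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
SSE_KMS_CMK = {"Rules": [{"BucketKeyEnabled": True, "ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}}]}

if __name__ == "__main__":
    for name, cfg in (("sse-s3-bucket", SSE_S3_DEFAULT), ("sse-kms-bucket", SSE_KMS_CMK)):
        print(name, evaluate_encryption(cfg))
```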

Remediation


Enable Server-Side Encryption with AWS KMS Keys

From Command Line

To enable server-side encryption with AWS Key Management Service (SSE-KMS or DSSE-KMS) on an AWS S3 bucket, run the following command:

```bash
aws s3api put-bucket-encryption \
  --bucket {{bucket-name}} \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "{{aws:kms | aws:kms:dsse}}",
          "KMSMasterKeyID": "{{kms-key-arn}}"
        },
        "BucketKeyEnabled": true
      }
    ]
  }'
```

This command enables KMS-based encryption for all new objects uploaded to the specified bucket.

Existing objects are not re-encrypted by this change. To bring an existing object under SSE-KMS, copy it onto itself with the new encryption settings (the copy source is the object's own bucket and key):

```bash
aws s3api copy-object \
  --bucket {{bucket-name}} \
  --key {{object-key}} \
  --copy-source {{bucket-name}}/{{object-key}} \
  --server-side-encryption {{aws:kms | aws:kms:dsse}} \
  --ssekms-key-id {{kms-key-arn}} \
  --bucket-key-enabled
```
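Remediation at scale, as an added example that is neither Cloudaware's nor AWS's code: a Python loop that applies the in-place copy to every object in a bucket through a boto3-style client, skipping objects already under SSE-KMS and flagging objects over 5 GiB, which a single copy-object call cannot handle (they need a multipart copy). The bucket name, key ARN and client are assumptions supplied by the caller.

```python
"""Re-encrypt existing objects in place with SSE-KMS.

Added example, not Cloudaware's remediation code. It assumes a boto3-style S3
client (real or fake) and a KMS key ARN supplied by the caller, and mirrors
`aws s3api copy-object` with --copy-source pointing at the object itself.
"""
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}
MULTIPART_LIMIT = 5 * 1024 ** 3  # copy-object cannot copy objects larger than 5 GiB


def reencrypt_bucket(s3, bucket, kms_key_arn, algorithm="aws:kms"):
    """Copy every non-KMS object onto itself with SSE-KMS; return a summary."""
    summary = {"reencrypted": [], "skipped": [], "too_large": []}
    token = None
    while True:  # list_objects_v2 returns pages of at most 1000 keys
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            key = obj["Key"]
            head = s3.head_object(Bucket=bucket, Key=key)
            if head.get("ServerSideEncryption") in KMS_ALGORITHMS:
                summary["skipped"].append(key)  # already SSE-KMS, nothing to do
                continue
            if obj["Size"] > MULTIPART_LIMIT:
                summary["too_large"].append(key)  # needs a multipart copy instead
                continue
            s3.copy_object(
                Bucket=bucket, Key=key,
                CopySource={"Bucket": bucket, "Key": key},  # copy in place
                ServerSideEncryption=algorithm, SSEKMSKeyId=kms_key_arn,
                BucketKeyEnabled=True, MetadataDirective="COPY",
            )
            summary["reencrypted"].append(key)
        if not page.get("IsTruncated"):
            return summary
        token = page["NextContinuationToken"]


if __name__ == "__main__":
    import boto3, sys  # real run (assumption): python script.py <bucket> <kms-key-arn>
    print(reencrypt_bucket(boto3.client("s3"), sys.argv[1], sys.argv[2]))
```

On a versioned bucket each copy creates a new object version; the caller needs kms:GenerateDataKey on the target key and, for objects already encrypted under another KMS key, kms:Decrypt on that key.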

... [see more](remediation.md)

policy.yaml


Linked Framework Sections

| Framework | Section | Counts (Sub Sections, Internal Rules, Policies, Flags; digits run together in extraction) | Compliance |
|---|---|---|---|
| 💼 AWS Well-Architected | 💼 SEC08-BP02 Enforce encryption at rest | 20 | no data |
| 💼 AWS Well-Architected | 💼 SEC08-BP03 Automate data at rest protection | 2 | no data |
| 💼 Cloudaware Framework | 💼 Data Encryption | 70 | no data |
| 💼 FedRAMP High Security Controls | 💼 AU-9 Protection of Audit Information (L)(M)(H) | 3812 | no data |
| 💼 FedRAMP High Security Controls | 💼 CM-3(6) Cryptography Management (H) | 17 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-7(10) Prevent Exfiltration (H) | 18 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-13 Cryptographic Protection (L)(M)(H) | 1643 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 1736 | no data |
| 💼 FedRAMP High Security Controls | 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 525 | no data |
| 💼 FedRAMP Low Security Controls | 💼 AU-9 Protection of Audit Information (L)(M)(H) | 11 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SC-13 Cryptographic Protection (L)(M)(H) | 43 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 136 | no data |
| 💼 FedRAMP Low Security Controls | 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 25 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 AU-9 Protection of Audit Information (L)(M)(H) | 111 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SC-13 Cryptographic Protection (L)(M)(H) | 43 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SC-28 Protection of Information at Rest (L)(M)(H) | 136 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 SC-28(1) Cryptographic Protection (L)(M)(H) | 25 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 187 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 160 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 184 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AU-9 Protection of Audit Information | 728 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 CM-3(6) Configuration Change Control _ Cryptography Management | 17 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration | 18 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys | 14 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-13 Cryptographic Protection | 432 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-28 Protection of Information at Rest | 31737 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection | 1025 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection | 27 | no data |
| 💼 PCI DSS v3.2.1 | 💼 3.4 Render PAN unreadable anywhere it is stored. | 1713 | no data |
| 💼 PCI DSS v4.0.1 | 💼 3.5.1 PAN is rendered unreadable anywhere it is stored. | 313 | no data |
| 💼 PCI DSS v4.0 | 💼 3.5.1 PAN is rendered unreadable anywhere it is stored. | 313 | no data |