
πŸ›‘οΈ AWS S3 Bucket is not encrypted with a KMS key🟒

  • Contextual name: 🛡️ Bucket is not encrypted with a KMS key 🟢
  • ID: /ce/ca/aws/s3/bucket-encryption-with-kms
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description


This policy identifies AWS S3 buckets whose default encryption is not Server-Side Encryption with AWS Key Management Service (SSE-KMS or DSSE-KMS). Encrypting data at rest in S3 protects objects against unauthorized access to the underlying storage infrastructure; using KMS keys additionally puts key access under IAM and KMS key policies and makes every key use auditable.

When storing data in Amazon S3, you can choose from several mutually exclusive server-side encryption options, depending on how you manage encryption keys and the level of control you require.

  • Server-Side Encryption with Amazon S3 Managed Keys (SSE-S3)

    By default, all S3 buckets have encryption enabled using SSE-S3. Each object is encrypted with a unique key, which is itself encrypted with a root key that Amazon S3 rotates regularly. SSE-S3 uses 256-bit Advanced Encryption Standard (AES-256) for data protection.

  • Server-Side Encryption with AWS Key Management Service Keys (SSE-KMS)

    SSE-KMS integrates Amazon S3 with AWS KMS, providing greater control over encryption keys. You can use AWS-managed keys or create and manage customer-managed keys (CMKs). SSE-KMS enables fine-grained access control, centralized key management, key rotation, and detailed key usage auditing through AWS CloudTrail.
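The distinction above (SSE-S3 is the default and does not satisfy this policy; SSE-KMS and DSSE-KMS do) is what the check has to evaluate. The following is an added example, not Cloudaware's policy implementation: it classifies the `ServerSideEncryptionConfiguration` structure that the S3 `GetBucketEncryption` API returns, runs offline on constructed sample responses, and ends with a small boto3 driver (an assumption about how you would feed it live data; it needs credentials with `s3:ListAllMyBuckets` and `s3:GetEncryptionConfiguration`). The sample key ARN is a constructed placeholder.

```python
"""Classify S3 bucket default-encryption settings for the SSE-KMS policy.

Added example, not Cloudaware's policy code. The evaluator works on the
ServerSideEncryptionConfiguration dict returned by GetBucketEncryption so it
can be exercised offline; the boto3 wrapper at the end is only for live use.
"""
from typing import Any, Dict, List, Optional

# Algorithms that satisfy the policy: SSE-KMS and dual-layer SSE-KMS (DSSE-KMS).
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def evaluate_bucket_encryption(config: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Return a verdict dict for one bucket.

    `config` is the ServerSideEncryptionConfiguration dict, or None when
    GetBucketEncryption reported no configuration at all (the bucket then
    falls back to the S3 default, SSE-S3, which does not satisfy the policy).
    """
    verdict: Dict[str, Any] = {
        "compliant": False, "algorithm": None, "kms_key_id": None,
        "bucket_key_enabled": False, "reason": "",
    }
    if not config:
        verdict["reason"] = "no default encryption configuration (falls back to SSE-S3)"
        return verdict

    rules: List[Dict[str, Any]] = config.get("Rules", [])
    # S3 currently allows a single default-encryption rule, but iterate
    # defensively and use the first rule that declares a default.
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algorithm = default.get("SSEAlgorithm")
        verdict["algorithm"] = algorithm
        # KMSMasterKeyID is absent when aws:kms uses the AWS-managed aws/s3 key.
        verdict["kms_key_id"] = default.get("KMSMasterKeyID")
        verdict["bucket_key_enabled"] = bool(rule.get("BucketKeyEnabled", False))
        if algorithm in KMS_ALGORITHMS:
            verdict["compliant"] = True
            verdict["reason"] = f"default encryption uses {algorithm}"
        else:
            verdict["reason"] = f"default encryption uses {algorithm}, not SSE-KMS/DSSE-KMS"
        return verdict

    verdict["reason"] = "encryption configuration has no default-encryption rule"
    return verdict


def audit_buckets_with_boto3(region_name: Optional[str] = None) -> Dict[str, Dict[str, Any]]:
    """Evaluate every bucket in the account (requires boto3 and AWS credentials)."""
    import boto3  # lazy import keeps the offline evaluator dependency-free
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=region_name)
    results: Dict[str, Dict[str, Any]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            config = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
        except ClientError as err:
            # Older buckets may still report no configuration at all.
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            config = None
        results[name] = evaluate_bucket_encryption(config)
    return results


# Constructed sample GetBucketEncryption responses (not from a real account).
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_CONFIGS: Dict[str, Optional[Dict[str, Any]]] = {
    "sse-s3-only": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                               "BucketKeyEnabled": False}]},
    "sse-kms-cmk": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                                       "KMSMasterKeyID": SAMPLE_KEY_ARN},
                               "BucketKeyEnabled": True}]},
    "dsse-kms": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms:dsse",
                                                                    "KMSMasterKeyID": SAMPLE_KEY_ARN}}]},
    "kms-aws-managed-key": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "no-config": None,
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        v = evaluate_bucket_encryption(cfg)
        print(f"{name:22s} compliant={v['compliant']!s:5s} {v['reason']}")
```

The `kms-aws-managed-key` sample passes the policy as written (the algorithm is `aws:kms`), but the verdict also surfaces a missing `kms_key_id`, which tells you the bucket uses the AWS-managed `aws/s3` key rather than a customer-managed key whose policy and rotation you control.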

... see more

Remediation


Enable Server-Side Encryption with AWS KMS Keys

From Command Line

To enable server-side encryption with AWS Key Management Service (SSE-KMS or DSSE-KMS) on an AWS S3 bucket, run the following command:

aws s3api put-bucket-encryption \
  --bucket {{bucket-name}} \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "{{aws:kms | aws:kms:dsse}}",
          "KMSMasterKeyID": "{{kms-key-arn}}"
        },
        "BucketKeyEnabled": true
      }
    ]
  }'

This command enables KMS-based encryption for all new objects uploaded to the specified bucket.

Existing objects are not re-encrypted by this change. You can switch an existing object to SSE-KMS by copying it onto itself, which requires the copy source and the target encryption settings:

aws s3api copy-object \
  --bucket {{bucket-name}} \
  --key {{object-key}} \
  --copy-source {{bucket-name}}/{{object-key}} \
  --server-side-encryption {{aws:kms | aws:kms:dsse}} \
  --ssekms-key-id {{kms-key-arn}}
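Running that copy by hand does not scale to a bucket with many objects, and it is easy to rewrite objects that are already under the right key. The following is an added example, not Cloudaware's remediation code: a pure parameter builder for the in-place `CopyObject` call, a `HeadObject`-based check that decides whether an object actually needs rewriting, and a boto3 driver (an assumption about how you would run it; it needs `s3:ListBucket`, `s3:GetObject`, `s3:PutObject` and `kms:GenerateDataKey`/`kms:Decrypt` on the target key). The driver defaults to a dry run that only counts.

```python
"""Re-encrypt existing S3 objects in place with SSE-KMS or DSSE-KMS.

Added example, not Cloudaware's remediation code. The helpers are pure so
they can be checked offline; only reencrypt_prefix_with_boto3 talks to AWS.
"""
from typing import Any, Dict, Optional

KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")


def copy_in_place_params(bucket: str, key: str, kms_key_arn: str,
                         algorithm: str = "aws:kms",
                         bucket_key_enabled: bool = True) -> Dict[str, Any]:
    """Build the CopyObject request that rewrites `key` onto itself under KMS.

    S3 only accepts a copy of an object onto itself when something about it
    changes; here the changed attribute is the encryption setting. User
    metadata is carried over unchanged (MetadataDirective=COPY).
    """
    if algorithm not in KMS_ALGORITHMS:
        raise ValueError(f"algorithm must be one of {KMS_ALGORITHMS}, got {algorithm!r}")
    if not kms_key_arn:
        raise ValueError("a KMS key ARN, key ID or alias is required")
    return {
        "Bucket": bucket,
        "Key": key,
        "CopySource": {"Bucket": bucket, "Key": key},
        "ServerSideEncryption": algorithm,
        "SSEKMSKeyId": kms_key_arn,
        "BucketKeyEnabled": bucket_key_enabled,
        "MetadataDirective": "COPY",
    }


def needs_reencryption(head: Dict[str, Any], kms_key_arn: Optional[str] = None) -> bool:
    """Decide from a HeadObject response whether an object should be rewritten.

    `head` is the dict returned by head_object. The ServerSideEncryption field
    is absent for unencrypted objects and "AES256" for SSE-S3; both need a
    rewrite. When kms_key_arn is given, KMS objects under a different key are
    flagged too.
    """
    algorithm = head.get("ServerSideEncryption")
    if algorithm not in KMS_ALGORITHMS:
        return True
    if kms_key_arn and head.get("SSEKMSKeyId") != kms_key_arn:
        return True
    return False


def reencrypt_prefix_with_boto3(bucket: str, kms_key_arn: str, prefix: str = "",
                                algorithm: str = "aws:kms", dry_run: bool = True) -> int:
    """Walk `prefix` and rewrite every object not already under the target key.

    Returns the number of objects that were (or, in dry-run mode, would be)
    rewritten. CopyObject handles objects up to 5 GB; larger ones need a
    multipart copy, which this example does not implement.
    """
    import boto3  # lazy import keeps the pure helpers dependency-free

    s3 = boto3.client("s3")
    rewritten = 0
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            if not needs_reencryption(head, kms_key_arn):
                continue
            params = copy_in_place_params(bucket, obj["Key"], kms_key_arn, algorithm)
            if not dry_run:
                s3.copy_object(**params)
            rewritten += 1
    return rewritten


if __name__ == "__main__":
    # Constructed placeholder values; not a real bucket or key.
    demo = copy_in_place_params("example-bucket", "reports/2024/q1.csv",
                                "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
    for k, v in demo.items():
        print(f"{k}: {v}")
```

Because the bucket default set with `put-bucket-encryption` only applies to new writes, run this once after changing the default and then again on any objects written by clients that set an explicit `x-amz-server-side-encryption: AES256` header; a bucket policy that denies such requests stops the drift from recurring.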

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Well-Architected → 💼 SEC08-BP02 Enforce encryption at rest14no data
💼 AWS Well-Architected → 💼 SEC08-BP03 Automate data at rest protection2no data
💼 Cloudaware Framework → 💼 Data Encryption54no data
💼 FedRAMP High Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)3812no data
💼 FedRAMP High Security Controls → 💼 CM-3(6) Cryptography Management (H)12no data
💼 FedRAMP High Security Controls → 💼 SC-7(10) Prevent Exfiltration (H)12no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)1632no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)1731no data
💼 FedRAMP High Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)520no data
💼 FedRAMP Low Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)11no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)32no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)131no data
💼 FedRAMP Low Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)20no data
💼 FedRAMP Moderate Security Controls → 💼 AU-9 Protection of Audit Information (L)(M)(H)111no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)32no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)131no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28(1) Cryptographic Protection (L)(M)(H)20no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected159no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected135no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected151no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-9 Protection of Audit Information726no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks31no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3(6) Configuration Change Control _ Cryptography Management12no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(10) Boundary Protection _ Prevent Exfiltration12no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(2) Cryptographic Key Establishment and Management _ Symmetric Keys14no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection421no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest31732no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection1020no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection19no data
💼 PCI DSS v3.2.1 → 💼 3.4 Render PAN unreadable anywhere it is stored.1713no data
💼 PCI DSS v4.0.1 → 💼 3.5.1 PAN is rendered unreadable anywhere it is stored.313no data
💼 PCI DSS v4.0 → 💼 3.5.1 PAN is rendered unreadable anywhere it is stored.313no data