Ensure that default encryption is enabled at the bucket level to automatically encrypt all objects when stored in Amazon S3. The S3 objects are encrypted during the upload process using Server-Side Encryption with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
S3 default encryption will enable Amazon to encrypt your S3 data at the bucket level instead of object level in order to protect it from attackers or unauthorized personnel. Without S3 default encryption, to encrypt all objects stored in a bucket, you must include encryption information (i.e. "x-amz-server-side-encryption" header) with every object storage request, as described by the Server Side Encryption (SSE) conformity rule. Also, to encrypt S3 objects without default encryption, you must set up a bucket policy to deny storage requests that don`t include the encryption information.
To determine if your Amazon S3 buckets have Default Encryption feature enabled, perform the following:
Remediation / Resolution
To enable default encryption for your existing Amazon S3 buckets, perform the following:
- AWS Documentation
- Amazon Simple Storage Service (S3) FAQs
- Amazon S3 Default Encryption for S3 Buckets
- Protecting Data Using Server-Side Encryption
- Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
S3 Bucket Default Encryption
Risk level: High