Status: Deprecated
S3 encryption is now covered by rule S3-016: Server Side Encryption.
Ensure that your Amazon S3 buckets are protecting their sensitive content by enabling encryption at rest. With encryption at rest enabled, the Amazon S3 service can encrypt and decrypt your S3 objects using either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When dealing with sensitive or mission-critical data, it is strongly recommended that you enable encryption at rest in order to protect your S3 data from attackers or unauthorized personnel. Encryption at rest can be implemented at the bucket level (S3 Default Encryption) and object level (Server-Side Encryption). S3 Default Encryption provides a way to set the default encryption behavior for an S3 bucket. Once S3 Default Encryption is enabled for a bucket, all new objects are automatically encrypted when they are uploaded to that bucket. Server-Side Encryption (SSE) is the encryption of S3 data at its destination by the application or service that receives it. Amazon S3 encrypts your data at the object level as it writes it to the S3 service disks and decrypts it for you when you access it.
Audit
Case A: To determine if S3 Default Encryption is enabled for your Amazon S3 buckets, perform the following operations:
Case B: To determine if your Amazon S3 buckets are configured to enforce Server-Side Encryption (SSE) via bucket policies, perform the following actions:
Remediation / Resolution
Case A: To enable S3 Default Encryption for your existing Amazon S3 buckets, perform the following operations:
To enable S3 Default Encryption for your existing Amazon S3 buckets, use one of the following sets of templates, based on your requirements:
1. Enable Default Encryption using the Amazon S3 key (SSE-S3):
2. Enable Default Encryption using the Amazon KMS managed key (SSE-KMS):
Case B: To enforce Server-Side Encryption (SSE) for your existing Amazon S3 buckets via bucket policies, perform the following actions:
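A compliance check covering both audit cases (Case A, S3 Default Encryption, and Case B, SSE enforced by bucket policy), added here as an example and not the Conformity tool's or the rule page's own code: it evaluates constructed responses in the shape returned by the get-bucket-encryption and get-bucket-policy commands, with a placeholder bucket name and KMS key ARN, so it runs offline.

```python
# Constructed sample responses shaped like the JSON that `aws s3api get-bucket-encryption`
# and `aws s3api get-bucket-policy` return; bucket name and KMS key ARN are placeholders.
ENCRYPTION_SSE_KMS = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}}]}}

POLICY_DENY_UNENCRYPTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringNotEquals": {
            "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}}]}

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def default_encryption_algorithm(encryption_response):
    """Case A: return the bucket's default SSE algorithm ('AES256' for SSE-S3 or
    'aws:kms' for SSE-KMS), or None when no default encryption rule is set.
    Pass None for buckets where get-bucket-encryption reports no configuration."""
    cfg = (encryption_response or {}).get("ServerSideEncryptionConfiguration", {})
    for rule in cfg.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return algo
    return None

def policy_enforces_sse(policy):
    """Case B: True when a Deny statement rejects s3:PutObject requests whose
    x-amz-server-side-encryption header is absent or not an accepted algorithm."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        # Two common patterns: StringNotEquals on the header value, or Null (header absent).
        header = "s3:x-amz-server-side-encryption"
        not_equals = cond.get("StringNotEquals", {}).get(header)
        is_null = cond.get("Null", {}).get(header)
        if not_equals is not None or str(is_null).lower() == "true":
            return True
    return False
```

A bucket passes this rule when either check succeeds; an Allow statement with the same condition does not enforce anything, so only Deny statements count.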
References
- AWS Documentation
  - General S3 FAQs
  - Protecting data using encryption
  - Protecting data using server-side encryption
  - Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
  - Identity and access management in Amazon S3
  - Setting default server-side encryption behavior for Amazon S3 buckets
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - list-buckets
    - get-bucket-encryption
    - get-bucket-policy
    - put-bucket-encryption
    - put-bucket-policy