
Enable S3 Bucket Keys

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: S3-028

Ensure that your Amazon S3 buckets are configured with bucket keys in order to reduce the request costs of Amazon S3 Server-Side Encryption with AWS Key Management Service (SSE-KMS) by up to 99%. A bucket key decreases the request traffic from Amazon S3 to AWS KMS without requiring any changes to your client applications. By default, S3 Bucket Keys are not enabled.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

Amazon S3 can encrypt and decrypt your S3 objects using AWS KMS keys (SSE-KMS). Without a bucket key, Amazon S3 requests a unique data key from AWS KMS for every object it writes and calls KMS again to decrypt that data key on every read, so applications that access millions or billions of SSE-KMS objects generate equally large request volumes (and request charges) against AWS Key Management Service. With the S3 Bucket Keys feature, AWS KMS instead generates a bucket-level key, and Amazon S3 uses that bucket key to derive the unique data keys for the objects in the bucket, so most encryption operations complete without an additional KMS request. The result is a large reduction in request traffic from Amazon S3 to KMS, which lets you access the encrypted objects within your S3 buckets at a fraction of the previous cost.

Note: The S3 Bucket Key feature can be enabled only for Amazon S3 buckets whose default encryption is Server-Side Encryption with AWS KMS keys (SSE-KMS). Enabling it also changes what KMS sees: the encryption context that S3 sends to KMS becomes the bucket ARN (arn:aws:s3:::bucket-name) instead of the object ARN (arn:aws:s3:::bucket-name/object-key), so any KMS key policy or IAM policy that uses a kms:EncryptionContext:aws:s3:arn condition on object ARNs must be updated to the bucket ARN before you enable the feature, otherwise S3 requests to that bucket fail with KMS access errors. Because far fewer KMS requests are made, CloudTrail also records far fewer KMS events per bucket than before; adjust any detection logic that relies on per-object KMS activity accordingly.


Audit

To determine if bucket keys are enabled for your Amazon S3 buckets, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://s3.console.aws.amazon.com/s3.

03 Click on the name (link) of the S3 bucket that you want to examine to access the S3 resource configuration.

04 Select the Properties tab, locate the Default encryption section, and check the Bucket Key attribute status. If the Bucket Key attribute is not listed in the Default encryption section, the Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) is not enabled for the selected S3 bucket. If the Bucket Key attribute is set to Disabled, the S3 Bucket Key feature is not currently enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 for each Amazon S3 bucket that you want to examine, available in your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon S3 buckets available within your cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return the name(s) of your Amazon S3 bucket(s):

[
    "cc-prod-log-bucket",
    "cc-prod-api-bucket"
]

03 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the S3 Bucket Key feature status for the selected bucket. The multiselect hash in the query keeps a result even when the BucketKeyEnabled attribute is absent from a configuration written before the feature existed; a bare .BucketKeyEnabled projection would silently drop such a rule and make an SSE-KMS bucket look like a non-KMS one:

aws s3api get-bucket-encryption \
  --bucket cc-prod-log-bucket \
  --query 'ServerSideEncryptionConfiguration.Rules[?ApplyServerSideEncryptionByDefault.SSEAlgorithm==`aws:kms`].{BucketKeyEnabled: BucketKeyEnabled}'

04 The command output should return the requested feature status (true for enabled; false or null for disabled). If the command output returns an empty array (i.e. []), the bucket has default encryption but the algorithm is not aws:kms (for example AES256, i.e. SSE-S3); if it returns an error (ServerSideEncryptionConfigurationNotFoundError: The server side encryption configuration was not found), the bucket has no default encryption at all. In both cases Server-Side Encryption with AWS KMS keys (SSE-KMS) is not enabled for the selected S3 bucket:

[
    {
        "BucketKeyEnabled": false
    }
]

If the get-bucket-encryption command output returns false (or null), as shown in the example above, the S3 Bucket Key feature is not enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 for each Amazon S3 bucket that you want to examine, created within your AWS cloud account.
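The CLI audit above is one bucket at a time and leaves two cases to the reader: an SSE-KMS rule written before the feature existed (no BucketKeyEnabled attribute at all) and a bucket with no default encryption (the API raises ServerSideEncryptionConfigurationNotFoundError). The following script is an added example, not code from the original Conformity page; it applies the same decision logic as audit steps 01 to 04 to the documents that get-bucket-encryption returns, over a constructed set of sample responses so it runs offline. The bucket names and responses are made up for illustration; audit_account() is the live path and assumes boto3 is installed and AWS credentials are configured.

```python
"""Offline audit of the S3 Bucket Key status of a set of buckets (added example)."""
from typing import Callable, Dict, Iterable, Optional

# Error code GetBucketEncryption returns when a bucket has no default encryption.
SSE_NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"

# Audit statuses; only SSE_KMS_NO_BUCKET_KEY is what rule S3-028 flags.
NO_DEFAULT_ENCRYPTION = "NO_DEFAULT_ENCRYPTION"
SSE_S3 = "SSE_S3"
SSE_KMS_NO_BUCKET_KEY = "SSE_KMS_NO_BUCKET_KEY"
SSE_KMS_BUCKET_KEY = "SSE_KMS_BUCKET_KEY"


def classify_encryption(config: Optional[dict]) -> str:
    """Map a ServerSideEncryptionConfiguration document to an audit status.

    `config` is the "ServerSideEncryptionConfiguration" value of the API
    response, or None when the API reported that none exists.
    """
    if not config or not config.get("Rules"):
        return NO_DEFAULT_ENCRYPTION
    for rule in config["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            # BucketKeyEnabled sits beside ApplyServerSideEncryptionByDefault;
            # an absent attribute means the bucket key is not enabled.
            if rule.get("BucketKeyEnabled") is True:
                return SSE_KMS_BUCKET_KEY
            return SSE_KMS_NO_BUCKET_KEY
    return SSE_S3


def audit_buckets(bucket_names: Iterable[str],
                  get_encryption: Callable[[str], dict]) -> Dict[str, str]:
    """Classify every bucket, treating the not-found error as 'no default encryption'."""
    results: Dict[str, str] = {}
    for name in bucket_names:
        try:
            config = get_encryption(name).get("ServerSideEncryptionConfiguration")
        except Exception as exc:
            # botocore.exceptions.ClientError carries the code in exc.response;
            # the string check also covers a CLI-style error message.
            code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
            if code != SSE_NOT_FOUND and SSE_NOT_FOUND not in str(exc):
                raise
            config = None
        results[name] = classify_encryption(config)
    return results


def noncompliant(results: Dict[str, str]) -> list:
    """Bucket names rule S3-028 would report: SSE-KMS default without a bucket key."""
    return sorted(n for n, s in results.items() if s == SSE_KMS_NO_BUCKET_KEY)


# --- Constructed sample data (not real account data) -----------------------
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"


def _kms_rule(**extra: object) -> dict:
    rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": KMS_KEY}}
    rule.update(extra)
    return rule


SAMPLE_RESPONSES = {
    # SSE-KMS configured before bucket keys existed: attribute absent.
    "cc-prod-log-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [_kms_rule()]}},
    "cc-prod-api-bucket": {"ServerSideEncryptionConfiguration":
                           {"Rules": [_kms_rule(BucketKeyEnabled=True)]}},
    "cc-prod-static-bucket": {"ServerSideEncryptionConfiguration":
                              {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                          {"SSEAlgorithm": "AES256"}}]}},
    # "cc-prod-legacy-bucket" is deliberately missing: no default encryption.
}


class _NotFoundError(Exception):
    """Stand-in for a botocore ClientError carrying the not-found code."""
    def __init__(self) -> None:
        super().__init__(SSE_NOT_FOUND)
        self.response = {"Error": {"Code": SSE_NOT_FOUND}}


def sample_get_encryption(bucket: str) -> dict:
    """Offline replacement for s3.get_bucket_encryption(Bucket=bucket)."""
    if bucket not in SAMPLE_RESPONSES:
        raise _NotFoundError()
    return SAMPLE_RESPONSES[bucket]


def audit_account() -> Dict[str, str]:
    """Live variant: list every bucket in the account and classify it (needs boto3)."""
    import boto3  # assumption: boto3 installed and credentials configured
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return audit_buckets(names, lambda n: s3.get_bucket_encryption(Bucket=n))


if __name__ == "__main__":
    report = audit_buckets(list(SAMPLE_RESPONSES) + ["cc-prod-legacy-bucket"],
                           sample_get_encryption)
    for bucket, status in sorted(report.items()):
        print(f"{bucket}: {status}")
    print("non-compliant:", noncompliant(report))
```

Run against the sample data, only cc-prod-log-bucket is reported as non-compliant: the static bucket is SSE-S3 and the legacy bucket has no default encryption, so neither can have a bucket key until SSE-KMS is configured, and the API bucket already has the feature enabled.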

Remediation / Resolution

To enable bucket keys for your existing Amazon S3 buckets, perform the following operations. The CloudFormation and Terraform templates below declare the bucket as a managed resource; to apply them to a bucket that already exists, import it into the stack or state first, because creating a new resource with an existing bucket name fails:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3 Bucket Key",
  "Resources": {
    "EncryptedS3Bucket": {
      "Properties": {
        "BucketName": "cc-prod-log-bucket",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
              },
              "BucketKeyEnabled": true
            }
          ]
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3 Bucket Key
Resources:
  EncryptedS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-prod-log-bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd
            BucketKeyEnabled: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf). The inline server_side_encryption_configuration block shown here is the AWS provider 3.x form; with provider 4.x and later, declare the same settings with the separate aws_s3_bucket_server_side_encryption_configuration resource:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket" "encrypted-bucket" {
  bucket = "cc-prod-log-bucket"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
        sse_algorithm = "aws:kms"
      }
      bucket_key_enabled = true
    }
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://s3.console.aws.amazon.com/s3.

03 Click on the name (link) of the S3 bucket that you want to reconfigure.

04 Select the Properties tab from the console top menu, then choose Edit within the Default encryption section.

05 On the Edit default encryption configuration page, select Enable under Bucket Key to configure the selected Amazon S3 bucket to use an S3 bucket key for Server-Side Encryption with AWS KMS keys (SSE-KMS). Choose Save changes to apply the configuration changes. Once enabled, the S3 Bucket Key feature is applied to new objects in the selected bucket. Existing S3 objects are not affected; to bring them under the bucket key, re-encrypt them by copying them in place, for example with an S3 Batch Operations Copy job.

06 Repeat steps no. 3 – 5 to configure bucket keys for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to describe the default Server-Side Encryption (SSE) configuration available for the selected S3 bucket:

aws s3api get-bucket-encryption \
  --bucket cc-prod-log-bucket \
  --query 'ServerSideEncryptionConfiguration'

02 The command output should return the requested configuration information:

{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
            }
        }
    ]
}

03 Run put-bucket-encryption command (OSX/Linux/UNIX) using the Server-Side Encryption (SSE) configuration returned at the previous step, with "BucketKeyEnabled": true added to the rule, as the value for the --server-side-encryption-configuration parameter, to enable the S3 Bucket Key feature for the selected Amazon S3 bucket. PutBucketEncryption replaces the whole default encryption configuration, so carry over the existing SSEAlgorithm and KMSMasterKeyID exactly; a partial document would silently switch the bucket away from your customer managed key (the command does not produce an output):

aws s3api put-bucket-encryption --bucket cc-prod-log-bucket --server-side-encryption-configuration '{
    "Rules": [
        {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
            },
            "BucketKeyEnabled": true
        }
    ]
}'

04 Repeat steps no. 1 – 3 to configure bucket keys for other Amazon S3 buckets provisioned within your AWS cloud account.
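Because PutBucketEncryption replaces the entire configuration, the safe way to script steps 01 to 03 for many buckets is to read the current document, set BucketKeyEnabled on each aws:kms rule without touching the key ID, and write the complete document back. The script below is an added example, not code from the original Conformity page or an AWS tool. The transformation is a pure function so it can be checked offline against the constructed FakeS3 stand-in; apply_bucket_key() called without an injected client assumes boto3 is installed and AWS credentials are configured. The bucket name and KMS key ARN are the page's placeholders, not real resources.

```python
"""Enable the S3 Bucket Key on an existing SSE-KMS default-encryption rule (added example)."""
import copy
import json
from typing import Any, List, Tuple


class NotKmsEncrypted(Exception):
    """The bucket has no SSE-KMS rule; a bucket key cannot be enabled on it."""


def with_bucket_key(config: dict) -> dict:
    """Return a copy of the configuration with BucketKeyEnabled=True on every aws:kms rule.

    SSEAlgorithm and KMSMasterKeyID are left exactly as found, so the document can
    be handed to PutBucketEncryption (which replaces the whole configuration).
    """
    desired = copy.deepcopy(config)
    kms_rules = 0
    for rule in desired.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            rule["BucketKeyEnabled"] = True
            kms_rules += 1
    if kms_rules == 0:
        raise NotKmsEncrypted("default encryption is not SSE-KMS; enable SSE-KMS first")
    return desired


def put_bucket_encryption_command(bucket: str, config: dict) -> str:
    """The equivalent `aws s3api put-bucket-encryption` invocation, for review or change tickets."""
    return ("aws s3api put-bucket-encryption --bucket {} "
            "--server-side-encryption-configuration '{}'").format(
                bucket, json.dumps(config, separators=(",", ":")))


def apply_bucket_key(bucket: str, s3: Any = None, dry_run: bool = False) -> bool:
    """Enable the bucket key on `bucket`; return True when a change is written (or would be)."""
    if s3 is None:
        import boto3  # assumption: boto3 installed and AWS credentials configured
        s3 = boto3.client("s3")
    current = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]
    desired = with_bucket_key(current)
    if desired == current:
        return False  # already enabled: idempotent, nothing written
    if not dry_run:
        s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=desired)
    return True


# --- Constructed offline stand-in for the boto3 S3 client -------------------
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"


class FakeS3:
    """Holds one bucket's configuration and records every PutBucketEncryption call."""
    def __init__(self, config: dict) -> None:
        self.config = config
        self.puts: List[Tuple[str, dict]] = []

    def get_bucket_encryption(self, Bucket: str) -> dict:
        return {"ServerSideEncryptionConfiguration": copy.deepcopy(self.config)}

    def put_bucket_encryption(self, Bucket: str, ServerSideEncryptionConfiguration: dict) -> None:
        self.puts.append((Bucket, ServerSideEncryptionConfiguration))
        self.config = ServerSideEncryptionConfiguration


def sample_kms_config() -> dict:
    """The configuration shown in CLI step 02 above: SSE-KMS, no bucket key yet."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault":
                       {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY}}]}


if __name__ == "__main__":
    fake = FakeS3(sample_kms_config())
    print(put_bucket_encryption_command("cc-prod-log-bucket", with_bucket_key(fake.config)))
    print("changed:", apply_bucket_key("cc-prod-log-bucket", s3=fake))        # True
    print("changed again:", apply_bucket_key("cc-prod-log-bucket", s3=fake))  # False
```

The second call returns False because the configuration already matches the desired state, so the script can be re-run across an account without issuing redundant writes; a bucket whose default algorithm is AES256 raises NotKmsEncrypted instead of being silently rewritten to KMS with a key it was never meant to use.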


Publication date Jan 8, 2021