Ensure that your AWS S3 buckets are configured to use Server-Side Encryption with customer managed CMKs (SSE-KMS) instead of S3-Managed Keys (SSE-S3) in order to obtain fine-grained control over the Amazon S3 data-at-rest encryption and decryption process. Once default server-side encryption is configured to use a customer managed CMK, Amazon S3 automatically encrypts every new object with the specified KMS CMK; objects that already exist in the bucket keep their previous encryption and are not re-encrypted.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using Server-Side Encryption with customer managed CMKs allows you to set your own encryption keys, so you have full control over who can use these keys to access your Amazon S3 data. AWS Key Management Service (KMS) allows you to rotate, disable and audit the Customer Master Keys (CMKs) configured for your Amazon S3 buckets, and every use of a key is recorded in AWS CloudTrail.
To determine the encryption status and configuration for your AWS S3 buckets, perform the following actions:
Remediation / Resolution
To encrypt objects using customer-provided AWS KMS CMKs, perform the following:
Case A: To configure your Amazon S3 buckets to encrypt objects with existing customer-provided AWS KMS CMKs, perform the following actions:
Case B: To configure your Amazon S3 buckets to encrypt objects with a new customer-provided AWS KMS CMK, perform the following actions:
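The audit and remediation steps above both come down to one setting: the bucket's default encryption rule. The following script is an added example (not Cloud Conformity's own code) that implements the check this rule performs and builds the configuration the remediation applies. It operates on the JSON document `aws s3api get-bucket-encryption` returns, so it runs offline on constructed sample input; because a `KMSMasterKeyID` alone does not tell you whether a key is customer managed, key ownership is resolved through a caller-supplied lookup that in a real run would wrap `kms:DescribeKey` and return `KeyMetadata.KeyManager`. The bucket names, key ARNs and the `SAMPLE_KEY_MANAGER` table are all constructed for the example.

```python
"""Audit S3 default encryption for SSE-KMS with a customer managed CMK.

Added example, not Cloud Conformity's code. Input is the structure returned by
GetBucketEncryption (None when the bucket has no configuration); key ownership
comes from a lookup that would normally wrap kms:DescribeKey.
"""
import json
from typing import Callable, Dict, List, Optional

# Alias of the AWS managed key S3 uses when SSE-KMS is requested without an
# explicit key. It is owned by AWS, so it does not satisfy this rule.
AWS_MANAGED_S3_ALIAS = "alias/aws/s3"


def key_ref_is_aws_managed_alias(key_ref: str) -> bool:
    """True when KMSMasterKeyID names the aws/s3 alias, bare or as an ARN."""
    return key_ref == AWS_MANAGED_S3_ALIAS or key_ref.endswith(":" + AWS_MANAGED_S3_ALIAS)


def classify_default_encryption(config: Optional[dict],
                                key_manager_of: Callable[[str], str]) -> str:
    """Return NONE, SSE-S3, SSE-KMS-AWS-MANAGED or SSE-KMS-CUSTOMER-MANAGED.

    key_manager_of(key_ref) returns the KeyManager value KMS reports for the
    key ("AWS" or "CUSTOMER"); anything else is treated as non-compliant.
    """
    if not config:
        return "NONE"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algorithm = default.get("SSEAlgorithm")
        if algorithm == "AES256":
            return "SSE-S3"
        if algorithm in ("aws:kms", "aws:kms:dsse"):  # SSE-KMS or DSSE-KMS
            key_ref = default.get("KMSMasterKeyID")
            # No key ID, or the aws/s3 alias, means the AWS managed key.
            if not key_ref or key_ref_is_aws_managed_alias(key_ref):
                return "SSE-KMS-AWS-MANAGED"
            if key_manager_of(key_ref) == "CUSTOMER":
                return "SSE-KMS-CUSTOMER-MANAGED"
            return "SSE-KMS-AWS-MANAGED"
    return "NONE"


def audit_buckets(configs: Dict[str, Optional[dict]],
                  key_manager_of: Callable[[str], str]) -> List[dict]:
    """One finding per bucket; non-compliant buckets carry the rule's risk level."""
    findings = []
    for bucket, config in configs.items():
        status = classify_default_encryption(config, key_manager_of)
        compliant = status == "SSE-KMS-CUSTOMER-MANAGED"
        findings.append({"bucket": bucket, "encryption": status,
                         "compliant": compliant,
                         "risk": None if compliant else "Medium"})
    return findings


def remediation_config(cmk_arn: str) -> dict:
    """PutBucketEncryption body (--server-side-encryption-configuration) that
    makes every new object default to SSE-KMS with the given customer CMK."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": cmk_arn,
        },
        # Optional: cuts KMS request volume without weakening the control.
        "BucketKeyEnabled": True,
    }]}


# Constructed sample data (hypothetical account, buckets and keys).
CUSTOMER_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
AWS_KEY = "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"
SAMPLE_KEY_MANAGER = {CUSTOMER_KEY: "CUSTOMER", AWS_KEY: "AWS"}


def sample_key_manager(key_ref: str) -> str:
    # Stand-in for kms:DescribeKey; unknown keys fail closed.
    return SAMPLE_KEY_MANAGER.get(key_ref, "UNKNOWN")


def _rule(algorithm: str, key_ref: Optional[str] = None) -> dict:
    default = {"SSEAlgorithm": algorithm}
    if key_ref:
        default["KMSMasterKeyID"] = key_ref
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}


SAMPLE_CONFIGS: Dict[str, Optional[dict]] = {
    "legacy-logs": None,                          # no default encryption set
    "sse-s3-bucket": _rule("AES256"),             # SSE-S3
    "kms-no-key": _rule("aws:kms"),               # SSE-KMS with aws/s3 key
    "kms-by-alias": _rule("aws:kms", "alias/aws/s3"),
    "kms-aws-key-arn": _rule("aws:kms", AWS_KEY),
    "kms-customer-key": _rule("aws:kms", CUSTOMER_KEY),
}

if __name__ == "__main__":
    for finding in audit_buckets(SAMPLE_CONFIGS, sample_key_manager):
        print(json.dumps(finding))
    print(json.dumps(remediation_config(CUSTOMER_KEY), indent=2))
```

Only `kms-customer-key` passes; a bare `aws:kms` rule, the `alias/aws/s3` alias and an ARN of an AWS managed key all fall back to the AWS managed key and are reported at the rule's Medium risk level. In a real account, `remediation_config(...)` is the document you pass to `aws s3api put-bucket-encryption`, after confirming that the CMK's key policy grants the bucket's users `kms:Decrypt` and `kms:GenerateDataKey`.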
- AWS Documentation
- Amazon S3 Frequently Asked Questions
- Protecting Data in Amazon S3
- Protecting Data Using Encryption
- Protecting Data Using Server-Side Encryption
- Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C)
You are auditing:
S3 Buckets Encrypted with Customer-Provided CMKs
Risk level: Medium