S3 Bucket Does Not Enforce Encryption at Rest
Overview
NOTE: Since January 2023, Amazon S3 applies server-side encryption with S3-managed keys (SSE-S3) to every new object in every bucket, so all buckets have bucket encryption enabled by default. S3 supports server-side encryption at the bucket and object level. Encryption of data at rest is a best practice that most security frameworks (HIPAA, PCI-DSS, etc.) require. It adds a layer of protection if the underlying storage infrastructure is compromised and is a technical safeguard against someone with physical access to the storage media reading your data. It does not by itself restrict principals who are already authorized to read the objects: with SSE-S3, any caller allowed s3:GetObject receives plaintext; with SSE-KMS the caller must also be allowed kms:Decrypt on the key, which gives a second authorization layer and a CloudTrail record of key use.
AWS encourages customers to use encryption and makes encrypting data in S3 relatively easy.
This assessor checks if a bucket is configured to encrypt newly created objects by default.
It is possible to configure an S3 bucket policy that denies PutObject requests that do not specify server-side encryption with the x-amz-server-side-encryption header.
This alternative is more complicated to maintain because every upload must explicitly specify how the object is to be encrypted.
This assessor does not evaluate bucket policies to identify if this alternative approach is in use.
A default encryption configuration can coexist with such a bucket policy (bucket policies are evaluated before default encryption is applied, so a policy that denies uploads without the header still rejects requests that omit it), so we recommend adding a default encryption configuration regardless.
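The following is an added example, not the assessor's own code. It implements the check described above (does the bucket have a default encryption configuration?), shows the bucket-policy alternative the assessor does not evaluate, and builds the remediation request. The evaluation functions work on plain dicts shaped like the responses of the S3 GetBucketEncryption and GetBucketPolicy APIs, so they run offline; only assess_bucket needs boto3 and credentials. The bucket name and KMS key ARN are hypothetical.

```python
"""Added example: evaluate S3 default encryption and the deny-without-header
bucket-policy alternative. Not code from the original page or from AWS."""
import json


def evaluate_default_encryption(encryption_response):
    """Return (compliant, detail) for a GetBucketEncryption response dict.

    Pass None when the API raised ServerSideEncryptionConfigurationNotFoundError,
    i.e. when the bucket has no default encryption configuration at all.
    """
    if encryption_response is None:
        return False, "no default encryption configuration"
    rules = (encryption_response.get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms", "aws:kms:dsse"):
            key = default.get("KMSMasterKeyID")
            return True, (f"{algo} (key {key})" if key else algo)
    return False, "no rule applies server-side encryption by default"


def policy_requires_sse_header(policy_document):
    """Return True if a Deny statement on s3:PutObject rejects requests that
    omit the x-amz-server-side-encryption header (the Null condition pattern).
    This is the alternative approach the assessor itself does not check."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        value = str(null_cond.get("s3:x-amz-server-side-encryption", "")).lower()
        if value == "true":
            return True
    return False


# Constructed sample policy using the hypothetical bucket name "example-bucket".
REQUIRE_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }],
}


def default_encryption_request(bucket, kms_key_id=None):
    """Build the keyword arguments for s3.put_bucket_encryption (the fix).
    SSE-KMS with a bucket key when a key is given, otherwise SSE-S3."""
    if kms_key_id:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        default = {"SSEAlgorithm": "AES256"}
    return {
        "Bucket": bucket,
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": default,
                       "BucketKeyEnabled": bool(kms_key_id)}]
        },
    }


def assess_bucket(bucket, s3=None):
    """Run the check against a real bucket; needs boto3 and AWS credentials."""
    import boto3
    import botocore.exceptions
    s3 = s3 or boto3.client("s3")
    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except botocore.exceptions.ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            resp = None  # bucket has never had default encryption configured
        else:
            raise
    return evaluate_default_encryption(resp)


if __name__ == "__main__":
    # Constructed GetBucketEncryption response for an SSE-S3 bucket.
    sample = {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
    print("default encryption:", evaluate_default_encryption(sample))
    print("no configuration:", evaluate_default_encryption(None))
    print("policy requires header:", policy_requires_sse_header(REQUIRE_SSE_POLICY))
    print(json.dumps(default_encryption_request(
        "example-bucket", "arn:aws:kms:us-east-1:123456789012:key/example"), indent=2))
```

To remediate a real bucket, pass the dict from default_encryption_request to `boto3.client("s3").put_bucket_encryption(**request)`; the bucket-policy check is only a detection aid, since a policy that requires the header does not by itself satisfy this assessor.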
Vendor
AWS
Cloud Service
S3
Related Controls
CIS AWS v1.5.0 2.1.1
References
https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-4
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources
Severity
1
Item Types
AWS::S3::Bucket