More Info:

S3 buckets should have default encryption (SSE) enabled, or use a bucket policy to enforce it. With default encryption, Amazon S3 applies server-side encryption at rest to every new object written to the bucket automatically, so protection no longer depends on each upload requesting encryption object by object; this reduces the exposure of stored data to attackers or unauthorized personnel.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP, NIST, AWSWAF, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Follow these step-by-step instructions to remediate the misconfiguration of S3 buckets not having default encryption enabled in AWS:

  1. Log in to the AWS Management Console.
  2. Go to the S3 service dashboard.
  3. Click on the bucket for which you want to enable default encryption.
  4. Click on the “Properties” tab.
  5. Scroll down to the “Default encryption” section and click on “Edit”.
  6. Select “AES-256” or “AWS-KMS” as the default encryption option.
  7. If you choose “AWS-KMS”, select the KMS key that you want to use for encryption.
  8. Click on the “Save” button to save the changes.

After following these steps, the S3 bucket will have default encryption enabled, and all objects stored in the bucket will be encrypted with the selected encryption option.
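The same remediation can be applied and audited programmatically. The block below is an added example, not code from the original page: it builds the encryption configuration that console steps 6 and 7 correspond to, evaluates the API's `get_bucket_encryption` response the way a compliance check would, and produces the bucket-policy alternative mentioned under More Info. It uses the real boto3 `put_bucket_encryption`, `get_bucket_encryption` and `put_bucket_policy` calls; the bucket name, KMS key ARN and sample responses are constructed placeholders.

```python
"""Added example (not from the original page): apply and audit S3 default
encryption with boto3, the programmatic equivalent of console steps 1-8,
plus the bucket-policy enforcement the page mentions.  Bucket names, key
ARNs and sample API responses here are constructed placeholders."""
import json
from typing import Optional, Tuple

# SSEAlgorithm values accepted by S3: SSE-S3 ("AES256") and SSE-KMS ("aws:kms")
ALLOWED_ALGORITHMS = ("AES256", "aws:kms")


def build_sse_configuration(algorithm: str, kms_key_id: Optional[str] = None) -> dict:
    """Build the ServerSideEncryptionConfiguration argument for
    s3.put_bucket_encryption.  "AES256" selects SSE-S3 (console option
    AES-256); "aws:kms" selects SSE-KMS with the given key (AWS-KMS)."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported SSEAlgorithm {algorithm!r}")
    by_default = {"SSEAlgorithm": algorithm}
    rule = {"ApplyServerSideEncryptionByDefault": by_default}
    if algorithm == "aws:kms":
        if not kms_key_id:
            raise ValueError("SSE-KMS requires a KMS key ID or ARN")
        by_default["KMSMasterKeyID"] = kms_key_id
        # S3 Bucket Keys cut the number of KMS requests an SSE-KMS bucket makes
        rule["BucketKeyEnabled"] = True
    return {"Rules": [rule]}


def check_bucket_encryption(response: Optional[dict]) -> Tuple[bool, Optional[str]]:
    """Evaluate a get_bucket_encryption response.  None stands for the
    ServerSideEncryptionConfigurationNotFoundError the API raises when no
    default encryption is configured.  Returns (encrypted, algorithm)."""
    if not response:
        return False, None
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm in ALLOWED_ALGORITHMS:
            return True, algorithm
    return False, None


def deny_unencrypted_uploads_policy(bucket: str) -> dict:
    """Bucket policy that refuses PutObject requests not asking for SSE.
    A negated operator (StringNotEquals) also matches when the condition
    key is absent, so uploads that omit the header are denied too."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": list(ALLOWED_ALGORITHMS)
                }
            },
        }],
    }


def remediate(bucket: str, algorithm: str = "AES256",
              kms_key_id: Optional[str] = None,
              enforce_with_policy: bool = False) -> Tuple[bool, Optional[str]]:
    """Apply default encryption (optionally the deny policy as well) with the
    boto3 S3 client, then read the setting back.  boto3 is imported here so
    the pure functions above can be exercised offline."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=build_sse_configuration(algorithm, kms_key_id),
    )
    if enforce_with_policy:
        # put_bucket_policy replaces any existing policy; merge first if one exists
        s3.put_bucket_policy(Bucket=bucket,
                             Policy=json.dumps(deny_unencrypted_uploads_policy(bucket)))
    try:
        current = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            current = None
        else:
            raise
    return check_bucket_encryption(current)


if __name__ == "__main__":
    # Constructed samples: an unconfigured bucket versus a remediated one
    print(check_bucket_encryption(None))
    print(check_bucket_encryption(
        {"ServerSideEncryptionConfiguration": build_sse_configuration("AES256")}))
```

Default encryption only governs objects written after it is enabled; objects already in the bucket keep whatever encryption state they had, so an audit of an older bucket should also inspect existing objects (for example via `head_object`, which returns the object's `ServerSideEncryption`). The deny policy closes the remaining gap by rejecting any upload that does not explicitly request one of the allowed algorithms.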

Additional Reading: