More Info:
AWS S3 buckets should be configured to use Server-Side Encryption with customer managed CMKs instead of S3-Managed Keys (SSE-S3) in order to obtain fine-grained control over the Amazon S3 data-at-rest encryption and decryption process.
Risk Level
Low
Address
Security
Compliance Standards
NIST, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration of S3 Buckets not being encrypted with Customer-Provided CMKs in AWS, follow these step-by-step instructions:
- Log in to the AWS Management Console.
- Go to the S3 service.
- Select the bucket that needs to be encrypted with a Customer-Provided CMK.
- Click on the “Properties” tab.
- Scroll down to the “Default encryption” section and click on “Edit”.
- Select “AWS-KMS” as the encryption type.
- Choose “Customer managed CMK” for the master key.
- Select the CMK that you want to use for encryption from the drop-down menu.
- Click on “Save changes”.
Using CLI
To remediate S3 Buckets not being encrypted with Customer-Provided CMKs in AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your computer.
- Identify the S3 bucket that needs to be remediated.
- Check if the S3 bucket is encrypted with a Customer-Provided CMK by running the following command:
- If the output of the above command shows that the S3 bucket is not encrypted with a Customer-Provided CMK, proceed with the following steps.
- Create a Customer-Provided CMK in AWS Key Management Service (KMS) by running the following command:
- Take note of the KeyId value returned by the above command, as it will be used in the next step.
- Create a new bucket policy for the S3 bucket by running the following command: Replace <bucket-name> with the name of the S3 bucket and <KeyId> with the KeyId value obtained in step 6.
- Verify that the S3 bucket is now encrypted with the Customer-Provided CMK by running the following command: The output of the above command should show that the S3 bucket is now encrypted with the Customer-Provided CMK.
- Repeat the above steps for any other S3 buckets that need to be remediated.
Using Python
To remediate the "S3 Buckets should be encrypted with customer-provided CMKs" misconfiguration in AWS using Python, follow these steps:
- Identify the S3 buckets that are not encrypted with customer-provided CMKs. You can use the following Python code to list all the S3 buckets in your AWS account:
- For each S3 bucket that is not encrypted with customer-provided CMKs, enable default encryption with a customer-provided CMK. You can use the following Python code to enable default encryption for an S3 bucket: Replace your-bucket-name with the name of the S3 bucket and your-kms-key-id with the ID of the customer-provided CMK.
- Verify that the S3 bucket is now encrypted with the customer-provided CMK. You can use the following Python code to check the encryption status of an S3 bucket: This will print the encryption configuration for the S3 bucket, including the customer-provided CMK ID.
Repeat these steps for all the S3 buckets that are not encrypted with customer-provided CMKs.
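The Python procedure above, worked through as one added script (example code written for this page, not the page's or AWS's own): it lists the buckets, classifies each one's default encryption, and applies a customer managed CMK only where the current setting is SSE-S3, the AWS managed aws/s3 key, or no default at all. The boto3 calls (list_buckets, get_bucket_encryption, put_bucket_encryption) and the NotFound error code are used as documented in the boto3 S3 API; the key ARN is a placeholder you must replace.

```python
# Added example, not the page's own code: audit each bucket's default encryption
# for SSE-KMS with a customer managed CMK and optionally apply one. boto3 calls
# are assumed as in the boto3 S3 API; the classification check is pure Python.
try:
    import boto3  # only needed for a live run against AWS
except ImportError:
    boto3 = None

NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"

def uses_customer_managed_cmk(config):
    """True only if every rule is SSE-KMS with an explicit key other than the AWS
    managed aws/s3 key (alias form; an ARN of that key would need describe_key).
    `config` is 'ServerSideEncryptionConfiguration' from get_bucket_encryption,
    or None when the bucket has no default encryption configured."""
    rules = (config or {}).get("Rules", [])
    if not rules:
        return False
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") not in ("aws:kms", "aws:kms:dsse"):
            return False  # SSE-S3 (AES256) or no algorithm at all
        key = default.get("KMSMasterKeyID", "")
        if not key or key.endswith("alias/aws/s3"):
            return False  # SSE-KMS, but with the AWS managed key, not a CMK
    return True

def get_default_encryption(s3, bucket):
    """Return the default-encryption config, or None when the API reports none set."""
    try:
        return s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]
    except Exception as exc:  # botocore ClientError exposes the error body as .response
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == NOT_FOUND:
            return None
        raise

def enforce_cmk(s3, bucket, kms_key_id):
    """Set default encryption to SSE-KMS with the given customer managed key."""
    rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": kms_key_id}}
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration={"Rules": [rule]})

def remediate_all(s3, kms_key_id, dry_run=True):
    """Return non-compliant bucket names; also apply the CMK unless dry_run."""
    noncompliant = []
    for b in s3.list_buckets()["Buckets"]:
        if not uses_customer_managed_cmk(get_default_encryption(s3, b["Name"])):
            noncompliant.append(b["Name"])
            if not dry_run:
                enforce_cmk(s3, b["Name"], kms_key_id)
    return noncompliant
```

For a live run, call `remediate_all(boto3.client("s3"), "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID")` first with the default dry_run=True to list what would change, then with dry_run=False to apply the placeholder-replaced CMK ARN.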