S3 Buckets Should Be Encrypted with Customer-Provided CMKs

More Info:

AWS S3 buckets should be configured to use Server-Side Encryption with customer managed CMKs instead of S3-Managed Keys (SSE-S3) in order to obtain a fine-grained control over Amazon S3 data-at-rest encryption and decryption process.

Risk Level

Low

Address

Security

Compliance Standards

NIST, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate S3 Buckets not being encrypted with Customer-Provided CMKs in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your computer.
Identify the S3 bucket that needs to be remediated.
Check if the S3 bucket is encrypted with a Customer-Provided CMK by running the following command:
```
aws s3api get-bucket-encryption --bucket <bucket-name>
```
If the output of the above command shows that the S3 bucket is not encrypted with a Customer-Provided CMK, proceed with the following steps.
Create a Customer-Provided CMK in AWS Key Management Service (KMS) by running the following command:
```
aws kms create-key --description "Customer-Provided CMK for S3 Bucket Encryption"
```
Take note of the KeyId value returned by the above command, as it will be used in the next step.

Create a new bucket policy for the S3 bucket by running the following command:

aws s3api put-bucket-policy --bucket <bucket-name> --policy '{
  "Version": "2012-10-17",
  "Id": "PutEncryptedBucketPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "RequireCustomerProvidedCMK",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
        }
      }
    },
    {
      "Sid": "AllowEncryptedObjectUploads",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        },
        "StringEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "<KeyId>"
        }
      }
    }
  ]
}'

Replace <bucket-name> with the name of the S3 bucket and <KeyId> with the KeyId value obtained in step 6.

Verify that the S3 bucket is now encrypted with the Customer-Provided CMK by running the following command:
```
aws s3api get-bucket-encryption --bucket <bucket-name>
```
The output of the above command should show that the S3 bucket is now encrypted with the Customer-Provided CMK.
Repeat the above steps for any other S3 buckets that need to be remediated.

Using Python

To remediate the S3 Buckets should be encrypted with customer-provided CMKs misconfiguration in AWS using Python, follow these steps:

Identify the S3 buckets that are not encrypted with customer-provided CMKs. You can use the following Python code to list all the S3 buckets in your AWS account:

import boto3

s3 = boto3.client('s3')

response = s3.list_buckets()

for bucket in response['Buckets']:
    print(bucket['Name'])

For each S3 bucket that is not encrypted with customer-provided CMKs, enable default encryption with a customer-provided CMK. You can use the following Python code to enable default encryption for an S3 bucket:

import boto3

s3 = boto3.client('s3')

bucket_name = 'your-bucket-name'
kms_key_id = 'your-kms-key-id'

s3.put_bucket_encryption(
    Bucket=bucket_name,
    ServerSideEncryptionConfiguration={
        'Rules': [
            {
                'ApplyServerSideEncryptionByDefault': {
                    'SSEAlgorithm': 'aws:kms',
                    'KMSMasterKeyID': kms_key_id
                }
            }
        ]
    }
)

Replace your-bucket-name with the name of the S3 bucket and your-kms-key-id with the ID of the customer-provided CMK.

Verify that the S3 bucket is now encrypted with the customer-provided CMK. You can use the following Python code to check the encryption status of an S3 bucket:

import boto3

s3 = boto3.client('s3')

bucket_name = 'your-bucket-name'

response = s3.get_bucket_encryption(
    Bucket=bucket_name
)

print(response)

This will print the encryption configuration for the S3 bucket, including the customer-provided CMK ID.Repeat these steps for all the S3 buckets that are not encrypted with customer-provided CMKs.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Buckets Should Be Encrypted with Customer-Provided CMKs

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: