S3 encrypted with cmks remediation

Using Console

Using CLI

To remediate S3 Buckets not being encrypted with Customer-Provided CMKs in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your computer.
Identify the S3 bucket that needs to be remediated.
Check if the S3 bucket is encrypted with a Customer-Provided CMK by running the following command:
```
aws s3api get-bucket-encryption --bucket <bucket-name>
```
If the output of the above command shows that the S3 bucket is not encrypted with a Customer-Provided CMK, proceed with the following steps.
Create a Customer-Provided CMK in AWS Key Management Service (KMS) by running the following command:
```
aws kms create-key --description "Customer-Provided CMK for S3 Bucket Encryption"
```
Take note of the KeyId value returned by the above command, as it will be used in the next step.

Create a new bucket policy for the S3 bucket by running the following command:

aws s3api put-bucket-policy --bucket <bucket-name> --policy '{
  "Version": "2012-10-17",
  "Id": "PutEncryptedBucketPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "RequireCustomerProvidedCMK",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "true"
        }
      }
    },
    {
      "Sid": "AllowEncryptedObjectUploads",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        },
        "StringEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "<KeyId>"
        }
      }
    }
  ]
}'

Replace <bucket-name> with the name of the S3 bucket and <KeyId> with the KeyId value obtained in step 6.

Verify that the S3 bucket is now encrypted with the Customer-Provided CMK by running the following command:
```
aws s3api get-bucket-encryption --bucket <bucket-name>
```
The output of the above command should show that the S3 bucket is now encrypted with the Customer-Provided CMK.
Repeat the above steps for any other S3 buckets that need to be remediated.

Using Python

To remediate the S3 Buckets should be encrypted with customer-provided CMKs misconfiguration in AWS using Python, follow these steps:

Identify the S3 buckets that are not encrypted with customer-provided CMKs. You can use the following Python code to list all the S3 buckets in your AWS account:

import boto3

s3 = boto3.client('s3')

response = s3.list_buckets()

for bucket in response['Buckets']:
    print(bucket['Name'])

For each S3 bucket that is not encrypted with customer-provided CMKs, enable default encryption with a customer-provided CMK. You can use the following Python code to enable default encryption for an S3 bucket:

import boto3

s3 = boto3.client('s3')

bucket_name = 'your-bucket-name'
kms_key_id = 'your-kms-key-id'

s3.put_bucket_encryption(
    Bucket=bucket_name,
    ServerSideEncryptionConfiguration={
        'Rules': [
            {
                'ApplyServerSideEncryptionByDefault': {
                    'SSEAlgorithm': 'aws:kms',
                    'KMSMasterKeyID': kms_key_id
                }
            }
        ]
    }
)

Replace your-bucket-name with the name of the S3 bucket and your-kms-key-id with the ID of the customer-provided CMK.

Verify that the S3 bucket is now encrypted with the customer-provided CMK. You can use the following Python code to check the encryption status of an S3 bucket:

import boto3

s3 = boto3.client('s3')

bucket_name = 'your-bucket-name'

response = s3.get_bucket_encryption(
    Bucket=bucket_name
)

print(response)

This will print the encryption configuration for the S3 bucket, including the customer-provided CMK ID.Repeat these steps for all the S3 buckets that are not encrypted with customer-provided CMKs.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 encrypted with cmks remediation

Triage and Remediation

Remediation