Ensure that S3 Buckets are encrypted with CMK

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.CRY.03
Category: Storage
Ensure that S3 Buckets have server-side encryption at rest enabled, and are using customer-managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage.

gsl logic

S3Bucket should have encryption.serverSideEncryptionRules contain [ not serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId isEmpty() ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation


From Portal:
1. Go to 'S3'
2. For each non-compliant S3 Bucket:
3. Go to the 'Properties' tab
4. Under 'Default encryption', choose 'Edit'
5. Make sure 'Server-side encryption' is set to 'Enable'
6. Set 'Encryption key type' to 'AWS Key Management Service key'
7. Choose a customer managed KMS key from your account. The GSL check only verifies that a key ID is set, so selecting the AWS managed key aws/s3 can clear the finding without meeting the rule's intent.
8. Save changes
Note: default encryption applies to objects written after the change. Objects already in the bucket keep the encryption they were stored with and have to be re-written (for example copied in place) if they must also be protected by the customer managed key.
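The following is an added example, not CloudGuard/Dome9 or AWS code. It evaluates the condition of the GSL rule above against the JSON that `aws s3api get-bucket-encryption` returns, adds a stricter check for the AWS managed key case the GSL rule cannot distinguish, and builds the payload that `put-bucket-encryption` expects for the remediation steps. The bucket configurations, account number and key ID are constructed samples; `apply_with_boto3` is the only part that touches AWS and is not exercised offline.

```python
"""Evaluate the D9.AWS.CRY.03 condition against S3 default-encryption
configuration and build the matching remediation payload.

Added example, not CloudGuard/Dome9 or AWS code. The sample responses below
are constructed to look like `aws s3api get-bucket-encryption` output.
"""
import re

# Constructed sample: a customer managed key ARN in the same format the
# cloudbot example uses (fictitious account and key id).
CMK_ARN = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample bucket configurations keyed by a short label.
SAMPLES = {
    # Default encryption with S3-managed keys (SSE-S3): no KMS key id at all.
    "sse-s3-only": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    # SSE-KMS with no key id: S3 falls back to the AWS managed key aws/s3.
    "kms-no-key": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    # SSE-KMS with the AWS managed key named explicitly: a key id is set,
    # so the GSL rule passes, but it is not a customer managed key.
    "kms-aws-managed": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3"}}]}},
    # SSE-KMS with a customer managed key: the compliant state.
    "kms-cmk": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN}}]}},
}

# Key ARN or alias ARN; alias names under "alias/aws/" belong to AWS managed keys.
_KEY_REF = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:"
    r"(?:key/[0-9a-f-]{36}|alias/(?!aws/)[A-Za-z0-9/_-]+)$")


def _default_rules(response):
    """Yield the ApplyServerSideEncryptionByDefault block of each rule."""
    cfg = response.get("ServerSideEncryptionConfiguration", {})
    for rule in cfg.get("Rules", []):
        yield rule.get("ApplyServerSideEncryptionByDefault", {})


def rule_passes(response):
    """The GSL condition: some rule has a non-empty KMS key id."""
    return any(r.get("KMSMasterKeyID") for r in _default_rules(response))


def uses_customer_managed_key(response):
    """Stricter than the GSL rule: SSE-KMS with a key reference that is not
    an AWS managed key alias. A bare key id or key ARN cannot be classified
    from this response alone; kms:DescribeKey (KeyMetadata.KeyManager ==
    "CUSTOMER") is the authoritative check for those."""
    for r in _default_rules(response):
        key_id = r.get("KMSMasterKeyID", "")
        if not r.get("SSEAlgorithm", "").startswith("aws:kms") or not key_id:
            continue
        if key_id.startswith("alias/aws/") or ":alias/aws/" in key_id:
            continue
        return True
    return False


def remediation_config(kms_key_arn):
    """Build the ServerSideEncryptionConfiguration that put-bucket-encryption
    expects, refusing AWS managed key references so the fix actually
    satisfies the rule's intent."""
    if not _KEY_REF.match(kms_key_arn):
        raise ValueError(f"not a customer managed KMS key/alias ARN: {kms_key_arn}")
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}}]}


def evaluate(responses):
    """Map each bucket label to (passes GSL rule, uses a customer managed key)."""
    return {name: (rule_passes(resp), uses_customer_managed_key(resp))
            for name, resp in responses.items()}


def apply_with_boto3(bucket, kms_key_arn, region=None):
    """Apply the remediation to a real bucket (needs AWS credentials and
    s3:PutEncryptionConfiguration on the bucket) and re-check it."""
    import boto3  # imported here so the rest of the module runs offline
    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=remediation_config(kms_key_arn))
    return rule_passes(s3.get_bucket_encryption(Bucket=bucket))


if __name__ == "__main__":
    for name, (gsl_ok, cmk_ok) in evaluate(SAMPLES).items():
        print(f"{name:16} GSL rule passes={gsl_ok!s:5} customer managed key={cmk_ok}")
```

The `kms-aws-managed` sample is the case to watch: it passes the GSL condition because a key ID is present, yet it is not a CMK. The same payload that `remediation_config` returns can be passed on the command line as `aws s3api put-bucket-encryption --bucket <name> --server-side-encryption-configuration '<json>'`.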

References:
1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

Auto Remediation Using Cloudbots


cloudbot_name: s3_enable_encryption

What it does: Turns on default encryption on the target bucket.
Usage: AUTO: s3_enable_encryption <encryption_type> <kms-key-arn> (<kms-key-arn> should be provided only if <encryption_type> is kms)
Note: <encryption_type> can be one of the following:

  • s3 (for S3-managed keys) - this does not satisfy this rule, which requires a KMS key ID to be set on the bucket.
  • kms (for customer managed keys - RECOMMENDED) - for kms you MUST provide the <kms-key-arn>, and it should reference a customer managed key rather than the AWS managed aws/s3 key.
    EXAMPLES:
    s3_enable_encryption s3
    s3_enable_encryption kms arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

HIPAA GDPR PCIDSS32 ISO27001 NIST_CSF BP_0318