lacework-global-217

Ensure the S3 bucket has default server-side encryption enabled

Description

With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket so that every new object is encrypted when it is stored in the bucket. Objects are encrypted using server-side encryption with either Amazon S3 managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) keys (SSE-KMS).

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 will be automatically encrypted at no additional cost and with no impact on performance.

Remediation

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Buckets list, select the bucket.

  3. Click Properties.

  4. Under Default encryption, click Edit.

  5. Select an encryption key type.

  6. If using SSE-KMS, choose a key, enter a key ARN, or select to create a new key.

  7. Click Save changes.
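The console steps above map onto the S3 GetBucketEncryption and PutBucketEncryption APIs. The following added example (not part of this policy page or of Lacework's own checks) evaluates a GetBucketEncryption response the way an automated check would and builds the SSE-KMS configuration document that PutBucketEncryption expects; it makes no AWS calls, and the sample responses and the key ARN are constructed.

```python
# Assumptions: dict shapes mirror the S3 GetBucketEncryption /
# PutBucketEncryption API documents; no boto3 call is made here.

SSE_S3 = "AES256"
SSE_KMS = ("aws:kms", "aws:kms:dsse")

def evaluate_default_encryption(config):
    """Return (compliant, reason) for a GetBucketEncryption response body.

    `config` is None when the API raised
    ServerSideEncryptionConfigurationNotFoundError (no default encryption).
    """
    if not config:
        return False, "no default encryption configuration on bucket"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "encryption configuration has no rules"
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = sse.get("SSEAlgorithm")
        if algo == SSE_S3:
            return True, "SSE-S3 (S3-managed keys)"
        if algo in SSE_KMS:
            # Without KMSMasterKeyID, S3 falls back to the AWS managed key aws/s3.
            key = sse.get("KMSMasterKeyID", "aws/s3 (AWS managed key)")
            bucket_key = rule.get("BucketKeyEnabled", False)
            return True, f"SSE-KMS with key {key}, BucketKeyEnabled={bucket_key}"
    return False, "rule present but no recognised SSEAlgorithm"

def build_sse_kms_config(kms_key_arn, bucket_key_enabled=True):
    """Build the ServerSideEncryptionConfiguration for PutBucketEncryption,
    the API equivalent of remediation steps 4-7 with SSE-KMS selected."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": bucket_key_enabled,
        }]
    }

# Constructed sample responses (not real buckets).
UNENCRYPTED = None
SSE_S3_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, cfg in (("bucket-a", UNENCRYPTED), ("bucket-b", SSE_S3_BUCKET)):
        print(name, evaluate_default_encryption(cfg))
    # With boto3 the remediation would be:
    # s3.put_bucket_encryption(Bucket="bucket-a",
    #     ServerSideEncryptionConfiguration=build_sse_kms_config(KEY_ARN))
```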

References

https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html