Unencrypted S3 bucket.
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
Impact
The bucket objects could be read if compromised
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
- Install awscli
- Configure awscli
- To enable bucket encryption on an S3 bucket called `unencrypted-bucket`, run the following aws cli command:

```shell
aws s3api put-bucket-encryption --bucket unencrypted-bucket --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
```
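To verify the remediation (and to find buckets that still need it), the GetBucketEncryption API returns the same `Rules` document that the command above sets. The following audit helper is an added example, not part of the original page: `s3_client` is assumed to be a boto3 S3 client (boto3 itself is not imported, so the evaluation logic runs offline), and a `ServerSideEncryptionConfigurationNotFoundError` is treated as "no default encryption".

```python
# Added example (not from the original page): audit S3 default-encryption status.
# `s3_client` is assumed to be a boto3 S3 client; any object exposing
# get_bucket_encryption() and list_buckets() with the same response shape works.
from dataclasses import dataclass
from typing import Any, Optional

# Error code S3 returns when a bucket has no default encryption configured
NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"


@dataclass
class EncryptionStatus:
    bucket: str
    encrypted: bool
    algorithm: Optional[str]      # "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)
    kms_key_id: Optional[str]     # KMS key ARN/ID when SSE-KMS is used
    bucket_key_enabled: bool      # S3 Bucket Key reduces KMS request volume


def evaluate_configuration(bucket: str, config: Optional[dict[str, Any]]) -> EncryptionStatus:
    """Evaluate a ServerSideEncryptionConfiguration document (None = not encrypted)."""
    if not config:
        return EncryptionStatus(bucket, False, None, None, False)
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default or not default.get("SSEAlgorithm"):
            continue  # a rule with no default algorithm encrypts nothing
        return EncryptionStatus(
            bucket, True, default["SSEAlgorithm"], default.get("KMSMasterKeyID"),
            bool(rule.get("BucketKeyEnabled", False)),
        )
    return EncryptionStatus(bucket, False, None, None, False)


def audit_bucket(s3_client: Any, bucket: str) -> EncryptionStatus:
    """Fetch one bucket's default encryption; NotFound means unencrypted."""
    try:
        response = s3_client.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries the code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == NOT_FOUND:
            return evaluate_configuration(bucket, None)
        raise
    return evaluate_configuration(bucket, response.get("ServerSideEncryptionConfiguration"))


def unencrypted_buckets(s3_client: Any) -> list[str]:
    """Names of all buckets in the account that lack default encryption."""
    names = [b["Name"] for b in s3_client.list_buckets().get("Buckets", [])]
    return [n for n in names if not audit_bucket(s3_client, n).encrypted]
```

The `algorithm` and `kms_key_id` fields let you go beyond "encrypted or not" and enforce SSE-KMS with a specific key where policy requires it.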
Configure bucket encryption (CloudFormation)

```yaml
Resources:
  GoodExample:
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              KMSMasterKeyID: kms-arn
              SSEAlgorithm: aws:kms
    Type: AWS::S3::Bucket
```
Configure bucket encryption (Terraform)

```hcl
# Customer-managed KMS key used for SSE-KMS; rotation keeps key material fresh
resource "aws_kms_key" "good_example" {
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"

  # Inline block as written for AWS provider v3; in provider v4+ the same
  # settings belong in an aws_s3_bucket_server_side_encryption_configuration resource
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # must reference the key resource declared above (it is named good_example)
        kms_master_key_id = aws_kms_key.good_example.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
```
Links