S3 encryption should use Customer Managed Keys Encryption using AWS keys provides protection for your S3 buckets. To gain greater control over encryption, such as key rotation, access policies, and auditability, use customer managed keys (CMKs) with SSE-KMS.
Note that SSE-KMS is not supported for S3 server access logging destination buckets; in such cases, use SSE-S3 instead.
Impact
Recommended Actions Follow the appropriate remediation steps below to resolve the issue.
CloudFormation
Terraform
Use SSE-KMS with a customer managed key (CMK)
1
2
3
4
5
6
7
8
9
10
Resources :
GoodExample :
Type : AWS::S3::Bucket
Properties :
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : true
ServerSideEncryptionByDefault :
KMSMasterKeyID : kms-arn
SSEAlgorithm : aws:kms
Use SSE-KMS with a customer managed key (CMK)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
resource "aws_kms_key" "mykey" {}
resource "aws_s3_bucket" "good_example" {
bucket = "mybucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
bucket = aws_s3_bucket . good_example . id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key . mykey . arn
sse_algorithm = "aws:kms"
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
resource "aws_s3_bucket" "good_example" {
# server access logging bucket
acl = "log-delivery-write"
bucket = "mybucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
bucket = aws_s3_bucket . good_example . id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
resource "aws_kms_key" "good_example" {
enable_key_rotation = true
}
resource "aws_s3_bucket" "good_example" {
bucket = "mybucket"
# deprecated way
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key . example . arn
sse_algorithm = "aws:kms"
}
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
resource "aws_s3_bucket" "good_example" {
bucket = "log-bucket"
}
resource "aws_s3_bucket_acl" "log_acl" {
bucket = aws_s3_bucket . good_example . id
access_control_policy {
grant {
grantee {
type = "Group"
uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
permission = "WRITE"
}
owner {
id = data . aws_canonical_user_id . current . id
}
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_config" {
bucket = aws_s3_bucket . good_example . id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
resource "aws_s3_bucket" "good_example" {
bucket = "log-policy-bucket"
}
resource "aws_s3_bucket_policy" "log_policy" {
bucket = aws_s3_bucket . good_example . id
policy = jsonencode ( {
Version = "2012-10-17"
Statement = [ {
Effect = "Allow"
Principal = {
Service = "logging.s3.amazonaws.com"
}
Action = "s3:PutObject"
Resource = "arn:aws:s3:::log-policy-bucket/logs/*"
}]
})
}
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_config" {
bucket = aws_s3_bucket . good_example . id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
Links