S3 encryption should use Customer Managed Keys Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
Impact
Recommended Actions Follow the appropriate remediation steps below to resolve the issue.
CloudFormation
Terraform
Enable encryption using customer managed keys
1
2
3
4
5
6
7
8
9
10
Resources :
GoodExample :
Type : AWS::S3::Bucket
Properties :
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : true
ServerSideEncryptionByDefault :
KMSMasterKeyID : kms-arn
SSEAlgorithm : aws:kms
Enable encryption using customer managed keys
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
resource "aws_kms_key" "good_example" {
enable_key_rotation = true
}
resource "aws_s3_bucket" "good_example" {
bucket = "mybucket"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key . example . arn
sse_algorithm = "aws:kms"
}
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
resource "aws_s3_bucket" "good_example" {
bucket = "mybucket"
acl = "log-delivery-write"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
Links