S3 encryption should use Customer Managed Keys

Encryption using AWS managed keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation, use customer managed keys.

Impact

Using AWS managed keys does not allow for fine-grained control.

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.
CloudFormation

Enable encryption using customer managed keys

```yaml
Resources:
  GoodExample:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          # SSE-KMS with an explicit key: replace kms-arn with the ARN of your customer managed key
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              KMSMasterKeyID: kms-arn
              SSEAlgorithm: aws:kms
```
Terraform

Enable encryption using customer managed keys

```hcl
# Customer managed key with automatic rotation enabled
resource "aws_kms_key" "good_example" {
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # Reference the key defined above (the original snippet pointed at an undefined aws_kms_key.example)
        kms_master_key_id = aws_kms_key.good_example.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
```
Buckets that receive S3 server access logs (acl = "log-delivery-write") are exempt from this check and may keep SSE-S3 (AES256), because S3 does not support a bucket whose default encryption is SSE-KMS as an access-log target:

```hcl
resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
  acl    = "log-delivery-write"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
```
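The same rule, applied to live configuration rather than templates, as an added example that is not part of the tfsec/Trivy page or project: it evaluates the dict shapes returned by boto3's get_bucket_encryption, get_bucket_acl and kms.describe_key, treats an aws:kms rule with no key or with an AWS managed key as non-compliant, and applies the log-delivery exemption above. The KMS key ARNs and their KeyManager values are constructed sample data.

```python
# Constructed sample of kms.describe_key results keyed by key ARN.
# KeyManager is "CUSTOMER" for customer managed keys and "AWS" for
# AWS managed keys such as aws/s3.
KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0000": "CUSTOMER",
    "arn:aws:kms:us-east-1:111122223333:key/aws-s3-0000": "AWS",
}

# Grantee URI that the log-delivery-write canned ACL grants WRITE to.
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def is_log_bucket(acl):
    """True if the bucket ACL lets the S3 LogDelivery group write objects."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("URI") == LOG_DELIVERY_URI and grant.get("Permission") in ("WRITE", "FULL_CONTROL"):
            return True
    return False


def evaluate_bucket(encryption, acl, key_manager=KEY_MANAGER):
    """Return (compliant, reason) for one bucket's default encryption."""
    if is_log_bucket(acl):
        return True, "log-delivery bucket: SSE-KMS default encryption is not supported for log targets"
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            continue  # AES256 or no default: not a customer managed key
        key_id = default.get("KMSMasterKeyID")
        if not key_id:
            # aws:kms with no key id falls back to the AWS managed aws/s3 key
            return False, "aws:kms without KMSMasterKeyID uses the AWS managed aws/s3 key"
        if key_manager.get(key_id) != "CUSTOMER":
            return False, f"{key_id} is not a customer managed key"
        return True, "customer managed KMS key in use"
    return False, "no aws:kms default encryption rule"


def sse_config(algorithm, key_id=None):
    """Build a GetBucketEncryption-shaped dict for the sample runs."""
    default = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}
```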