Ensure S3 buckets are encrypted with KMS by default

ID

s3_encrypted_cmk

Severity

low

Vendor

AWS

Resource

S3

Tags

reachable

Description

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

When you use server-side encryption with AWS KMS (SSE-KMS), you can use the default AWS managed key, or you can specify a customer managed key that you have already created. AWS KMS uses envelope encryption to further protect your data.

Specifying a customer managed key gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Examples

CloudFormation

{
  "Resources": {
    "EncryptedS3Bucket": { (1)
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
        },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms"
              }
            }
          ]
        }
      },
      "DeletionPolicy": "Delete"
    }
  }
}
(1) KMSMasterKeyID is not set, so the default AWS managed KMS key is used for encryption.

Resources:
  EncryptedS3Bucket: (1)
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
    DeletionPolicy: Delete
(1) KMSMasterKeyID is not set, so the default AWS managed KMS key is used for encryption.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "EncryptedS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
        },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "KMS-KEY-ARN" (1)
              }
            }
          ]
        }
      },
      "DeletionPolicy": "Delete"
    }
  }
}
(1) KMSMasterKeyID is set, so a customer managed KMS key is used for encryption.

Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN (1)
    DeletionPolicy: Delete
(1) KMSMasterKeyID is set, so a customer managed KMS key is used for encryption.
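The following is an added example, not part of the original rule page: a minimal build-time implementation of the s3_encrypted_cmk check over a CloudFormation JSON template. The template and the key ARN inside it are constructed sample data; the check passes a bucket only when its default encryption uses aws:kms together with a KMSMasterKeyID, and reports why every other bucket fails.

```python
import json

# Constructed sample template (not from the page): one bucket per outcome.
TEMPLATE = json.dumps({
    "Resources": {
        "DefaultKmsBucket": {  # aws:kms, no key -> AWS managed key -> FAIL
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
        "CmkBucket": {  # aws:kms with a customer managed key -> PASS
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}},
        "Sse3Bucket": {  # SSE-S3 (AES256), no KMS at all -> FAIL
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},  # no rule -> FAIL
        "NotABucket": {"Type": "AWS::SQS::Queue"},  # ignored by the check
    }
})


def bucket_uses_cmk(properties):
    """Return (passes, reason) for one AWS::S3::Bucket Properties block."""
    encryption = properties.get("BucketEncryption") or {}
    for rule in encryption.get("ServerSideEncryptionConfiguration") or []:
        sse = rule.get("ServerSideEncryptionByDefault") or {}
        if sse.get("SSEAlgorithm") != "aws:kms":
            continue  # AES256 (SSE-S3) rules do not satisfy this check
        # KMSMasterKeyID may be a literal ARN/ID or an intrinsic such as {"Ref": ...};
        # any non-empty value means a customer managed key is pinned.
        if sse.get("KMSMasterKeyID"):
            return True, "SSE-KMS with customer managed key"
        return False, "SSE-KMS without KMSMasterKeyID (AWS managed key)"
    return False, "no aws:kms default encryption rule"


def check_template(template_json):
    """Map every S3 bucket in the template to its (passes, reason) result."""
    resources = json.loads(template_json).get("Resources", {})
    return {name: bucket_uses_cmk(res.get("Properties") or {})
            for name, res in resources.items()
            if res.get("Type") == "AWS::S3::Bucket"}


if __name__ == "__main__":
    for name, (ok, reason) in check_template(TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```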