Ensure that your Amazon S3 buckets are configured to use Server-Side Encryption with customer-provided Customer Master Keys (CMKs) instead of S3-Managed Keys (SSE-S3), in order to have fine-grained control over the encryption and decryption of Amazon S3 data at rest. Once Server-Side Encryption is configured to use customer-provided keys by default, Amazon S3 automatically encrypts every new object with the specified Customer Master Key (CMK).
This rule can help you with the following compliance standards:
- GDPR
- APRA
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using Server-Side Encryption with customer-provided Customer Master Keys (CMKs) allows you to set your own encryption keys and have full control over who can use these keys to access your Amazon S3 data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable, and audit Customer Master Keys (CMKs) for Amazon S3.
Audit
To determine the encryption status and configuration for your Amazon S3 buckets, perform the following actions:
Remediation / Resolution
To configure your Amazon S3 buckets to encrypt bucket data using customer-provided Customer Master Keys (CMKs), perform the following operations:
Case A: To configure encryption with existing customer-provided Customer Master Keys (CMKs), perform the following actions:
Case B: To configure encryption with a new customer-provided Customer Master Key (CMK), perform the following actions:
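The following is an added example, not part of the Conformity rule page and not Conformity's own tooling. It shows the two sides of this rule in code: the audit classifies the JSON that `aws s3api get-bucket-encryption --bucket NAME` returns (SSE-S3, the AWS-managed `aws/s3` key, a customer-managed CMK, or no default encryption at all), and the remediation builds the document that `aws s3api put-bucket-encryption --server-side-encryption-configuration` accepts, referencing a CMK created with `aws kms create-key`. The bucket names, responses and the CMK ARN are constructed placeholders; the function names are my own.

```python
"""Audit and remediation helpers for S3 default encryption (added example).

The dict shapes below mirror the JSON returned by `aws s3api get-bucket-encryption`
and accepted by `aws s3api put-bucket-encryption`. All sample data is constructed.
"""
import json

# Constructed placeholder; a real ARN comes from `aws kms create-key` / `describe-key`.
EXAMPLE_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def evaluate_bucket_encryption(response):
    """Classify one get-bucket-encryption response.

    Returns 'none' (no default-encryption rule; the CLI raises
    ServerSideEncryptionConfigurationNotFoundError, modelled here as None),
    'sse-s3' (AES256, S3-managed keys), 'aws-managed' (aws:kms without a key id,
    or explicitly the aws/s3 alias) or 'cmk' (aws:kms with an explicit key).
    """
    rules = (response or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm == "AES256":
            return "sse-s3"
        if algorithm == "aws:kms":
            key_id = default.get("KMSMasterKeyID", "")
            # Caveat: if the AWS-managed aws/s3 key is referenced by its key ARN rather
            # than its alias, only `aws kms describe-key` (KeyManager == "AWS") can tell
            # it apart from a customer-managed CMK; this check treats any other id as a CMK.
            if key_id and not key_id.endswith("alias/aws/s3"):
                return "cmk"
            return "aws-managed"
    return "none"


def audit_buckets(responses):
    """Map bucket name -> encryption status for a dict of bucket -> CLI response."""
    return {bucket: evaluate_bucket_encryption(resp) for bucket, resp in responses.items()}


def non_compliant_buckets(responses):
    """Sorted names of buckets whose default encryption is not a customer-managed CMK."""
    return sorted(b for b, status in audit_buckets(responses).items() if status != "cmk")


def build_cmk_encryption_config(cmk_arn, bucket_key_enabled=True):
    """Document for `aws s3api put-bucket-encryption --server-side-encryption-configuration`.

    Note the top level is "Rules" here, whereas get-bucket-encryption wraps it in
    "ServerSideEncryptionConfiguration". BucketKeyEnabled reduces KMS request volume
    and cost when objects are encrypted with a CMK.
    """
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": cmk_arn,
                },
                "BucketKeyEnabled": bucket_key_enabled,
            }
        ]
    }


# Constructed sample responses, one per bucket, as get-bucket-encryption would return them.
SAMPLE_RESPONSES = {
    "app-data-prod": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": EXAMPLE_CMK_ARN},
         "BucketKeyEnabled": True}]}},
    "access-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "shared-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/aws/s3"}}]}},
    "legacy-exports": None,  # no default-encryption configuration at all
}


if __name__ == "__main__":
    for bucket, status in audit_buckets(SAMPLE_RESPONSES).items():
        print(f"{bucket:16s} {status}")
    print("non-compliant:", non_compliant_buckets(SAMPLE_RESPONSES))
    # Write this to a file and pass it as --server-side-encryption-configuration file://encryption.json
    print(json.dumps(build_cmk_encryption_config(EXAMPLE_CMK_ARN), indent=2))
```

To run this against a real account, iterate the names from `aws s3api list-buckets`, feed each `get-bucket-encryption` response into `evaluate_bucket_encryption`, and apply the generated document with `put-bucket-encryption` only to the buckets reported as non-compliant, after confirming the key policy of the CMK grants the bucket's principals the `kms:Decrypt`/`kms:GenerateDataKey` permissions they need.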
References
- AWS Documentation
  - Amazon S3 Frequently Asked Questions
  - Data protection in Amazon S3
  - Protecting Data Using Encryption
  - Protecting Data Using Server-Side Encryption
  - Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C)
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - list-buckets
    - get-bucket-encryption
    - put-bucket-encryption
  - kms
    - create-key
    - create-alias
- CloudFormation Documentation
  - AWS::S3::Bucket
- Terraform Documentation
  - AWS Provider
Rule: S3 Buckets Encrypted with Customer-Provided CMKs
Risk Level: Medium