S3 Buckets Encrypted with Customer-Provided CMKs

Risk Level: Medium (should be achieved)

Rule ID: S3-025

Ensure that your Amazon S3 buckets are configured to use Server-Side Encryption with customer-provided Customer Master Keys (CMKs) instead of S3-Managed Keys (SSE-S3) in order to have a fine-grained control over Amazon S3 data-at-rest encryption and decryption process. Once the Server-Side Encryption is configured to use customer-provided keys by default, Amazon S3 will automatically encrypt any new objects with the specified Customer Master Key (CMK).

This rule can help you with the following compliance standards:

GDPR
APRA
NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using Server-Side Encryption with customer-provided Customer Master Keys (CMKs) allows you to set your own encryption keys and have full control over who can use these keys to access your Amazon S3 data. AWS Key Management Service (KMS) allows you to easily create, rotate, disable, and audit Customer Master Keys (CMKs) for Amazon S3.

Audit

To determine the encryption status and configuration for your Amazon S3 buckets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 Within Default encryption section, check the Server-side encryption attribute value to determine Server-Side Encryption (SSE) configuration available for the selected S3 bucket:

If the Server-side encryption attribute is not listed, the Server-Side Encryption (SSE) feature is not enabled by default for the selected Amazon S3 bucket. Follow the instructions outlined in this conformity rule to enable SSE for the selected S3 bucket.
If the Server-side encryption value is set to Amazon S3 master-key (SSE-S3), the S3 bucket is configured to use Server-Side Encryption with an Amazon S3 Master Key (SS3-S3), therefore the SSE configuration for the selected S3 bucket is not compliant. An SS3-S3 key is an encryption key that Amazon S3 creates, manages, and uses for you.
If Server-side encryptionis set to AWS-KMS master-key (SSE-KMS), but the KMS master key ARN of the configured CMK is arn:aws:kms:us-east-1:<aws-account-id>:alias/aws/s3(i.e. the default key managed by the KMS service for Amazon S3), the Server-Side Encryption (SSE) configuration for the selected S3 bucket is not compliant.

06 Repeat steps no. 3 – 5 to determine the encryption status and configuration for other Amazon S3 buckets available within your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
	"cc-project5-analytics",
	"cc-project5-app-logs"
]

03 Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier and custom query filters to return the Server-Side Encryption (SSE) configuration used by the selected S3 bucket:

aws s3api get-bucket-encryption
  --bucket cc-project5-analytics
  --query 'ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault'

04 The command output should return one of the following results:

If the get-bucket-encryption command output returns the ServerSideEncryptionConfigurationNotFoundError error message, as shown in the example below, the Server-Side Encryption (SSE) is not enabled by default for the selected Amazon S3 bucket. Follow the instructions outlined in this conformity rule to enable SSE for the selected S3 bucket:
```
An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found.
```
If the command output returns "SSEAlgorithm": "AES256", as shown in the example below, the S3 bucket is configured to use Server-Side Encryption with an Amazon S3 Master Key (SS3-S3), therefore the SSE configuration for the selected S3 bucket is not compliant. An SS3-S3 key is an encryption key that Amazon S3 creates, manages, and uses for you:
```
[
	{
		"SSEAlgorithm": "AES256"
	}
]
```
If the get-bucket-encryption command output returns "aws:kms" as value for the "SSEAlgorithm" attribute, check the Amazon Resource Name (ARN) referenced by the "KMSMasterKeyID" attribute. If the key ARN is "arn:aws:kms:us-east-1:<aws-account-id>:alias/aws/s3", where <aws-account-id> is the ID of your AWS account, the Server-Side Encryption (SSE) configuration for the selected S3 bucket is not compliant:
```
[
	{
		"SSEAlgorithm": "aws:kms",
		"KMSMasterKeyID": "arn:aws:kms:us-east-1:<aws-account-id>:alias/aws/s3"
	}
]
```

05 Repeat steps no. 3 and 4 to determine the encryption status and configuration for other Amazon S3 buckets available in your AWS account.

Remediation / Resolution

To configure your Amazon S3 buckets to encrypt bucket data using customer-provided Customer Master Keys (CMKs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Server-Side Encryption With Customer Master Keys",
	"Resources": {
		"EncryptedS3Bucket": {
			"Properties": {
				"BucketName": "cc-project5-analytics",
				"BucketEncryption": {
					"ServerSideEncryptionConfiguration": [
						{
							"ServerSideEncryptionByDefault": {
								"SSEAlgorithm": "aws:kms",
								"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
							}
						}
					]
				}
			},
			"Type": "AWS::S3::Bucket"
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Server-Side Encryption With Customer Master Keys
	Resources:
		EncryptedS3Bucket:
		Properties:
			BucketName: cc-project5-analytics
			BucketEncryption:
			ServerSideEncryptionConfiguration:
			- ServerSideEncryptionByDefault:
				SSEAlgorithm: aws:kms
				KMSMasterKeyID: arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd
		Type: AWS::S3::Bucket

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_kms_key" "kms-cmk" {
	description = "Customer-Provided KMS Customer Master Key"
	key_usage   = "ENCRYPT_DECRYPT"
	is_enabled  = true
}

resource "aws_s3_bucket" "encrypted-bucket" {
	bucket = "cc-project5-analytics"

	server_side_encryption_configuration {
		rule {
			apply_server_side_encryption_by_default {
				kms_master_key_id = aws_kms_key.kms-cmk.arn
				sse_algorithm     = "aws:kms"
			}
		}
	}

}

Case A: To configure encryption with existing customer-provided Customer Master Keys (CMKs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Default encryption section, choose Edit to modify the Server-Side Encryption (SSE) feature configuration.

06 Within Default encryption section, perform the following actions:

Select AWS Key Management Service key (SSE-KMS) to encrypt your S3 objects using an encryption key protected by AWS Key Management Service (SSE-KMS). Select Choose from your KMS master keys under AWS KMS key and choose your own Customer Master Key (CMK) from the KMS master key dropdown list.
(Optional) Select Enable under Bucket Key to configure the S3 bucket to use an Amazon S3 bucket key for Server-Side Encryption with Amazon KMS-Managed Keys (SSE-KMS).
Choose Save changes to apply the configuration changes.

07 Repeat steps no. 3 – 6 to configure Server-Side Encryption with customer-provided Customer Master Keys for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Define the configuration parameters required for the put-bucket-encryption command. Save the following parameters to a JSON file named sse-kms-config.json (replace the highlighted key ARN with your own CMK ARN):

{
	"Rules": [
		{
			"ApplyServerSideEncryptionByDefault": {
				"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
				"SSEAlgorithm": "aws:kms"
			}
		}
	]
}

02 Run put-bucket-encryption command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier and the configuration parameters defined at the previous step (i.e. sse-kms-config.json), to enable Server-Side Encryption with Customer Master Keys (CMKs) for the selected S3 bucket (the command does not produce an output):

aws s3api put-bucket-encryption
  --bucket cc-project5-analytics
  --server-side-encryption-configuration file://sse-kms-config.json

03 Repeat step no. 1 and 2 to configure Server-Side Encryption with customer-provided Customer Master Keys for other Amazon S3 buckets available within your AWS account.

Case B: To configure encryption with a new customer-provided Customer Master Key (CMK), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 To create your own customer-provided Customer Master Key (CMK), navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the left navigation panel, click Customer managed keys.

04 Select the appropriate AWS region from the navigation bar (must match the region of your non-compliant S3 bucket).

05 Click Create Key button from the dashboard top menu to initiate the setup process.

06 For Step 1 Configure key, choose Symmetric from the Key type section, and select KMS for the Key material origin, available under Advanced options. Click Next to continue.

07 For Step 2 Add labels, provide a unique name (alias) and a short description for your new CMK, then use the Add tag button to create any required tag sets (optional). Click Nextto continue the setup process.

08 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS console. Click Nextto continue.

09 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key (CMK) for cryptographic operations. (Optional) In the Other AWS accounts section, click Add another AWS account and enter an external account ID in order to specify another AWS account that can use this KMS CMK to encrypt and decrypt your Amazon S3 data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Click Next to continue the process.

10 For Step 5 Review and edit key policy, review the key policy, then click Finish to create your new KMS Customer Master Key (CMK). Once the key is successfully created, the KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

11 Once your new Customer Master Key (CMK) has been created, navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

12 Click on the name of the S3 bucket that you want to reconfigure.

13 Select the Properties tab from the console menu to access the bucket properties.

14 In the Default encryption section, choose Edit to modify the Server-Side Encryption (SSE) feature configuration.

15 Within Default encryption section, perform the following actions:

Select AWS Key Management Service key (SSE-KMS) to encrypt your S3 objects using an encryption key protected by AWS Key Management Service (SSE-KMS). Select Choose from your KMS master keys under AWS KMS key and choose the newly created Customer Master Key (CMK) from the KMS master key dropdown list. You can also choose to enter the CMK ARN in the Enter KMS master key ARN box.
(Optional) Select Enable under Bucket Key to configure the S3 bucket to use an Amazon S3 bucket key for Server-Side Encryption with Amazon KMS-Managed Keys (SSE-KMS).
Choose Save changes to apply the changes.

16 Repeat steps no. 12 – 15 to configure Server-Side Encryption with customer-provided Customer Master Keys for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your Amazon S3 data using the KMS API. Create a new policy document (JSON format), name the file s3-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
	"Id": "s3-cmk-policy",
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Enable IAM User Permissions",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:root"
			},
			"Action": "kms:*",
			"Resource": "*"
		},
		{
			"Sid": "Allow access for Key Administrators",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Create*",
				"kms:Describe*",
				"kms:Enable*",
				"kms:List*",
				"kms:Put*",
				"kms:Update*",
				"kms:Revoke*",
				"kms:Disable*",
				"kms:Get*",
				"kms:Delete*",
				"kms:TagResource",
				"kms:UntagResource",
				"kms:ScheduleKeyDeletion",
				"kms:CancelKeyDeletion"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow use of the key",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:Encrypt",
				"kms:Decrypt",
				"kms:ReEncrypt*",
				"kms:GenerateDataKey*",
				"kms:DescribeKey"
			],
			"Resource": "*"
		},
		{
			"Sid": "Allow attachment of persistent resources",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
			},
			"Action": [
				"kms:CreateGrant",
				"kms:ListGrants",
				"kms:RevokeGrant"
			],
			"Resource": "*",
			"Condition": {
				"Bool": {
					"kms:GrantIsForAWSResource": "true"
				}
			}
		}
	]
}

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. s3-cmk-policy.json) as value for the --policy parameter, to create your new customer-provided Customer Master Key (CMK):

aws kms create-key
  --region us-east-1
  --description 'KMS CMK for encrypting Amazon S3 data'
  --policy file://s3-cmk-policy.json
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias
  --region us-east-1
  --alias-name alias/S3DataCMK
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

05 Define the configuration parameters required for the put-bucket-encryption command. Save the following parameters to a JSON file named sse-kms-config.json (replace the highlighted ARN with the ARN of the newly created Customer Master Key):

{
	"Rules": [
		{
			"ApplyServerSideEncryptionByDefault": {
				"KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
				"SSEAlgorithm": "aws:kms"
			}
		}
	]
}

06 Run put-bucket-encryption command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier and the configuration parameters defined at the previous step (i.e. sse-kms-config.json), to enable Server-Side Encryption with Customer Master Keys (CMKs) for the selected S3 bucket (the command does not produce an output):

aws s3api put-bucket-encryption
  --bucket cc-project5-analytics
  --server-side-encryption-configuration file://sse-kms-config.json

07 Repeat step no. 5 and 6 to configure Server-Side Encryption with customer-provided Customer Master Keys for other Amazon S3 buckets available within your AWS account.

References

AWS Command Line Interface (CLI) Documentation
s3api
list-buckets
get-bucket-encryption
put-bucket-encryption
kms
create-key
create-alias

CloudFormation Documentation
AWS::S3::Bucket

Terraform Documentation
AWS Provider

Publication date Feb 13, 2019

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related S3 rules