AWS S3 Encryption does not use Customer Master Key (CMK)

Description:

Amazon S3 supports Server-Side Encryption (SSE) with AWS Key Management Service (KMS), which lets you encrypt S3 data with a specific Customer Master Key (CMK) managed in AWS KMS. Using a CMK gives more flexibility and control over the encryption and decryption of the stored data. If S3 encryption does not use a CMK, it may not meet organization-specific encryption requirements and key management standards.


Remediation:

1. Use Server-Side Encryption with KMS-managed keys for S3:

AWS Management Console:
  • Navigate to the S3 service.
  • Select the desired bucket.
  • Go to Properties > Default encryption.
  • Choose AWS-KMS.
  • In the KMS Master Key dropdown, select the specific CMK you want to use or create a new one.
  • Click Save.
AWS CLI:
aws s3api put-bucket-encryption \
  --bucket <YOUR-BUCKET-NAME> \
  --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "<YOUR-KMS-KEY-ID>"}}]}'
Terraform:
resource "aws_s3_bucket" "bucket" {
  bucket = "<YOUR-BUCKET-NAME>"
  acl    = "private"

  # ... other configurations ...

  # Default encryption: objects written without an explicit SSE header are
  # encrypted with the CMK defined below.
  # Note: on AWS provider v4 and later this inline block is deprecated in
  # favour of the separate aws_s3_bucket_server_side_encryption_configuration
  # resource, which takes the same rule block.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.my_kms_key.key_id
      }
    }
  }
}

resource "aws_kms_key" "my_kms_key" {
  description = "My KMS key for S3"
  # The key policy must allow the principals that read and write the bucket
  # to use this key (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey).
  policy      = <YOUR-KMS-POLICY>
}

Replace <YOUR-BUCKET-NAME> with the name of your S3 bucket and <YOUR-KMS-KEY-ID> with the ID of your desired KMS Customer Master Key. If using Terraform, also define your KMS key policy appropriately.
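As an added example, not part of the original finding: the check below classifies the JSON that `aws s3api get-bucket-encryption` returns for each bucket, flagging buckets with no default encryption, SSE-S3 (AES256), or SSE-KMS backed by the AWS-managed aws/s3 key instead of a CMK. The bucket names, account ID and key ARNs are constructed sample data; to audit a real account, feed it one result per bucket from the CLI or boto3.

```python
# Classify a bucket's default-encryption setting as returned by
# `aws s3api get-bucket-encryption` (parsed JSON). `None` stands for the
# ServerSideEncryptionConfigurationNotFoundError case.

# SSE algorithms backed by AWS KMS ("aws:kms:dsse" is dual-layer SSE-KMS).
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}
# Alias of the AWS-managed S3 key, which is not a customer managed CMK.
AWS_MANAGED_S3_ALIAS = "alias/aws/s3"

def evaluate_bucket_encryption(config):
    """Return (compliant, reason) for one bucket's encryption configuration."""
    if config is None:
        return False, "no default encryption configured"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "encryption configuration has no rules"
    key_id = None
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")
        if algorithm not in KMS_ALGORITHMS:
            return False, f"default algorithm is {algorithm}, not SSE-KMS"
        # Without KMSMasterKeyID, S3 falls back to the AWS-managed aws/s3 key.
        # An ARN alone cannot prove a key is customer managed; a full check
        # would also call kms:DescribeKey and inspect KeyManager.
        if not key_id or key_id.endswith(AWS_MANAGED_S3_ALIAS):
            return False, "SSE-KMS uses the AWS-managed aws/s3 key, not a CMK"
    return True, f"SSE-KMS with customer managed key {key_id}"

def audit(buckets):
    """Map bucket name -> (compliant, reason) for a dict of CLI results."""
    return {name: evaluate_bucket_encryption(cfg) for name, cfg in buckets.items()}

# Constructed sample inputs (account ID and key ID are placeholders).
SAMPLE_BUCKETS = {
    "legacy-bucket": None,
    "sse-s3-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "aws-managed-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:alias/aws/s3"}}]}},
    "cmk-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/<YOUR-KMS-KEY-ID>"}}]}},
}

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_BUCKETS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```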


Always ensure your S3 data encryption aligns with organizational policies by leveraging the appropriate Customer Master Keys (CMK) managed in AWS KMS.