AWS S3 is Not Encrypted

Description:

Amazon Simple Storage Service (S3) can encrypt objects at rest with server-side encryption (SSE): SSE-S3 uses AES-256 with keys that S3 manages, SSE-KMS uses a key in AWS Key Management Service, and SSE-C uses a key the client supplies on every request. A bucket with no default encryption configuration stores any object uploaded without an explicit encryption header in plaintext, so a copied storage volume, a mis-scoped backup or a misconfigured bucket policy exposes the data directly. Two caveats matter for triage. First, since January 2023 S3 applies SSE-S3 to every new object automatically, so this finding is mainly about objects written before that change and about buckets that should use SSE-KMS, where the key policy adds a second authorization check (kms:Decrypt) on top of s3:GetObject. Second, encryption at rest is not a substitute for access control: any principal allowed to read the object receives it decrypted.


Remediation:

1. Enable Server-Side Encryption for S3:

AWS Management Console:
  • Navigate to the S3 service.
  • Select the desired bucket.
  • Go to Properties > Default encryption.
  • Choose either AES-256 (SSE-S3) or AWS-KMS (SSE-KMS, which also requires selecting the KMS key to use) and then click on Save.
AWS CLI:
aws s3api put-bucket-encryption --bucket <YOUR-BUCKET-NAME> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
Terraform:
resource "aws_s3_bucket" "bucket" {
  bucket = "<YOUR-BUCKET-NAME>"

  # ... other configurations ...
}

# With AWS provider v4 and later the inline server_side_encryption_configuration
# (and acl) arguments on aws_s3_bucket are deprecated; default encryption is
# configured through this separate resource that references the bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      # Use "aws:kms" plus kms_master_key_id for SSE-KMS.
      sse_algorithm = "AES256"
    }
  }
}

Replace <YOUR-BUCKET-NAME> with the desired name of your S3 bucket.
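As an added example (not code from the original page), the following Python script audits a set of buckets for the misconfiguration above and generates the remediation document for either algorithm. The audit runs offline on constructed API responses embedded in the script; only remediate_live() calls AWS through boto3, and the bucket name and KMS key ARN in it are placeholders, not real resources.

```python
"""Audit and remediate S3 default encryption (added example, not from the page)."""
from typing import Optional

# Constructed samples shaped like `aws s3api get-bucket-encryption` output.
SAMPLE_SSE_S3 = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}
# Hypothetical key ARN for illustration; replace with a key in your account.
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_SSE_KMS = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": EXAMPLE_KEY_ARN,
            },
            "BucketKeyEnabled": True,
        }]
    }
}
# Error code S3 returns instead of an empty configuration when no default is set.
NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"


def classify_encryption(response: Optional[dict]) -> str:
    """Return 'none', 'sse-s3' or 'sse-kms' for a GetBucketEncryption response.

    None stands in for the NOT_FOUND error: the API raises rather than returning
    an empty rule list, which is the case an auditor most easily gets wrong.
    """
    if response is None:
        return "none"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm == "aws:kms":
            return "sse-kms"
        if algorithm == "AES256":
            return "sse-s3"
    return "none"


def build_encryption_config(kms_key_id: Optional[str] = None, bucket_key: bool = True) -> dict:
    """Build the document passed as --server-side-encryption-configuration.

    Without a key ID this is the SSE-S3 rule from the page; with one it becomes
    SSE-KMS, and BucketKeyEnabled lets S3 derive data keys locally instead of
    calling KMS for every object, which reduces cost and KMS throttling.
    """
    default = {"SSEAlgorithm": "AES256"}
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if kms_key_id:
        default["SSEAlgorithm"] = "aws:kms"
        default["KMSMasterKeyID"] = kms_key_id
        rule["BucketKeyEnabled"] = bucket_key
    return {"Rules": [rule]}


def unencrypted_buckets(responses: dict) -> list:
    """Given {bucket: response-or-None}, return the buckets with no default encryption."""
    return sorted(name for name, resp in responses.items() if classify_encryption(resp) == "none")


def objects_without_sse(head_responses: dict) -> list:
    """Given {key: HeadObject response}, return keys stored without server-side encryption.

    Default encryption covers only objects written after it is enabled, so keys
    returned here still need a copy-in-place with an encryption header.
    """
    return sorted(key for key, head in head_responses.items() if "ServerSideEncryption" not in head)


def remediate_live(bucket: str, kms_key_id: Optional[str] = None) -> str:
    """Network path: read the bucket's configuration, set a default if absent, read it back."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        current = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != NOT_FOUND:
            raise
        current = None
    state = classify_encryption(current)
    if state == "none":
        s3.put_bucket_encryption(
            Bucket=bucket,
            ServerSideEncryptionConfiguration=build_encryption_config(kms_key_id),
        )
        # Verify by reading back rather than trusting the write.
        state = classify_encryption(s3.get_bucket_encryption(Bucket=bucket))
    return state


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    inventory = {"logs-bucket": None, "data-bucket": SAMPLE_SSE_S3, "secrets-bucket": SAMPLE_SSE_KMS}
    print("buckets lacking default encryption:", unencrypted_buckets(inventory))
    print("SSE-KMS remediation document:", build_encryption_config(EXAMPLE_KEY_ARN))
```

The error-code branch is the detail worth copying: a bucket with no default encryption does not return an empty rule list, it raises ServerSideEncryptionConfigurationNotFoundError, and a scanner that treats any exception as "unknown" will silently skip exactly the buckets it should flag. The same read-back can be done by hand with the get-bucket-encryption CLI subcommand after applying the put-bucket-encryption command above.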


Enable default server-side encryption on every S3 bucket. Note that default encryption applies only to objects written after it is set; objects already in the bucket keep whatever encryption they were uploaded with and must be copied in place (for example with an S3 Batch Operations copy job) to be encrypted. Confirm the change by reading the bucket's encryption configuration back rather than trusting that the write succeeded, and where SSE-KMS is required, add a bucket policy that denies PutObject requests whose x-amz-server-side-encryption header does not name the expected algorithm, so that clients cannot fall back to a weaker option than the bucket requires.