lacework-global-217

Ensure the S3 bucket has default server-side encryption enabled

Description

With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket to encrypt all new objects stored in the bucket. The encryption is server-side encryption with either Amazon S3 managed keys (SSE-S3) or AWS Key Management Service (KMS) keys stored in KMS (SSE-KMS).

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance.

Remediation

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Buckets list, select the bucket.

  3. Click Properties.

  4. Under Default encryption, click Edit.

  5. Select an encryption key type.

  6. If using SSE-KMS, choose a key, enter a key Amazon Resource Name (ARN), or select to create a new key.

  7. Click Save changes.
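The console steps above fix one bucket at a time. The following added example (written for this page, not Lacework's or AWS's own code) shows how the same check and remediation look against the S3 API: it evaluates GetBucketEncryption responses (including the no-configuration case, which the API reports as a ServerSideEncryptionConfigurationNotFoundError) and builds the PutBucketEncryption payload that corresponds to steps 5 and 6. The response shapes follow the AWS API documentation linked below; the bucket names, account ID and KMS key ARN are constructed sample values, and boto3 is assumed only where a client is passed in.

```python
"""Audit S3 buckets for an explicit default server-side encryption configuration
and build the PutBucketEncryption payload used to remediate.

Added example: assumes the documented response shape of the S3
GetBucketEncryption / PutBucketEncryption APIs. Bucket names, account ID and
key ARN below are constructed sample values."""
from typing import Any, Dict, List, Optional

# The two algorithms this policy accepts: SSE-S3 ("AES256") and SSE-KMS ("aws:kms").
ACCEPTED_ALGORITHMS = {"AES256", "aws:kms"}


def evaluate_bucket(bucket: str, response: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Return a finding for one bucket. `response` is the GetBucketEncryption
    result, or None when the API reported no configuration at all."""
    finding: Dict[str, Any] = {"bucket": bucket, "compliant": False,
                               "algorithm": None, "kms_key": None, "reason": ""}
    if response is None:
        finding["reason"] = "no default encryption configuration on bucket"
        return finding
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algorithm = default.get("SSEAlgorithm")
        if algorithm in ACCEPTED_ALGORITHMS:
            finding.update(compliant=True, algorithm=algorithm,
                           kms_key=default.get("KMSMasterKeyID"),
                           reason="default encryption enabled")
            return finding
    finding["reason"] = "configuration present but no rule applies SSE-S3 or SSE-KMS"
    return finding


def build_encryption_config(algorithm: str, kms_key_arn: Optional[str] = None,
                            bucket_key_enabled: bool = True) -> Dict[str, Any]:
    """Build the ServerSideEncryptionConfiguration for PutBucketEncryption.
    For SSE-KMS the key is optional (S3 falls back to the AWS managed aws/s3 key),
    and BucketKeyEnabled reduces KMS request volume for SSE-KMS buckets."""
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"unsupported SSEAlgorithm: {algorithm}")
    default: Dict[str, Any] = {"SSEAlgorithm": algorithm}
    rule: Dict[str, Any] = {"ApplyServerSideEncryptionByDefault": default}
    if algorithm == "aws:kms":
        if kms_key_arn:
            default["KMSMasterKeyID"] = kms_key_arn
        rule["BucketKeyEnabled"] = bucket_key_enabled
    return {"Rules": [rule]}


def fetch_encryption(s3_client: Any, bucket: str) -> Optional[Dict[str, Any]]:
    """Read the live configuration through a boto3 S3 client supplied by the
    caller (boto3 is not imported here). botocore raises ClientError whose
    response code is ServerSideEncryptionConfigurationNotFoundError when nothing
    is configured; that case is mapped to None so evaluate_bucket() flags it."""
    try:
        return s3_client.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore.exceptions.ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise


def remediate(s3_client: Any, bucket: str, config: Dict[str, Any]) -> None:
    """Apply a configuration built by build_encryption_config() to a bucket."""
    s3_client.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=config)


def audit(responses: Dict[str, Optional[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Evaluate a mapping of bucket name -> GetBucketEncryption response (or None)."""
    return [evaluate_bucket(name, resp) for name, resp in responses.items()]


# Constructed sample responses covering the cases an auditor meets in practice.
SAMPLE_RESPONSES: Dict[str, Optional[Dict[str, Any]]] = {
    "app-logs-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "finance-sse-kms": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            # constructed sample ARN, not a real key
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]}},
    "misconfigured-empty-rules": {"ServerSideEncryptionConfiguration": {"Rules": []}},
    "legacy-no-config": None,  # API raised ServerSideEncryptionConfigurationNotFoundError
}

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['bucket']}: {f['reason']} (algorithm={f['algorithm']})")
```

A missing configuration is reported as a finding even though, as noted above, S3 now applies SSE-S3 as a base level for every bucket: the policy checks for an explicit setting, and buckets that hold data requiring customer-managed KMS keys need the SSE-KMS rule set deliberately rather than inherited. To run this against real buckets, list them with a boto3 client, call fetch_encryption() for each, and pass the results to audit().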

References

https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html