CloudWiki
Rules
Medium

Ensure data stored in the S3 bucket is securely encrypted at rest

Security & Compliance
CIS
SOC2
PCI-DSS
GDPR
APRA
MAS
NIST4
AWS Well-Architected Framework
HIPAA
CISAWSF
NIST 800-53
HITRUST
AWS Foundational Security Best Practices Controls
CSA CCM
Description

To have greater control over the encryption and decryption process of your Amazon S3 data-at-rest, make sure to use Server-Side Encryption with customer-provided Customer Master Keys (CMKs) instead of S3-Managed Keys (SSE-S3). This allows you to set your own encryption keys and restrict access to your data. AWS Key Management Service (KMS) provides an easy way to create, rotate, disable, and audit Customer Master Keys (CMKs) for Amazon S3. To enable Server-Side Encryption with customer-provided keys by default, ensure that your Amazon S3 buckets are configured to use this encryption method. This will automatically encrypt any new objects with the specified Customer Master Key (CMK). You can also specify an existing KMS CMK in the rule settings on the Trend Micro Cloud One™ – Conformity dashboard, which is useful if your organization has strict regulatory requirements regarding S3 Server-Side Encryption.

Remediation

To ensure that data stored in an Amazon S3 bucket is securely encrypted at rest, follow these remediation steps:

  1. Ensure that Server-Side Encryption (SSE) is enabled for your S3 bucket.
  2. Choose the Server-Side Encryption with Customer-Provided Keys (SSE-C) option.
  3. Use AWS Key Management Service (KMS) to create a Customer Master Key (CMK).
  4. Grant the appropriate IAM permissions to the KMS CMK.
  5. Configure your S3 bucket to use the KMS CMK for Server-Side Encryption.
  6. Set the default encryption option to use the KMS CMK.
  7. Optionally, specify an existing KMS CMK in the rule settings on your compliance dashboard.

By following these steps, you can ensure that all data stored in your S3 bucket is encrypted using the customer-provided CMK, giving you full control over who can access the data.

Enforced Resources
S3 Bucket
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.