Ensure that S3 Buckets are encrypted with CMK

Ensure that S3 Buckets have server-side encryption at rest enabled, and are using customer-managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.03
Covered by Spectral: Yes
Category: Storage


S3Bucket should have encryption.serverSideEncryptionRules contain [ getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('isCustomerManaged') and getResource('KMS', serverSideEncryptionByDefault.serverSideEncryptionKeyManagementServiceKeyId) getValue('enabled') ]


From Portal

  1. Go to 'S3'
  2. For each incompliant S3 Bucket:
  3. Go to the 'Properties' tab
  4. Under 'Default encryption', choose 'Edit'
  5. Make sure 'Server-side encryption' is set to 'Enable'
  6. Set 'Encryption key type' to 'AWS Key Management Service key'
  7. Configure your AWS KMS CMK key
  8. Save changes

From TF
To use kms key encryption for s3 bucket, use following configuration:

resource "aws_s3_bucket" "example_bucket" {
	server_side_encryption_configuration {
		rule {
			apply_server_side_encryption_by_default {
				kms_master_key_id = KMS_CMK_ARN
				sse_algorithm     = "aws:kms"

From Command Line
To enable kms key encryption for s3 bucket, run:

aws s3api aws s3api put-bucket-encryption --bucket BUCKET-NAME --server-side-encryption-configuration ENCRYPTION-CONFIGURATION


  1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
  2. https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-encryption.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS Dashboard System Ruleset
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Dashboards