Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.65
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket should not have encryption.serverSideEncryptionRules isEmpty()

REMEDIATION

From Portal

Go to 'S3'
For each incompliant S3 Bucket:
Go to the 'Properties' tab
Under 'Default encryption', choose 'Edit'
Enable and set 'Server-side encryption' and set encryption
Save changes

From TF
To configure encryption for an S3 Bucket, set the 'aws_s3_bucket_server_side_encryption_configuration' block:

resource "aws_s3_bucket_server_side_encryption_configuration" "example_encryption_configuration" {
	bucket = S3-BUCKET-REFERENCE
	..
	rule {
		apply_server_side_encryption_by_default {
			...
		}
	}
	..
}

From Command Line
To configure encryption for an S3 Bucket, use:

aws s3api put-bucket-encryption --bucket BUCKET-NAME --server-side-encryption-configuration JSON-CONFIGURATION

References

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

AWS CCPA Framework
AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard S3 Bucket Security
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS GDPR Readiness
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset