Ensure all S3 buckets employ encryption-at-rest

Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest. Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.CFT.CRY.01
Covered by Spectral: Yes
Category: Storage


AWS_S3_Bucket should have BucketEncryption


From CFT
Set AWS::S3::Bucket BucketEncryption property


  1. https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
  2. https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CloudFormation ruleset