AWS Config Rule: S3 Bucket Server Side Encryption Enabled

S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED

Fernando Honig

Last update: 9 months ago

Description: Checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption that uses AES-256 or AWS Key Management Service. The rule is NON_COMPLIANT if your Amazon S3 bucket is not encrypted by default.


Trigger type: Configuration changes


AWS Region: All supported AWS Regions except Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), and Europe (Zurich)


How to Resolve Manually 

Similar to the article on Default Encryption, this rule is easy to resolve for your S3 bucket: open the bucket's Properties tab and make sure that Default Encryption is enabled. With Default Encryption on, objects written to the bucket are encrypted with the Amazon S3 managed key (SSE-S3).


How to Resolve with StackZone

By enabling the Remediation for this AWS Config Rule with StackZone, we will automatically run an SSM Document against all resources which are marked as NON_COMPLIANT by this rule.


The SSM Document will modify your S3 buckets to ensure that bucket encryption is enabled. The encryption method applied is the Amazon S3-managed key (SSE-S3).
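The rule logic described above (compliant when default encryption is on, or when the bucket policy denies PutObject requests without AES256 / aws:kms encryption) and the SSE-S3 remediation target, shown as an added offline example; this is not StackZone's SSM Document or AWS's rule code. The bucket name, the sample policy and the accepted policy condition shapes (StringNotEquals on the SSE header, or a Null condition on it) are assumptions, and the inputs mirror the shapes returned by GetBucketEncryption and GetBucketPolicy.

```python
import json
from typing import Optional

ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}  # SSE-S3 and SSE-KMS, as named by the rule

# Constructed sample inputs (not from a real account).
SSE_S3_DEFAULT = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
DENY_UNENCRYPTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",  # hypothetical bucket
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def has_default_encryption(encryption_config: Optional[dict]) -> bool:
    """True if any default-encryption rule uses an algorithm the rule accepts."""
    rules = (encryption_config or {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ALLOWED_ALGORITHMS for r in rules)

def policy_denies_unencrypted_puts(policy_json: Optional[str]) -> bool:
    """True if a Deny statement covers s3:PutObject and keys on the SSE request header."""
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        not_eq = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if not_eq and set(_as_list(not_eq)) <= ALLOWED_ALGORITHMS:
            return True  # denies any PutObject whose SSE header is not an accepted algorithm
        null = cond.get("Null", {}).get("s3:x-amz-server-side-encryption")
        if null is not None and str(null).lower() == "true":
            return True  # denies any PutObject that omits the SSE header entirely
    return False

def evaluate(encryption_config: Optional[dict], policy_json: Optional[str]) -> str:
    """Mirror the rule: either control present -> COMPLIANT, otherwise NON_COMPLIANT."""
    if has_default_encryption(encryption_config) or policy_denies_unencrypted_puts(policy_json):
        return "COMPLIANT"
    return "NON_COMPLIANT"

def sse_s3_remediation_config() -> dict:
    """ServerSideEncryptionConfiguration body for PutBucketEncryption, matching the SSE-S3 target."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
```

Feeding `sse_s3_remediation_config()` back into `evaluate` shows the remediated bucket becomes COMPLIANT even with no bucket policy.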


To enable this, head on over to Baseline Services -> Config Rules Regional -> S3 Bucket Server Side Encryption Remediation and enable the remediation.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our How It Works section, with easy-to-follow videos, or just create your own StackZone account here.
