Check if S3 buckets have KMS encryption enabled.

s3_bucket_kms_encryption

Severity: medium
Service: s3
by Prowler

Risk

Amazon S3 server-side encryption with AWS KMS (SSE-KMS) sets the default encryption behavior for a bucket so that every new object is encrypted at rest with a KMS key, either the AWS managed key aws/s3 or a customer managed key. Compared with SSE-S3 (AES256), a customer managed key lets you restrict who can decrypt the data through the key policy, rotate the key on your own schedule, and audit every use of the key in CloudTrail. Without SSE-KMS as the default, objects are protected only by S3 managed keys, and access to the data is governed by bucket and IAM policies alone. Note that a default encryption rule applies only to objects written after it is set; existing objects keep whatever encryption they were uploaded with.

Run this check with Prowler CLI

prowler aws --checks s3_bucket_kms_encryption

ARN template
arn:partition:s3:::bucket_name

Recommendation

Ensure that S3 buckets have encryption at rest enabled using KMS.

Remediation

CLI

aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_ID>"}}]}'

The command lives under the s3api subcommand (the high-level aws s3 group has no put-bucket-encryption). Before applying it, make sure the key policy of <KEY_ID> grants kms:GenerateDataKey and kms:Decrypt to every principal that writes to or reads from the bucket, including cross-account and service principals; otherwise uploads and downloads start failing with AccessDenied once the default takes effect.
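To verify the remediation, or to run the same evaluation across an account, the following script reproduces the intent of this check. It is an added example, not Prowler's source code: the function names, the Finding class and the sample configurations are this example's own assumptions, and the samples are constructed to match the shape of the s3api get-bucket-encryption response rather than taken from a real account. The decision logic runs offline; only scan_account needs boto3 and AWS credentials.

```python
"""Evaluate S3 default-encryption configurations for SSE-KMS.

Added example, not Prowler's own source. The function names, the
Finding class and the SAMPLES below are assumptions of this example;
the samples are constructed to match the shape of the
s3api get-bucket-encryption response.
"""
from dataclasses import dataclass
from typing import Optional

# SSEAlgorithm values that mean a KMS key protects the object data.
# "aws:kms:dsse" is dual-layer SSE-KMS; both are KMS-backed.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


@dataclass
class Finding:
    bucket: str
    status: str  # "PASS" or "FAIL"
    reason: str
    key_id: Optional[str] = None


def evaluate_bucket(bucket: str, config: Optional[dict]) -> Finding:
    """Classify one bucket from its get-bucket-encryption response.

    `config` is the dict returned by get-bucket-encryption, or None when
    the API raised ServerSideEncryptionConfigurationNotFoundError (no
    explicit default rule; S3 then applies SSE-S3 to new objects).
    """
    if not config:
        return Finding(bucket, "FAIL", "no default encryption configuration")

    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm in KMS_ALGORITHMS:
            # KMSMasterKeyID is optional: when absent S3 uses the AWS managed
            # key aws/s3, which is still KMS encryption but gives you no
            # control over the key policy.
            key_id = default.get("KMSMasterKeyID")
            if key_id is None:
                reason = f"default {algorithm} with AWS managed key aws/s3"
            else:
                reason = f"default {algorithm} with key {key_id}"
            return Finding(bucket, "PASS", reason, key_id)
        if algorithm == "AES256":
            return Finding(bucket, "FAIL",
                           "default encryption is SSE-S3 (AES256), not KMS")
    return Finding(bucket, "FAIL",
                   "encryption rules present but none set a default algorithm")


def scan_account(region_name: str = "us-east-1") -> list:
    """Run evaluate_bucket over every bucket visible to the caller.

    Needs boto3 and AWS credentials; imported lazily so that the pure
    evaluation logic above runs without them.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=region_name)
    findings = []
    for b in s3.list_buckets().get("Buckets", []):
        name = b["Name"]
        try:
            config = s3.get_bucket_encryption(Bucket=name)
        except ClientError as exc:
            code = exc.response["Error"]["Code"]
            if code != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            config = None
        findings.append(evaluate_bucket(name, config))
    return findings


# Constructed sample responses (example account ID and key ID, not real).
SAMPLES = {
    "logs-kms": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/"
                              "1234abcd-12ab-34cd-56ef-1234567890ab"},
        "BucketKeyEnabled": True}]}},
    "static-site-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy-no-config": None,
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        f = evaluate_bucket(name, cfg)
        print(f"{f.status:4} {f.bucket}: {f.reason}")
```

After running the remediation command you can confirm the result for a single bucket with aws s3api get-bucket-encryption --bucket <BUCKET_NAME> and feed the JSON to evaluate_bucket, or call scan_account to evaluate every bucket the credentials can see. A PASS with key_id None means the bucket relies on the AWS managed key aws/s3; if you need a controllable key policy, set KMSMasterKeyID to a customer managed key.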

Resource Type

AwsS3Bucket