
Check if S3 buckets have KMS encryption enabled.

s3_bucket_kms_encryption

Severity: medium
Service: s3
by Prowler


Risk

Amazon S3 KMS encryption provides a way to set the encryption behavior for an S3 bucket using a managed key. This will ensure data-at-rest is encrypted.

Run this check with Prowler CLI

prowler aws --checks s3_bucket_kms_encryption


ARN template

arn:partition:s3:::bucket_name

Remediation

CLI

aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_ID>"}}]}'
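As an added illustration (not Prowler's own check implementation), the Python below evaluates the condition this check enforces against bucket encryption configurations and builds the document that the remediation command above passes to put-bucket-encryption. The input shape mirrors the ServerSideEncryptionConfiguration returned by `aws s3api get-bucket-encryption`; the bucket names, account id and key id are constructed placeholders, and a bucket with no configuration (the API raises ServerSideEncryptionConfigurationNotFoundError) is represented as None.

```python
"""Evaluate the s3_bucket_kms_encryption condition offline.

Added example, not Prowler's check code. The dictionaries below have the
same shape as the ServerSideEncryptionConfiguration document used by
get-bucket-encryption / put-bucket-encryption; all values are constructed.
"""
import json
from typing import Optional

# SSE-KMS and dual-layer SSE-KMS both satisfy "KMS encryption enabled".
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}

# Constructed sample responses keyed by bucket name (placeholder values).
SAMPLE_BUCKETS = {
    # SSE-S3 (AES256): encrypted at rest, but not with a KMS key -> FAIL
    "example-logs": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                   "BucketKeyEnabled": False}]
    },
    # SSE-KMS with a customer managed key -> PASS
    "example-data": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
                       "SSEAlgorithm": "aws:kms",
                       "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"},
                   "BucketKeyEnabled": True}]
    },
    # No configuration at all (API error case) -> FAIL
    "example-legacy": None,
}


def bucket_default_encryption(config: Optional[dict]) -> dict:
    """Summarise one bucket's default encryption as a PASS/FAIL finding."""
    if not config or not config.get("Rules"):
        return {"status": "FAIL", "algorithm": None, "key": None,
                "reason": "no default encryption configuration"}
    # S3 default encryption honours a single rule; take the first one.
    rule = config["Rules"][0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    key = default.get("KMSMasterKeyID")  # absent => AWS managed key aws/s3
    if algorithm in KMS_ALGORITHMS:
        return {"status": "PASS", "algorithm": algorithm, "key": key,
                "reason": "KMS default encryption enabled"}
    return {"status": "FAIL", "algorithm": algorithm, "key": key,
            "reason": f"default encryption is {algorithm}, not KMS"}


def run_check(buckets: dict) -> list:
    """Run the condition over every bucket and return sorted findings."""
    findings = []
    for name in sorted(buckets):
        finding = bucket_default_encryption(buckets[name])
        finding["bucket"] = name
        findings.append(finding)
    return findings


def remediation_config(key_arn: str) -> dict:
    """Build the --server-side-encryption-configuration document for
    put-bucket-encryption, matching the remediation command on this page."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn}}]}


if __name__ == "__main__":
    for f in run_check(SAMPLE_BUCKETS):
        print(f"{f['status']:4} {f['bucket']:15} {f['reason']}")
    # JSON string ready to paste after --server-side-encryption-configuration
    print(json.dumps(remediation_config(
        "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_ID>")))
```

Against a live account the configuration dictionaries would come from boto3's `get_bucket_encryption` per bucket (catching ServerSideEncryptionConfigurationNotFoundError as the None case); the evaluation logic is unchanged.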

Native IAC

https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/S3/encrypted-with-kms-customer-master-keys.html

Terraform

https://docs.prowler.com/checks/aws/general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default#terraform

Other

https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/S3/encrypted-with-kms-customer-master-keys.html

WUI

Ensure that S3 buckets have encryption at rest enabled using KMS.

Resource Type

AwsS3Bucket
