This check verifies that Amazon S3 buckets use server-side encryption with AWS KMS keys (SSE-KMS), including dual-layer encryption (aws:kms:dsse). A bucket passes when its default encryption algorithm is aws:kms or aws:kms:dsse, and fails when it relies on SSE-S3 (AES256) instead.
Risk
Without KMS-based encryption, data relies only on SSE-S3, reducing the confidentiality controls available. Missing key policies and grants weaken least privilege, cross-account scoping, and the ability to disable or rotate keys. The lack of a KMS audit trail obscures key usage, hindering detection of misuse and weakening defense in depth.
prowler aws --checks s3_bucket_kms_encryption
Recommendation
Enable default SSE-KMS (or DSSE-KMS for highly sensitive data). Use a customer-managed key, enforce least privilege and separation of duties for key usage, and require KMS encryption via bucket policy (specify aws:kms and a designated key). Monitor key activity in CloudTrail and consider S3 Bucket Keys to control cost.
Remediation
aws s3api put-bucket-encryption --bucket <BUCKET_NAME> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}'
- In the AWS Console, go to S3 and open the target bucket
- Select the Properties tab
- Under Default encryption, click Edit
- Choose Server-side encryption with AWS KMS keys (SSE-KMS)
- Leave AWS managed key (aws/s3) selected (or choose your CMK if required)
- Click Save changes
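The following is an added example, not Prowler's own check code: it classifies a get-bucket-encryption response the way the check above does (aws:kms and aws:kms:dsse pass, anything else fails) and builds the bucket policy the recommendation asks for, denying uploads that do not request SSE-KMS with the designated key. The bucket name and key ARN in the usage section are constructed placeholders; the condition keys are the real S3 ones.

```python
import json
from typing import Optional, Tuple

# SSEAlgorithm values the check treats as compliant (SSE-KMS and DSSE-KMS).
KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")


def evaluate_default_encryption(config: Optional[dict]) -> Tuple[str, str]:
    """Classify a ServerSideEncryptionConfiguration dict as returned by
    `aws s3api get-bucket-encryption`. Pass None when the bucket has no default
    rule (the API raises ServerSideEncryptionConfigurationNotFoundError then)."""
    if not config:
        return "FAIL", "no default encryption configured"
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo in KMS_ALGORITHMS:
            key = default.get("KMSMasterKeyID", "aws/s3 (AWS managed key)")
            return "PASS", f"{algo} with key {key}"
        if algo:
            return "FAIL", f"{algo} is not SSE-KMS"
    return "FAIL", "encryption rule has no SSEAlgorithm"


def kms_enforcing_policy(bucket: str, key_arn: str) -> dict:
    """Bucket policy from the recommendation: deny PutObject unless the request
    asks for SSE-KMS/DSSE-KMS and names key_arn. Uploaders must send the
    x-amz-server-side-encryption headers explicitly for a request to pass."""
    objects = f"arn:aws:s3:::{bucket}/*"
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": objects}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {**deny, "Sid": "DenyNonKmsUploads", "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": list(KMS_ALGORITHMS)}}},
            {**deny, "Sid": "DenyMissingEncryptionHeader", "Condition": {
                "Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {**deny, "Sid": "DenyOtherKmsKeys", "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
        ],
    }


if __name__ == "__main__":
    # Constructed sample: what get-bucket-encryption returns after the remediation command above.
    sample = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
    print(evaluate_default_encryption(sample))
    # Constructed placeholder bucket name and key ARN.
    print(json.dumps(kms_enforcing_policy("example-bucket", "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID"), indent=2))
```

Attach the generated policy with `aws s3api put-bucket-policy`; the first two statements cover the aws:kms requirement, the third pins the key.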
Source Code
Resource Type
AwsS3Bucket
References
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement-staging/knowledge-base/aws/S3/encrypted-with-kms-customer-master-keys.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html