[S3.4]
S3 buckets should have server-side encryption enabled
Description
All S3 buckets must have server-side encryption enabled. Amazon S3 encrypts each object with a unique key and then encrypts that key itself, which strengthens the protection of your sensitive data at rest. This rule is COMPLIANT if your S3 buckets are configured to use server-side encryption.
Details
| Property | Value |
|---|---|
| Category | Protect > Data protection > Encryption of data at rest |
| Compliance Control ID | S3.4 |
| FortifyFox ID | FF100049 |
| Link | S3.4 Compliance |
| Resource Type(s) | AWS::S3::Bucket |
| Severity | Medium |
| Parameters | SSEAlgorithm |
| Value | String ("AES256" or "aws:kms") |
Remediation
Use either of the following CloudFormation templates to deploy an S3 bucket that is compliant with S3.4.
YAML Template

```yaml
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
```
JSON Template

```json
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }
      }
    }
  }
}
```
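The following Python is an added example of how the S3.4 check can be evaluated offline, both against a CloudFormation template (the shape shown in the templates above) and against the dictionary that boto3's `get_bucket_encryption()` returns; it is not FortifyFox's own rule code. The sample template, the API response, the logical IDs and the `alias/placeholder-key` KMS alias are constructed for the example, and the optional `required` argument stands in for the rule's `SSEAlgorithm` parameter.

```python
import json

# Algorithms the S3.4 control accepts for the SSEAlgorithm parameter.
SSE_ALGORITHMS = {"AES256", "aws:kms"}

# Constructed sample template: one compliant bucket, one bucket whose
# ServerSideEncryptionConfiguration is an object instead of the required list,
# one bucket with no BucketEncryption at all, and one non-bucket resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "alias/placeholder-key"}}
          ]
        }
      }
    },
    "MalformedBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": {
            "ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}
          }
        }
      }
    },
    "NoEncryptionBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}}
  }
}
""")

# Constructed sample in the shape returned by boto3 s3.get_bucket_encryption().
SAMPLE_API_RESPONSE = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
             "BucketKeyEnabled": False}
        ]
    }
}


def _rule_algorithms(rules):
    """Yield the SSEAlgorithm of each rule in a list of encryption rules.

    Accepts the CloudFormation key (ServerSideEncryptionByDefault) and the
    GetBucketEncryption API key (ApplyServerSideEncryptionByDefault). Anything
    that is not a list (missing, or a bare object) yields nothing, so the
    caller treats it as unencrypted.
    """
    if not isinstance(rules, list):
        return
    for rule in rules:
        if not isinstance(rule, dict):
            continue
        default = (rule.get("ServerSideEncryptionByDefault")
                   or rule.get("ApplyServerSideEncryptionByDefault"))
        if isinstance(default, dict) and "SSEAlgorithm" in default:
            yield default["SSEAlgorithm"]


def is_compliant(algorithms, required=None):
    """True when at least one rule exists and every rule uses an accepted
    algorithm (or exactly the algorithm named by the rule parameter)."""
    algs = list(algorithms)
    if not algs:
        return False
    if required is not None:
        return all(alg == required for alg in algs)
    return all(alg in SSE_ALGORITHMS for alg in algs)


def evaluate_template(template, required=None):
    """Map each AWS::S3::Bucket logical ID to COMPLIANT / NON_COMPLIANT."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration")
        ok = is_compliant(_rule_algorithms(rules), required)
        results[logical_id] = "COMPLIANT" if ok else "NON_COMPLIANT"
    return results


def evaluate_api_response(response, required=None):
    """Evaluate a get_bucket_encryption() response dict. A bucket with no
    configuration makes boto3 raise ServerSideEncryptionConfigurationNotFoundError;
    callers should catch that and pass an empty dict here."""
    rules = (response.get("ServerSideEncryptionConfiguration") or {}).get("Rules")
    ok = is_compliant(_rule_algorithms(rules), required)
    return "COMPLIANT" if ok else "NON_COMPLIANT"


if __name__ == "__main__":
    print(evaluate_template(SAMPLE_TEMPLATE))
    print(evaluate_template(SAMPLE_TEMPLATE, required="AES256"))
    print(evaluate_api_response(SAMPLE_API_RESPONSE))
```

Pass `required="AES256"` or `required="aws:kms"` to mirror setting the rule's `SSEAlgorithm` parameter; with no parameter, either algorithm is accepted. The malformed object form is reported as NON_COMPLIANT rather than crashing the check, because a template that CloudFormation would reject cannot be relied on to encrypt anything.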