[S3.4]

S3 buckets should have server-side encryption enabled

Description

All S3 buckets must have server-side encryption enabled. Amazon S3 encrypts each object with a unique key and then encrypts that key itself, which adds a layer of protection for sensitive data at rest. This rule is COMPLIANT if your S3 buckets are configured to use server-side encryption.

Details

| Property | Value |
|---|---|
| Category | Protect > Data protection > Encryption of data at rest |
| Compliance Control ID | S3.4 |
| FortifyFox ID | FF100049 |
| Link | S3.4 Compliance |
| Resource Type(s) | AWS::S3::Bucket |
| Severity | Medium |
| Parameters | SSEAlgorithm |
| Value | String ("AES256" or "aws:kms") |

Remediation

Use one of the following CloudFormation templates to deploy an S3 bucket that is compliant with S3.4.

YAML Template

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

JSON Template

{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }
      }
    }
  }
}
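To see how the S3.4 check behaves against a template before it is deployed, the following added example (not part of the FortifyFox page or its tooling) evaluates every AWS::S3::Bucket resource in a parsed CloudFormation template against the rule above: BucketEncryption must be present, ServerSideEncryptionConfiguration must be a list of rules, and each rule's SSEAlgorithm must be "AES256" or "aws:kms". The function names and the sample template are constructed for this example; the resource type and property names are the real CloudFormation ones. It uses only the standard library and makes no AWS calls.

```python
"""Evaluate AWS::S3::Bucket resources in a CloudFormation template (JSON form,
parsed into a dict) against control S3.4.

Added example for this page, not FortifyFox code: function names and the
sample template are constructed; resource/property names are CloudFormation's.
"""

import json

# Allowed values for the SSEAlgorithm parameter listed in the Details table.
ALLOWED_SSE_ALGORITHMS = {"AES256", "aws:kms"}


def evaluate_bucket(properties):
    """Return (status, reason) for one AWS::S3::Bucket Properties block."""
    enc = (properties or {}).get("BucketEncryption")
    if not isinstance(enc, dict):
        return "NON_COMPLIANT", "BucketEncryption is not set"
    rules = enc.get("ServerSideEncryptionConfiguration")
    # CloudFormation expects a list of rules here; a bare object is a
    # template error, so it is reported as non-compliant rather than guessed at.
    if not isinstance(rules, list) or not rules:
        return "NON_COMPLIANT", "ServerSideEncryptionConfiguration must be a non-empty list"
    for rule in rules:
        default = rule.get("ServerSideEncryptionByDefault") if isinstance(rule, dict) else None
        if not isinstance(default, dict):
            return "NON_COMPLIANT", "rule lacks ServerSideEncryptionByDefault"
        algo = default.get("SSEAlgorithm")
        if algo not in ALLOWED_SSE_ALGORITHMS:
            return "NON_COMPLIANT", f"unsupported SSEAlgorithm {algo!r}"
        if algo == "aws:kms" and not default.get("KMSMasterKeyID"):
            # Still compliant with S3.4 (the AWS-managed S3 key is used), but
            # surfaced so reviewers can see no customer-managed key is pinned.
            return "COMPLIANT", "aws:kms without KMSMasterKeyID (AWS-managed key)"
    return "COMPLIANT", "server-side encryption enabled"


def evaluate_template(template):
    """Map each AWS::S3::Bucket logical ID to its (status, reason)."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            results[logical_id] = evaluate_bucket(resource.get("Properties"))
    return results


# Constructed sample template: the page's compliant remediation bucket, a bucket
# with no encryption block, a bucket with an unsupported algorithm, and a
# non-bucket resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
          ]
        }
      }
    },
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "LegacyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "rc4"}}
          ]
        }
      }
    },
    "Role": {"Type": "AWS::IAM::Role", "Properties": {}}
  }
}
""")

if __name__ == "__main__":
    for name, (status, reason) in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status} ({reason})")
```

Running the block prints one line per bucket; only `S3Bucket` comes back COMPLIANT. Feeding it the JSON form of the remediation template above gives the same verdict, and passing `ServerSideEncryptionConfiguration` as a single object instead of a list is reported as non-compliant, which is how a template with that mistake would fail in practice.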