
Triage S3 Buckets should use encryption DEFAULT_ENCRYPTION_DISABLED

DEFAULT_ENCRYPTION_DISABLED

Understand

Why should I care about fixing this issue? Default encryption ensures that all data stored in the bucket is encrypted at rest, protecting it from unauthorized access and complying with security best practices.

Validate

How am I sure that this alert is true and accurate? The alert is based on the absence of a server-side encryption rule for the bucket. Verify manually by checking the encryption settings in the AWS S3 console or using the AWS CLI.

What is the data source for this policy? The policy uses the AWS S3 API to retrieve encryption settings.

How do I retrieve it manually? Use the AWS S3 console or the following AWS CLI command:

aws s3api get-bucket-encryption --bucket <bucket-name>

Does this policy scan on a schedule or is it reactive? If so, when? This policy is reactive: it is evaluated whenever the bucket's configuration changes.

Triage

What is the impact if it is unfixed? Unencrypted data is vulnerable to unauthorized access and potential data breaches.

Does this problem get worse over time if it is unaddressed? The risk does not grow, but it stays significant, because the data stays unprotected for as long as default encryption is missing.

Can remediation cause outages or downtime to any other running service? Enabling encryption should not cause downtime but may impact performance during initial encryption.

Act

What do I do to fix this alarm? Enable default encryption for the S3 bucket using the AWS S3 console or the AWS CLI:
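The following Python helper is an added example, not part of this triage guide or of the policy engine: it classifies a get-bucket-encryption response the way this violation is defined (no server-side encryption rule present) and builds the put-bucket-encryption payload for the fix. The function names are my own; `evaluate` and `remediation_config` run offline, while `triage_bucket` assumes boto3 and AWS credentials. Note that default encryption covers only objects written after it is enabled; objects already in the bucket are not re-encrypted.

```python
"""Classify and remediate the DEFAULT_ENCRYPTION_DISABLED finding (added example)."""
from typing import Optional
# Error code the S3 API returns when a bucket has no default encryption rule.
NOT_FOUND_CODE = "ServerSideEncryptionConfigurationNotFoundError"
VIOLATION = "DEFAULT_ENCRYPTION_DISABLED"
VALID_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")


def evaluate(config: Optional[dict]) -> dict:
    """Classify a get-bucket-encryption response (None = the call raised NOT_FOUND_CODE)."""
    if config is None:
        return {"violation": VIOLATION, "algorithm": None, "kms_key": None}
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algorithm = default.get("SSEAlgorithm")
        if algorithm in VALID_ALGORITHMS:
            return {"violation": None, "algorithm": algorithm,
                    "kms_key": default.get("KMSMasterKeyID")}
    # A configuration without a usable rule is treated like a missing one.
    return {"violation": VIOLATION, "algorithm": None, "kms_key": None}


def remediation_config(kms_key_id: Optional[str] = None) -> dict:
    """Build the ServerSideEncryptionConfiguration for put-bucket-encryption:
    SSE-S3 (AES256) by default, SSE-KMS when a key id or ARN is supplied.
    Only objects written after the rule is applied are covered; existing
    objects are not re-encrypted."""
    default = {"SSEAlgorithm": "aws:kms" if kms_key_id else "AES256"}
    if kms_key_id:
        default["KMSMasterKeyID"] = kms_key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default,
                       "BucketKeyEnabled": bool(kms_key_id)}]}


def triage_bucket(bucket: str, kms_key_id: Optional[str] = None, fix: bool = False) -> dict:
    """Read the live setting with boto3 (imported lazily so the helpers above run offline)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        config = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != NOT_FOUND_CODE:
            raise
        config = None
    result = evaluate(config)
    if fix and result["violation"]:
        s3.put_bucket_encryption(Bucket=bucket,
                                 ServerSideEncryptionConfiguration=remediation_config(kms_key_id))
    return result
```

Run `triage_bucket("<bucket-name>")` to reproduce the finding, and `triage_bucket("<bucket-name>", fix=True)` to apply the default-encryption rule the Act section describes.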