Unencrypted S3 bucket can lead to data leak

  • GG_ID: GG_IAC_0008
  • Severity: HIGH
  • Complexity: LOW
  • Categories: PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False


AWS S3 buckets should be encrypted so that the stored data stays protected if access to the bucket or the underlying storage is compromised.

There are two types of server-side encryption for Amazon S3 buckets:

  • Server-Side Encryption with Amazon S3-managed keys (SSE-S3)
  • Server-Side Encryption with AWS Key Management Service keys (SSE-KMS)

There are no additional charges with SSE-S3. For SSE-KMS, AWS KMS charges apply. However, SSE-KMS is considered more secure, since it gives the customer more control over the keys and supports key rotation.


Misconfigured permissions or direct access to the storage drives can lead to a data leak.

Remediation guidelines

Enable default encryption on the bucket.
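The following Terraform configuration is an added example, not GitGuardian's own code: it shows an S3 bucket with no default encryption beside the remediated form, which enables SSE-KMS with a customer-managed key that has automatic rotation turned on (the SSE-S3 variant is noted inline). Bucket names and resource labels are assumptions.

```hcl
# Added example (not GitGuardian's own code). Bucket names and resource
# labels such as "example-data-bucket" are assumptions.

# --- Weak: no default encryption; each object is stored however the ---
# --- uploader chose, which is usually unencrypted.                    ---
resource "aws_s3_bucket" "unencrypted" {
  bucket = "example-data-bucket-unencrypted"
}

# --- Remediated: default encryption with a customer-managed KMS key ---
resource "aws_kms_key" "s3" {
  description         = "Key for S3 default encryption"
  enable_key_rotation = true # AWS rotates the key material automatically
}

resource "aws_s3_bucket" "encrypted" {
  bucket = "example-data-bucket"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "encrypted" {
  bucket = aws_s3_bucket.encrypted.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"           # SSE-KMS; use "AES256" for SSE-S3
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true                 # S3 Bucket Keys cut KMS request charges
  }
}
```

This uses the standalone `aws_s3_bucket_server_side_encryption_configuration` resource introduced in AWS provider v4; older provider versions configured the same setting through an inline `server_side_encryption_configuration` block inside `aws_s3_bucket`. Default encryption applies to objects written after it is enabled, so objects uploaded before the change keep whatever encryption they were stored with and must be re-copied if they need to be covered.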

External documentation