
Unencrypted S3 bucket can lead to data leak

  • GG_ID: GG_IAC_0008
  • Severity: HIGH
  • Complexity: LOW
  • Categories: PERMISSION
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False

Description#

AWS S3 buckets should have server-side encryption enabled so that stored objects remain protected if the underlying storage, or a backup or copy of it, is reached outside S3's normal authorization path.

There are two types of server-side encryption for Amazon S3 buckets:

  • Server-Side Encryption with Amazon S3-managed keys (SSE-S3)
  • Server-Side Encryption with AWS Key Management Service keys (SSE-KMS)

There are no additional charges with SSE-S3. For SSE-KMS, AWS KMS charges apply. SSE-KMS is nevertheless considered the stronger option: the customer controls the key policy, can enable automatic key rotation, and gets a CloudTrail record of every use of the key. Because reading an SSE-KMS object requires kms:Decrypt on the key in addition to s3:GetObject on the bucket, a principal that has only been granted bucket access cannot read the data. Note that neither mode protects against a principal who is authorized to read the objects, since S3 decrypts transparently for any permitted request; encryption at rest complements bucket policies and Block Public Access rather than replacing them.

Impact#

If bucket permissions are misconfigured, or if the underlying storage media or a copy of it is accessed directly, unencrypted objects are readable by whoever obtains them, resulting in a data leak.

Remediation guidelines#

Enable default encryption on the bucket (SSE-S3 or, preferably, SSE-KMS with a customer-managed key) so that every new object is encrypted at rest without relying on clients to request it. Default encryption applies only to objects written after it is enabled; objects already in the bucket stay unencrypted until they are rewritten (for example, by copying them in place).
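The following Terraform fragment is an added example and is not part of the original GitGuardian page or of any AWS sample. It places the configuration this rule flags (a bucket with no encryption settings) next to the remediated form: a customer-managed KMS key with rotation enabled and an `aws_s3_bucket_server_side_encryption_configuration` resource that makes SSE-KMS the bucket default. The bucket names, the `data_key` and `data_bucket` resource names, and the description strings are placeholders.

```hcl
# Added example (not from the GitGuardian page). Resource names and bucket
# names are placeholders; the resources themselves are the standard AWS
# provider (v4+) resources.

# Weak: nothing in this HCL states how objects at rest are encrypted, which is
# what GG_IAC_0008 reports. Any object a client uploads without an
# x-amz-server-side-encryption header falls back to whatever the account
# default is, and SSE-KMS is never selected.
resource "aws_s3_bucket" "data_bucket_unencrypted" {
  bucket = "example-project-data-unencrypted"
}

# Hardened, step 1: a customer-managed KMS key. Rotation is enabled so the
# backing key material changes yearly without any change to the key ARN.
resource "aws_kms_key" "data_key" {
  description             = "CMK for the example-project data bucket"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Hardened, step 2: the bucket itself. In AWS provider v4+ the encryption
# settings live in a separate resource rather than in an inline block here.
resource "aws_s3_bucket" "data_bucket" {
  bucket = "example-project-data"
}

# Hardened, step 3: default encryption. Every new object is encrypted with
# SSE-KMS under data_key, so reading it requires kms:Decrypt on the key as
# well as s3:GetObject on the bucket. To use SSE-S3 instead, set
# sse_algorithm = "AES256" and omit kms_master_key_id.
resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket" {
  bucket = aws_s3_bucket.data_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data_key.arn
    }
    # S3 Bucket Keys derive per-bucket data keys from the CMK, which cuts the
    # number of KMS requests (and the KMS cost mentioned above) considerably.
    bucket_key_enabled = true
  }
}
```

After `terraform apply`, confirm the setting took effect with `aws s3api get-bucket-encryption --bucket example-project-data`; the response lists the rule's `ApplyServerSideEncryptionByDefault.SSEAlgorithm` (`aws:kms`) and `KMSMasterKeyID`. A bucket with no configuration returns a `ServerSideEncryptionConfigurationNotFoundError`. Since January 2023 S3 applies SSE-S3 to new objects even when no configuration is declared, but stating the configuration explicitly in the IaC keeps the choice reviewable and is the only way to select SSE-KMS.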

External documentation#