Non-encrypted confidential information - S3 Server Side Encryption - Cloudformation


Need

Enforcement of Server-Side Encryption for all S3 buckets


Context

  1. Usage of AWS CloudFormation for Infrastructure as Code (IaC)
  2. Ensuring data security in Amazon S3 buckets

Description

Insecure Code Example

Resources:
  InsecureS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket
      AccessControl: Private
      Tags:
        - Key: Name
          Value: MyBucket
        - Key: Environment
          Value: Dev

In this CloudFormation template, an S3 bucket is created with the `AccessControl` set to `Private`, restricting public access. However, there is no configuration for `BucketEncryption`, meaning that Server-Side Encryption (SSE) is not enabled. Without SSE, data stored in the S3 bucket remains unencrypted at rest, making it vulnerable to unauthorized access and data breaches. If an attacker gains access to the S3 bucket, they could retrieve unencrypted data. To mitigate this risk, Server-Side Encryption should be enabled by adding the `BucketEncryption` property and specifying the `SSEAlgorithm` as `"AES256"` or `"aws:kms"`.

Steps

  1. Modify the CloudFormation template to include the `BucketEncryption` property.
  2. Set the `ServerSideEncryptionByDefault` block to specify an encryption method.
  3. Choose the appropriate server-side encryption method, such as SSE-S3 (`AES256`) or SSE-KMS (`aws:kms`), based on security requirements.
  4. Deploy the updated CloudFormation template to enforce encryption for all objects stored in the S3 bucket.

Secure Code Example

Resources:
  SecureS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Name
          Value: MyBucket
        - Key: Environment
          Value: Dev

This revised CloudFormation template adds the `BucketEncryption` property to enforce Server-Side Encryption (SSE). The `ServerSideEncryptionConfiguration` block defines a default rule that encrypts objects with the `AES256` algorithm (SSE-S3), so every object written to the bucket from then on is encrypted at rest. The `Tags` property is unchanged, as it only assigns metadata to the bucket. Applying this configuration enforces encryption for all new objects stored in the bucket, improving data security and compliance.
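To catch this defect before deployment, a template check can walk every `AWS::S3::Bucket` resource and report the ones without a usable default-encryption rule. The script below is an added example, not code from the original page; it reads templates in CloudFormation's JSON form so it needs only the standard library, and the two embedded templates are constructed from the page's insecure and secure examples.

```python
# Added example (not part of the original page): a static check that walks a
# CloudFormation template and reports every AWS::S3::Bucket without a usable
# default-encryption rule. Templates are given in CloudFormation's JSON form so
# the script runs with the standard library only; the two templates below are
# constructed from the page's insecure and secure examples.
import json

# SSEAlgorithm values accepted in ServerSideEncryptionByDefault.
VALID_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def check_bucket_encryption(template: dict) -> list[str]:
    """Return one finding per S3 bucket lacking default SSE; [] means clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        rules = (props.get("BucketEncryption") or {}).get(
            "ServerSideEncryptionConfiguration") or []
        # A bucket is covered only if at least one rule names a valid algorithm;
        # an empty BucketEncryption block or an empty rule list does not count.
        algorithms = [
            ((rule or {}).get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
            for rule in rules
        ]
        if not any(algo in VALID_ALGORITHMS for algo in algorithms):
            findings.append(
                f"{name}: no default server-side encryption "
                f"(BucketEncryption rules: {algorithms or 'none'})")
    return findings


def check_template_text(text: str) -> list[str]:
    """Parse a JSON-format CloudFormation template and check it."""
    return check_bucket_encryption(json.loads(text))


# Constructed from the page's examples (JSON form of the same YAML).
INSECURE_TEMPLATE = """{"Resources": {"InsecureS3Bucket": {
  "Type": "AWS::S3::Bucket",
  "Properties": {"BucketName": "my-bucket", "AccessControl": "Private"}}}}"""

SECURE_TEMPLATE = """{"Resources": {"SecureS3Bucket": {
  "Type": "AWS::S3::Bucket",
  "Properties": {"BucketName": "my-bucket", "AccessControl": "Private",
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}}}"""

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(label, check_template_text(text) or "OK")
```

The same check runs unchanged against a YAML template once it is loaded into a dict, for example with the `cfn-flip` tool or a CloudFormation-aware YAML loader.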


References

  • 099 - Non-encrypted confidential information - S3 Server Side Encryption

Last updated: 2025/04/03