099 Non-encrypted confidential information - S3 Server Side Encryption


Description

Some S3 buckets do not explicitly enable the server-side encryption (SSE) property, so the stored objects are not encrypted at rest, which exposes their content to leaks by attackers or unauthorized users.


Impact

Compromise sensitive data stored in the bucket in plaintext.


Recommendation

Enable the SSE property on all S3 buckets.
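
One way to check for this finding before deployment, as an added example that is not part of the original page: a Python audit of a CloudFormation template that lists every `AWS::S3::Bucket` resource with no explicit default encryption rule. The template, its resource names and the `buckets_without_sse` helper are constructed for illustration.

```python
import json

# Constructed sample CloudFormation template (not taken from the page).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-logs"}
    },
    "ReportsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
          ]
        }
      }
    },
    "EmptyRuleBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": []}}
    },
    "Queue": {"Type": "AWS::SQS::Queue"}
  }
}
""")

# SSEAlgorithm values accepted by CloudFormation for default bucket encryption.
VALID_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}

def buckets_without_sse(template):
    """Return sorted logical IDs of S3 buckets lacking an explicit default SSE rule."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
        # An empty rule list or an unknown algorithm still counts as "not enabled".
        algorithms = {(r.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm") for r in rules}
        if not algorithms & VALID_ALGORITHMS:
            findings.append(logical_id)
    return sorted(findings)

if __name__ == "__main__":
    for name in buckets_without_sse(SAMPLE_TEMPLATE):
        print(f"{name}: no explicit server-side encryption configured")
```

The compliant form is the `BucketEncryption` block shown on `ReportsBucket`; adding it to the flagged buckets clears the finding.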


Threat

Authenticated attacker from the Internet with access to the bucket.


Expected Remediation Time

15 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): H
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/12