Non-encrypted confidential information - S3 Server Side Encryption
Description
Some S3 buckets do not explicitly enable the Server-Side Encryption (SSE) property, so the objects they store are not encrypted at rest and their content is exposed to leaks by attackers or unauthorized users.
Impact
Compromise sensitive data stored in the bucket in plaintext.
Recommendation
Enable the SSE property in all S3 buckets.
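One way to check infrastructure code for this finding before deployment, as an added example that is not part of the original page: the Python check below flags every AWS::S3::Bucket resource in a CloudFormation template (JSON form) that declares no default SSE rule. The sample template, its resource names and the function names are constructed for illustration.

```python
import json

# Values accepted by CloudFormation's SSEAlgorithm property.
VALID_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")


def bucket_sse_algorithms(resource):
    """Return the default SSE algorithms declared on one bucket resource."""
    props = resource.get("Properties") or {}
    encryption = props.get("BucketEncryption") or {}
    rules = encryption.get("ServerSideEncryptionConfiguration") or []
    defaults = [r.get("ServerSideEncryptionByDefault") or {} for r in rules]
    return [d["SSEAlgorithm"] for d in defaults if d.get("SSEAlgorithm")]


def find_unencrypted_buckets(template):
    """Map each failing bucket's logical ID to the reason it fails."""
    findings = {}
    for name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        algos = bucket_sse_algorithms(resource)
        bad = [a for a in algos if a not in VALID_ALGORITHMS]
        if not algos:
            findings[name] = "no default SSE rule declared"
        elif bad:
            findings[name] = "unrecognised SSEAlgorithm: %r" % bad
    return findings


# Constructed sample template (hypothetical resource names).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "LogsBucket": {"Type": "AWS::S3::Bucket"},
  "ReportsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
  "EmptyRuleBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "BucketEncryption": {"ServerSideEncryptionConfiguration": []}}},
  "Queue": {"Type": "AWS::SQS::Queue"}
}}
""")

if __name__ == "__main__":
    for bucket, reason in sorted(find_unencrypted_buckets(SAMPLE_TEMPLATE).items()):
        print(f"{bucket}: {reason}")
```

A bucket whose BucketEncryption block is present but holds an empty rule list is reported the same way as one with no block at all, since neither sets a default algorithm.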
Threat
Authenticated attacker from Internet with access to the bucket.
Expected Remediation Time
⏱️ 15 minutes.
Requirements
134 - Store passwords with salt
135 - Passwords with random salt
185 - Encrypt sensitive information
227 - Display access notification
229 - Request access credentials
264 - Request authentication
300 - Mask sensitive data
Score
Default score using CVSS 4.0. It may change depending on the context of the source.
Base 4.0
Attack vector: N
Attack complexity: L
Attack requirements: N
Privileges required: L
User interaction: N
Confidentiality (VC): H
Integrity (VI): N
Availability (VA): N
Confidentiality (SC): N
Integrity (SI): N
Availability (SA): N
Threat 4.0
Exploit maturity: P
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P