Ensure S3 bucket deny overriding of default KMS Key encryption

Other Security Rules

Description

Attackers who hold s3:PutObject permission can still override the bucket's default KMS key encryption when writing an object, by supplying a KMS key of their own in the request; objects encrypted under a key the bucket owner cannot use are the basis of a ransomware scenario.

To prevent this method of malicious access, the bucket owner should define a bucket policy that allows object writes only with the defined default KMS key, which attackers are unlikely to have permission to change or modify.

Enable S3 bucket policy control over the KMS Key via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.

Step 2. In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.

Step 3. Click on Permissions.

Step 4. Under "Bucket policy," click on Edit.

Step 5. In the "Policy" text field, type or copy and paste a new bucket policy, or edit an existing policy.

The bucket policy is a JSON file. The text you type in the editor must be valid JSON.

Step 6. Add a Condition to the Statement that grants s3:PutObject, specifying the KMS key that must be matched.

Step 7. Example Condition for a Statement with Allow effect: "Condition":{"StringEquals":{"s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID"}}
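As an added example (not part of this rule page or any vendor's scanner), a small Python check of the kind a policy scanner runs: it parses a bucket policy and reports whether a statement pins s3:PutObject to the default key ARN, accepting either the Allow/StringEquals shape above or a Deny/StringNotEquals; the bucket name and ARNs are placeholders.

```python
import json

KMS_KEY_COND = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Constructed sample policy with placeholder ARNs: a Deny that fires whenever
# a PutObject names a KMS key other than the bucket's default key.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPutObjectWithNonDefaultKmsKey",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
        "Condition": {"StringNotEquals": {
            KMS_KEY_COND: "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID"}},
    }],
})


def _as_list(value):
    """Statement, Action and condition values may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_put_object(actions):
    """True if any Action entry matches s3:PutObject, including wildcards."""
    for action in _as_list(actions):
        action = action.lower()
        if action in ("*", "s3:*", "s3:putobject"):
            return True
        if action.endswith("*") and "s3:putobject".startswith(action[:-1]):
            return True
    return False


def pins_default_kms_key(policy_json, key_arn):
    """Return True if some statement restricts s3:PutObject to key_arn.

    Deny + StringNotEquals overrides any Allow; Allow + StringEquals only
    limits what this bucket policy itself grants. Resource is not inspected.
    """
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _covers_put_object(stmt.get("Action")):
            continue
        operator = {"Deny": "StringNotEquals", "Allow": "StringEquals"}.get(stmt.get("Effect"))
        if operator is None:
            continue
        pinned = _as_list(stmt.get("Condition", {}).get(operator, {}).get(KMS_KEY_COND))
        if pinned == [key_arn]:
            return True
    return False
```

An Allow with a condition only limits what the bucket policy grants on its own; a principal whose identity policy already allows s3:PutObject could still pass a different key, so the explicit Deny form is the one that actually blocks the override.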

References