Ensure S3 bucket has no server-side encryption being enabled by another account

Other Security Rules

Description

S3 bucket policies and default encryption settings allow uploaded objects to be encrypted with AES256 (SSE-S3) or with a specific AWS KMS key (SSE-KMS). When the specified KMS key belongs to a different AWS account, objects are encrypted with a key the bucket owner does not control, so the data may become impossible to decrypt if that account revokes access or deletes the key. This is a high risk of data loss through encryption.

Clear cross-account KMS Key on S3 via the AWS Management Console

Step 1. Log in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.

Step 2. In the "Buckets" list, choose a bucket name.

Step 3. Click on Properties.

Step 4. Under "Default encryption," click on Edit.

Step 5. Remove the cross-account KMS Key and specify the account-related KMS Key for data encryption.

Step 6. Consider the rule aws_058 aws_s3_prevent_default_kms_key_override.yaml remediation to prevent such violations in the future.
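Before clicking through the console for every bucket, it is often easier to detect the condition programmatically. The following is an added example (not part of the original rule page or its tooling): a pure check over the dict shape returned by boto3's `get_bucket_encryption()` that flags default-encryption rules whose KMS key ARN carries a different account ID. The `check_bucket` helper and the sample configuration are assumptions constructed for illustration.

```python
"""Detect S3 default-encryption rules that reference a KMS key from another AWS account."""
import re

# KMS key ARN: arn:<partition>:kms:<region>:<account-id>:key/<id> or :alias/<name>
_KMS_ARN = re.compile(r"^arn:[^:]+:kms:[^:]*:(\d{12}):(?:key|alias)/")

# SSE algorithms that use a KMS key (AES256 is SSE-S3 and needs no check)
_KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def cross_account_kms_rules(encryption_config: dict, bucket_account_id: str) -> list:
    """Return KMS key IDs in the default-encryption rules that belong to another account.

    A bare key ID or alias (no ARN) always resolves in the bucket owner's own
    account, so only ARNs carrying a different 12-digit account ID are flagged.
    """
    findings = []
    for rule in encryption_config.get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") not in _KMS_ALGORITHMS:
            continue
        key_id = sse.get("KMSMasterKeyID", "")
        match = _KMS_ARN.match(key_id)
        if match and match.group(1) != bucket_account_id:
            findings.append(key_id)
    return findings


def check_bucket(bucket: str, account_id: str) -> list:
    """Fetch the live configuration with boto3 (assumed installed and configured)."""
    import boto3  # imported here so the pure check above runs offline
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return []  # no default-encryption rule configured on this bucket
        raise
    return cross_account_kms_rules(cfg, account_id)


# Constructed sample: a bucket in account 111111111111 whose default encryption
# points at a key owned by 999999999999 (placeholder IDs, not real accounts).
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/00000000-0000-0000-0000-000000000000"
SAMPLE_CONFIG = {
    "Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": FOREIGN_KEY},
         "BucketKeyEnabled": True},
    ]
}

if __name__ == "__main__":
    print(cross_account_kms_rules(SAMPLE_CONFIG, "111111111111"))
```

Run `check_bucket("<bucket>", "<your-account-id>")` against a real bucket; any returned ARN should be replaced with a key from the bucket owner's account as in Step 5.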
