Non-encrypted confidential information - S3 Server Side Encryption

Description

Some S3 buckets do not explicitly enable the Server-Side Encryption (SSE) property, so the objects they store are not encrypted at rest, which exposes their content to leaks by attackers or unauthorized users.

Impact

Compromise of sensitive data stored in plaintext in the bucket.

Recommendation

Enable the SSE property on all S3 buckets.

Threat

Authenticated attacker from the Internet with access to the bucket.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 6.5
    • Temporal: 5.9
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Sensitive data is stored in resources with properly defined encryption.

Resources:
  EncryptedS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: SKIMS-ENCRYPTED-EXAMPLE-BUCKET
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete

resource "aws_s3_bucket" "encrypted_bucket_1" {
  bucket = "my_encrypted_bucket_1"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.bucket_encryption_key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

Non compliant code

There are unencrypted resources that store sensitive data.

Resources:
  UnencryptedS3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: SKIMS-EXAMPLE-BUCKET
  BucketPolicy1:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - DOC-EXAMPLE-BUCKET
                - /*
            Principal: '*'
            Condition:
              "Null":
                's3:x-amz-server-side-encryption': false
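The compliant and non-compliant listings above differ only in whether the bucket resource carries a default-encryption block. The following static check is an added example, not code from the original page or from Fluid Attacks' Skims: given a CloudFormation template or a Terraform JSON-syntax file already parsed into a dict, it reports the bucket resources that lack a ServerSideEncryptionByDefault / apply_server_side_encryption_by_default block with a recognised algorithm. It goes slightly beyond the page's Terraform example by also accepting the separate aws_s3_bucket_server_side_encryption_configuration resource used with provider v4+. The function names, the VALID_SSE_ALGORITHMS set and the sample documents at the bottom are all constructed for this example.

```python
"""Static check for S3 buckets whose IaC definition enables no default SSE.

Added example (not the page's code): takes a CloudFormation template or a
Terraform JSON-syntax file parsed into a dict and returns the bucket
resources that do not declare default server-side encryption.
"""
import json
import re

# Algorithms S3 accepts for default encryption (SSE-S3, SSE-KMS, DSSE-KMS).
VALID_SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}

# "${aws_s3_bucket.<name>.id}" / ".bucket}" as written in the separate
# aws_s3_bucket_server_side_encryption_configuration resource (provider v4+).
TF_BUCKET_REF = re.compile(r"\$\{aws_s3_bucket\.([A-Za-z0-9_-]+)\.(?:id|bucket)\}")


def _as_list(value):
    """Terraform JSON syntax may give a nested block as a dict or a list of dicts."""
    if not value:
        return []
    return value if isinstance(value, list) else [value]


def _cfn_bucket_encrypted(properties):
    """True if an AWS::S3::Bucket declares default SSE with a valid algorithm."""
    rules = (properties.get("BucketEncryption") or {}).get(
        "ServerSideEncryptionConfiguration") or []
    return any(
        (rule.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
        in VALID_SSE_ALGORITHMS
        for rule in rules
    )


def _tf_rules_encrypt(container):
    """True if rule -> apply_server_side_encryption_by_default names a valid algorithm."""
    for rule in _as_list(container.get("rule")):
        for default in _as_list(rule.get("apply_server_side_encryption_by_default")):
            if default.get("sse_algorithm") in VALID_SSE_ALGORITHMS:
                return True
    return False


def find_unencrypted_buckets(document):
    """Return logical IDs / resource names of S3 buckets without default SSE.

    CloudFormation is recognised by the top-level "Resources" key, Terraform
    JSON syntax by "resource". For Terraform, both the inline block (as on
    the page) and the separate encryption resource count as compliant.
    """
    findings = []
    for logical_id, res in (document.get("Resources") or {}).items():
        if res.get("Type") == "AWS::S3::Bucket" and not _cfn_bucket_encrypted(
            res.get("Properties") or {}
        ):
            findings.append(logical_id)

    tf = document.get("resource") or {}
    covered = set()  # bucket names encrypted through the separate resource
    for body in (tf.get("aws_s3_bucket_server_side_encryption_configuration") or {}).values():
        for cfg in _as_list(body):
            ref = TF_BUCKET_REF.fullmatch(str(cfg.get("bucket", "")))
            if ref and _tf_rules_encrypt(cfg):
                covered.add(ref.group(1))
    for name, body in (tf.get("aws_s3_bucket") or {}).items():
        for bucket in _as_list(body):
            inline = any(_tf_rules_encrypt(cfg) for cfg in
                         _as_list(bucket.get("server_side_encryption_configuration")))
            if not inline and name not in covered:
                findings.append(name)
    return findings


# Constructed sample: the page's compliant and non-compliant buckets as JSON.
CFN_TEMPLATE = json.loads("""{
  "Resources": {
    "EncryptedS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketName": "SKIMS-ENCRYPTED-EXAMPLE-BUCKET",
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "KMS-KEY-ARN"}}]}}},
    "UnencryptedS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketName": "SKIMS-EXAMPLE-BUCKET"}}
  }
}""")

# Constructed sample Terraform JSON: one inline-encrypted bucket, one encrypted
# via the separate resource, and one with no encryption declared anywhere.
TF_DOCUMENT = json.loads("""{
  "resource": {
    "aws_s3_bucket": {
      "inline": {"bucket": "inline-bucket", "server_side_encryption_configuration": {
        "rule": {"apply_server_side_encryption_by_default": {"sse_algorithm": "AES256"}}}},
      "separate": {"bucket": "separate-bucket"},
      "plain": {"bucket": "plain-bucket"}
    },
    "aws_s3_bucket_server_side_encryption_configuration": {
      "separate_sse": {"bucket": "${aws_s3_bucket.separate.id}",
        "rule": {"apply_server_side_encryption_by_default": {"sse_algorithm": "aws:kms"}}}
    }
  }
}""")

if __name__ == "__main__":
    for doc in (CFN_TEMPLATE, TF_DOCUMENT):
        print("unencrypted buckets:", find_unencrypted_buckets(doc))
```

The check deliberately looks at the algorithm value rather than at the mere presence of a BucketEncryption key, so a block that exists but names nothing usable is still reported; a real CloudFormation template written in YAML would first need to be loaded with a YAML parser that understands the `!Join`-style tags.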

Using the AWS CLI, the following command checks the bucket encryption configuration:

$ aws s3api get-bucket-encryption --bucket {my_bucket_name}

If the command returns the error message "ServerSideEncryptionConfigurationNotFoundError", default encryption is not enabled and the bucket has an insecure configuration.
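Running that command by hand for every bucket does not scale, and a plain failure of the CLI is ambiguous: the specific "ServerSideEncryptionConfigurationNotFoundError" error is the finding, while "AccessDenied" only means the caller could not check. The script below is an added example, not part of the original page: it lists the account's buckets with `aws s3api list-buckets`, runs `aws s3api get-bucket-encryption` for each, and classifies the outcome from the exit status and stderr. The `run` parameter is injectable; `fake_run` is a constructed stand-in with an invented error message so the logic can be exercised without the CLI installed.

```python
"""Live default-encryption audit built on the AWS CLI command described above.

Added example (not the page's code). Requires the aws CLI and credentials
when run against a real account; `fake_run` is a constructed stand-in.
"""
import json
import subprocess
from types import SimpleNamespace

NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"


def classify(returncode, stderr):
    """Map one get-bucket-encryption outcome to a verdict string."""
    if returncode == 0:
        return "encrypted"
    if NOT_FOUND in stderr:
        return "not-encrypted"
    if "AccessDenied" in stderr:
        # Caller lacks s3:GetEncryptionConfiguration on that bucket: unknown, not safe.
        return "access-denied"
    return "error"


def audit_buckets(run=subprocess.run):
    """Return {bucket: verdict} for every bucket the caller can list."""
    listing = run(
        ["aws", "s3api", "list-buckets", "--query", "Buckets[].Name", "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    verdicts = {}
    for bucket in json.loads(listing.stdout):
        # Any non-zero status is inspected via stderr; no exception is raised here.
        result = run(
            ["aws", "s3api", "get-bucket-encryption", "--bucket", bucket],
            capture_output=True, text=True,
        )
        verdicts[bucket] = classify(result.returncode, result.stderr)
    return verdicts


def fake_run(cmd, **_kwargs):
    """Constructed stand-in for subprocess.run: two buckets, one encrypted, one not."""
    if cmd[2] == "list-buckets":
        return SimpleNamespace(returncode=0, stderr="",
                               stdout='["encrypted-bucket", "plain-bucket"]')
    if cmd[-1] == "encrypted-bucket":
        return SimpleNamespace(returncode=0, stderr="",
                               stdout='{"ServerSideEncryptionConfiguration": {"Rules": []}}')
    # Constructed error text in the shape the CLI prints for this error.
    return SimpleNamespace(
        returncode=254, stdout="",
        stderr="An error occurred (ServerSideEncryptionConfigurationNotFoundError) "
               "when calling the GetBucketEncryption operation",
    )


if __name__ == "__main__":
    print(json.dumps(audit_buckets(run=fake_run), indent=2))  # offline demo
    # print(json.dumps(audit_buckets(), indent=2))             # real account
```

The listing call uses `check=True` because nothing can be audited if bucket enumeration fails, whereas each per-bucket call is allowed to fail so that its error text can be turned into a verdict; "access-denied" is kept distinct from "not-encrypted" so an incomplete audit is not mistaken for a clean one.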

Requirements