S3 bucket encryption
Check ID: aws-s3-002
AWS-S3-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether S3 buckets use SSE-KMS encryption instead of the default SSE-S3. SSE-KMS provides key rotation, access auditing via CloudTrail, and granular access control.
Why it matters
While SSE-S3 provides basic AES-256 encryption, SSE-KMS adds critical security controls that compliance frameworks require. KMS encryption generates separate data keys per object, provides automatic annual key rotation, and logs every encryption/decryption operation in CloudTrail - giving you a complete audit trail of who accessed what data and when. KMS key policies allow granular access control, letting you restrict which IAM principals can decrypt specific data. For regulated industries (HIPAA, PCI-DSS, FedRAMP), KMS encryption with customer-managed keys is often mandatory. Enabling BucketKeyEnabled reduces KMS API costs by up to 99% by reusing data keys at the bucket level.
Common causes
Buckets default to SSE-S3 encryption because SSE-KMS requires a KMS key policy and additional IAM permissions (such as kms:Decrypt) for every principal that reads the data. Teams creating buckets through the console or simple Terraform modules often accept the default encryption without evaluating the KMS benefits. Migrating existing buckets from SSE-S3 to SSE-KMS requires re-encrypting the objects already stored, which teams postpone indefinitely for large buckets.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
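The decision logic behind this check, as an added example rather than cloud-audit's own code: it evaluates a GetBucketEncryption response offline against constructed sample configurations (the key ID is a placeholder), and includes an optional boto3 fetch helper for live buckets. The WARN status for SSE-KMS without BucketKeyEnabled is an assumption layered on top of the page's pass/fail criterion.

```python
# Added example, not cloud-audit's own code: the decision logic behind check
# aws-s3-002, applied offline to constructed GetBucketEncryption responses.
from typing import Any, Dict, Optional, Tuple

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: the offline evaluation below still runs
    ClientError = Exception

# Assumption: both KMS-backed algorithm names count as SSE-KMS for this check.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}

def evaluate_bucket_encryption(config: Optional[Dict[str, Any]]) -> Tuple[str, str]:
    """Return (status, reason): FAIL (not SSE-KMS), WARN (SSE-KMS, bucket key off;
    a cost finding added here) or PASS. `config` is the dict or None if absent."""
    if not config:
        return "FAIL", "no default encryption configured; S3 falls back to SSE-S3"
    rules = config.get("Rules") or []
    if not rules:
        return "FAIL", "encryption configuration contains no rules"
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in KMS_ALGORITHMS:
            return "FAIL", f"default algorithm is {algo!r}, expected aws:kms"
        if not rule.get("BucketKeyEnabled", False):
            return "WARN", "SSE-KMS set but BucketKeyEnabled is false (higher KMS cost)"
    return "PASS", "SSE-KMS with bucket key enabled"

def fetch_bucket_encryption(s3, bucket: str) -> Optional[Dict[str, Any]]:
    """Fetch the live configuration with a boto3 S3 client (needs AWS credentials)."""
    try:
        return s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]
    except ClientError as exc:
        # Buckets with no default-encryption configuration raise this specific code.
        if exc.response.get("Error", {}).get("Code") == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise

# Constructed responses standing in for real API output (key ID is a placeholder).
SAMPLE_CONFIGS = {
    "sse-s3-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "kms-no-bucket-key": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "kms-bucket-key": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "PLACEHOLDER-KEY-ID"}, "BucketKeyEnabled": True}]},
    "no-config": None,
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(name, *evaluate_bucket_encryption(cfg))
```

To scan a real bucket, pass the result of fetch_bucket_encryption(boto3.client("s3"), name) into evaluate_bucket_encryption.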
Remediation: AWS CLI
aws s3api put-bucket-encryption --bucket BUCKET_NAME --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"},"BucketKeyEnabled":true}]}'
Remediation: Terraform
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = "bucket-name"
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
    bucket_key_enabled = true
  }
}
Compliance mapping
This check maps to CIS 2.1.1 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →