Another day, another S3 breach headline. It’s 2024, and unencrypted S3 buckets are still a recurring nightmare for organizations. This isn’t rocket science, people.
Even if your S3 bucket is ‘private’, an attacker who obtains IAM credentials with s3:GetObject can dump its contents, and SSE-S3 on its own does nothing to stop that: S3 decrypts transparently for any principal allowed to read the object. What encryption at rest buys you depends on the key. SSE-S3 protects against stolen or mis-wiped storage media. SSE-KMS with a customer-managed key adds a second gate: the caller also needs kms:Decrypt under the key policy, so bucket access alone is not enough to exfiltrate, and each KMS call is recorded in CloudTrail. That key-access layer is why server-side encryption is foundational rather than optional, and why the KMS key policy deserves the same scrutiny as the bucket policy.
You need to enforce default encryption on every S3 bucket: SSE-S3 at a minimum, SSE-KMS with a key you control for anything that matters. AWS has applied SSE-S3 to all new objects by default since January 2023, so in 2024 the real gaps are objects written before that change and buckets that never moved past the baseline to a customer-managed KMS key. Don’t leave it to individual teams to remember. Set the bucket default, back it with a bucket policy, and verify it.
In the AWS console, navigate to S3, select a bucket, go to ‘Properties’, and then ‘Default encryption’. Choose ‘Server-side encryption with Amazon S3 managed keys (SSE-S3)’ or ‘Server-side encryption with AWS Key Management Service keys (SSE-KMS)’ (for SSE-KMS, pick your own key rather than the AWS-managed aws/s3 key, and enable the S3 Bucket Key to cut KMS call volume) and save. Two caveats: the default only applies to objects written after you set it, so existing unencrypted objects stay that way until you copy them in place with the encryption you want; and ‘do this for every bucket’ does not scale by hand, so mandate it with an AWS Config rule such as S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED or S3_DEFAULT_ENCRYPTION_KMS rather than a checklist.
Don’t be the next headline. Just do this.
The fix
# Check all buckets for a default-encryption configuration
# (a bucket with none returns ServerSideEncryptionConfigurationNotFoundError)
for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  enc=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>&1) \
    && echo "ENCRYPTED   $bucket" \
    || echo "UNENCRYPTED $bucket: $enc"
done
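Checking is the easy half. The script below is an added example (not from the original post) that does the enforcement procedure described above from the CLI instead of the console: it sets an SSE-KMS default with an S3 Bucket Key, adds a bucket policy so uploads cannot opt back into SSE-S3 or a different key, and re-reads the configuration to verify. The bucket name, the KMS key ARN, the TARGET_BUCKET/KMS_KEY_ARN variables and all function names are placeholders of mine; everything it calls on the aws CLI and the two S3 condition keys exist as written.

```shell
#!/bin/sh
# Added example (not from the original post). Enforces SSE-KMS as the bucket
# default and backs it with a bucket policy. Key ARN and bucket are placeholders.
set -eu

# JSON body for `aws s3api put-bucket-encryption`. The S3 Bucket Key cuts the
# number of KMS calls (and their cost) without weakening the key-access gate.
encryption_config_json() {
  key_arn=$1
  cat <<EOF
{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "$key_arn"
      },
      "BucketKeyEnabled": true
    }
  ]
}
EOF
}

# Bucket policy that rejects uploads which *explicitly* ask for anything other
# than SSE-KMS with our key. Uploads that send no encryption header at all are
# left alone: the bucket default encrypts those. (A bare StringNotEquals deny
# would also block header-less uploads, because a negated condition operator
# evaluates to true when the key is absent; the Null check narrows it.)
deny_non_kms_policy() {
  bucket=$1
  key_arn=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$bucket/*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption": "false"},
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
      }
    },
    {
      "Sid": "DenyWrongKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$bucket/*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "false"},
        "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "$key_arn"}
      }
    }
  ]
}
EOF
}

# Classify the combined stdout+stderr of `aws s3api get-bucket-encryption`.
classify_encryption() {
  out=$1
  if printf '%s' "$out" | grep -q '"aws:kms"'; then echo SSE-KMS
  elif printf '%s' "$out" | grep -q '"AES256"'; then echo SSE-S3
  elif printf '%s' "$out" | grep -q ServerSideEncryptionConfigurationNotFoundError; then echo NONE
  else echo UNKNOWN; fi
}

# Apply the default and the policy, then re-read the configuration to verify.
# This does NOT re-encrypt objects that already exist in the bucket.
enforce_bucket_encryption() {
  bucket=$1
  key_arn=$2
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration "$(encryption_config_json "$key_arn")"
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(deny_non_kms_policy "$bucket" "$key_arn")"
  classify_encryption "$(aws s3api get-bucket-encryption --bucket "$bucket" 2>&1)"
}

# Usage (runs only when both variables are set):
#   TARGET_BUCKET=my-bucket \
#   KMS_KEY_ARN=arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
#   sh enforce-s3-encryption.sh
if [ -n "${TARGET_BUCKET:-}" ] && [ -n "${KMS_KEY_ARN:-}" ]; then
  enforce_bucket_encryption "$TARGET_BUCKET" "$KMS_KEY_ARN"
fi
```

The second statement compares the key ID header against the ARN string literally, so clients that pin a key must send the ARN in that form; clients that send no key header get the bucket default, which is the same key. Expect classify_encryption to print SSE-KMS after a successful run. For objects that predate the change, copy them over themselves (aws s3 cp with the same source and destination and --sse aws:kms --sse-kms-key-id <key>) to pick up the new default.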
Reference: CIS AWS Foundations Benchmark 2.1.1