Ensure data stored in the S3 bucket is securely encrypted at rest

Error: Data stored in the S3 bucket is not securely encrypted at rest

Bridgecrew Policy ID: BC_AWS_S3_14
Checkov Check ID: CKV_AWS_19
Severity: LOW

Data stored in the S3 bucket is not securely encrypted at rest


SSE helps prevent unauthorized access to S3 buckets. Encrypting and decrypting data at the S3 bucket level is transparent to users when accessing data.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon S3 console.
  3. Select the name of the bucket that you want from the Bucket name list.
  4. Select Properties.
  5. Select Default encryption.
  6. To use keys that are managed by Amazon S3 for default encryption, select AES-256, then select Save.
  7. If you want to use CMKs that are stored in AWS KMS for default encryption, follow these steps:
    1. Select AWS-KMS.
    2. Select a customer-managed AWS KMS CMK that you have created, using one of these methods:
      a) In the list that appears, select the AWS KMS CMK.
      b) In the list that appears, select Custom KMS ARN, and then enter the Amazon Resource Name of the AWS KMS CMK.
    3. Click Save.

The steps above will encrypt all new files going forward. To encrypt all existing files, follow the steps below. Note that this will appear as an object modification, which will be logged if access logging is configured, and will count as a bucket write operation for billing purposes. Be mindful of applying these steps on large buckets.

  1. Navigate to the bucket Overview tab.
  2. Select objects to encrypt.
  3. From the Actions dropdown, select Change encryption.
  4. Select the desired encryption method, then click Save.
  5. The progress bar for the background job displays at the bottom of the screen.

CLI Command

To set encryption at the bucket level for all new objects, use the following command:

aws s3api put-bucket-encryption 
--bucket awsexamplebucket 
'{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

The command above will not encrypt existing objects. To do so, you must re-add each file with encryption. You can copy a single object back to itself encrypted with SSE-S3 (server-side encryption with Amazon S3-managed keys), using the following S3 Encrypt command:

aws s3 cp s3://awsexamplebucket/myfile s3://awsexamplebucket/myfile --sse AES256

Fix - Buildtime


  • Resource: aws_s3_bucket, aws_s3_bucket_server_side_encryption_configuration
+ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+   bucket = aws_s3_bucket.example.bucket
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "AES256"
+     }
+   }
+ }


  • Resource: AWS::S3::Bucket
  • Argument: Properites.BucketEncryption
Type: AWS::S3::Bucket
+		BucketEncryption:
+			ServerSideEncryptionConfiguration:
+				- ServerSideEncryptionByDefault:
+					SSEAlgorithm: AES256