MEDIUM

Ensure S3 bucket uses KMS for encryption

While SSE-S3 provides encryption, SSE-KMS with customer managed keys provides additional access controls through key policies and usage auditing in CloudTrail.

Security Impact

SSE-S3 (AES-256) lacks key access auditing, fine-grained access control via key policies, and separation of duties.

How to Remediate

Configure default bucket encryption to use SSE-KMS with a customer managed key. Update bucket policy to require KMS encryption.

Affected Resources

AWS::S3::BucketAWS::KMS::Key

Compliance Frameworks

SOC 2PCI-DSSHIPAAFedRAMP

How TigerGate Helps

TigerGate continuously monitors your AWS environment to detect and alert on this misconfiguration. Here's what our platform does for this specific check:

  • Continuous Scanning

    Automatically scans all Simple Storage Service (S3) resources across your AWS accounts every hour

  • Instant Alerts

    Get notified via Slack, email, or webhooks when this misconfiguration is detected

  • One-Click Remediation

    Fix this issue directly from the TigerGate dashboard with our guided remediation

  • Compliance Evidence

    Automatically collect audit evidence for SOC 2, PCI-DSS, HIPAA compliance

  • Drift Detection

    Get alerted if this configuration drifts back to an insecure state after remediation

Check Details

Check ID
aws-s3-11
Service
Simple Storage Service (S3)
Category
Encryption
Severity
MEDIUM

Automate This Check

TigerGate automatically scans your AWS environment for this and 575+ other security checks.

Start Free Trial

Related Simple Storage Service (S3) Checks

View all checks
aws-s3-1critical

Ensure S3 bucket has block public access enabled

aws-s3-2critical

Ensure S3 bucket policy does not allow public read access

aws-s3-3critical

Ensure S3 bucket policy does not allow public write access

aws-s3-4medium

Ensure MFA Delete is enabled on S3 buckets

aws-s3-5high

Ensure S3 bucket has server-side encryption enabled