AWS-022 Amazon Web Services (AWS)

S3 default encryption is enabled on all buckets.

Domain: Amazon Web Services (AWS)
Area: Data Protection
Automated / manual: Automated

Risk if it fails

Unencrypted objects exposed if storage is reached.

If the underlying storage is ever accessed without authorization, encrypted data is useless to the thief while plaintext data is immediately readable.

How Tess tests it

1 test — each concludes only on cited evidence.

S3 default encryption is enabled on all buckets.

Automated
Procedure
Confirm default encryption configuration on each bucket.

Read-only command

for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do echo "$b"; aws s3api get-bucket-encryption --bucket "$b" 2>/dev/null || echo "  (no encryption configuration returned: not set or not readable)"; done
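
The command above discards the CLI's error text, so a bucket with no default encryption and a bucket the caller is not allowed to read look the same. The following is an added example, not part of Tess's procedure, that keeps the error text and turns each result into a PASS / FAIL / UNKNOWN verdict; the function names, the `--live` switch and the sample bucket names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Tess's own code): classify the result of
# `aws s3api get-bucket-encryption` per bucket instead of discarding stderr.

# classify_encryption RC OUTPUT
#   RC:     exit status of the aws call
#   OUTPUT: its stdout+stderr; on success, the SSEAlgorithm as text
classify_encryption() {
  if [ "$1" -eq 0 ]; then
    case "$2" in
      AES256|aws:kms|aws:kms:dsse) echo "PASS $2" ;;
      *) echo "REVIEW unexpected-response" ;;
    esac
    return 0
  fi
  case "$2" in
    *ServerSideEncryptionConfigurationNotFoundError*) echo "FAIL no-default-encryption" ;;
    *AccessDenied*) echo "UNKNOWN access-denied" ;;
    *) echo "UNKNOWN error" ;;
  esac
}

# Live, read-only check: the same two API calls as the command on this page.
check_all_buckets() {
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    out=$(aws s3api get-bucket-encryption --bucket "$b" \
      --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
      --output text 2>&1) && rc=0 || rc=$?
    printf '%s\t%s\n' "$b" "$(classify_encryption "$rc" "$out")"
  done
}

# Offline demo on constructed CLI outputs (bucket names are made up).
demo_constructed() {
  printf 'example-logs\t%s\n' "$(classify_encryption 0 'aws:kms')"
  printf 'example-legacy\t%s\n' "$(classify_encryption 254 \
    'An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation')"
  printf 'example-locked\t%s\n' "$(classify_encryption 254 \
    'An error occurred (AccessDenied) when calling the GetBucketEncryption operation')"
}

if [ "${1:-}" = "--live" ]; then check_all_buckets; else demo_constructed; fi
```

An UNKNOWN verdict means the evidence could not be read, so it is neither a pass nor a fail for the bucket.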
