Control: AWS > PCI v3.2.1 > S3 > 4 S3 buckets should have server-side encryption enabled

This control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption.

When you set default encryption on a bucket, all new objects stored in the bucket are encrypted when they are stored, including clear text PAN data.

Server-side encryption for all of the objects stored in a bucket can also be enforced using a bucket policy.

Remediation

Open the Amazon S3 console.
Choose the bucket from the list.
Choose Properties.
Choose Default encryption.
For the encryption, choose either AES-256 or AWS-KMS.
1. To use keys that are managed by Amazon S3 for default encryption, choose AES-256. For more information about using Amazon S3 server-side encryption to encrypt your data,
2. To use keys that are managed by AWS KMS for default encryption, choose AWS-KMS. Then choose a master key from the list of the AWS KMS master keys that you have created. Type the Amazon Resource Name (ARN) of the AWS KMS key to use. You can find the ARN for your AWS KMS key in the IAM console, under Encryption keys. Or, you can choose a key name from the drop-down list.
Choose Save.

PCI requirement(s): 3.4

Resource Types

This control targets the following resource types:

AWS > S3 > Bucket

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketDefaultEncryptionEnabled

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketDefaultEncryptionEnabled") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketDefaultEncryptionEnabled'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketDefaultEncryptionEnabled"