AWS S3 Buckets Do Not Have Server Side Encryption

Customers can protect the data in S3 buckets using AWS server-side encryption. If server-side encryption is not turned on for S3 buckets holding sensitive data, a data breach could give malicious users direct access to that data. NOTE: Do NOT enable this policy if you are using 'Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C)'.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

AWS S3 buckets do not have server side encryption.
JSON Query:
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption any null or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm any null
Recommended solution: ensure that S3 buckets have server-side encryption.
It is recommended that S3 buckets have server-side encryption. Make sure that the "BucketEncryption" property exists and that "SSEAlgorithm" is specified inside its "ServerSideEncryptionByDefault" block.
For example:
"EncryptedS3Bucket2": {
  "Type": "AWS::S3::Bucket",
  "Properties": {
    "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" },
    "BucketEncryption": {
      "ServerSideEncryptionConfiguration": [{
        "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" }
      }]
    }
  },
  "DeletionPolicy": "Delete"
}
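The build rule above can be reproduced in plain Python for local template linting. The following is an added example (not Prisma Cloud's own code) that walks a CloudFormation template, applies both halves of the JSON query, and returns the logical IDs of non-compliant buckets; the template it inspects is constructed for illustration.

```python
import json

# Constructed CloudFormation template (not from the page): one compliant bucket,
# two non-compliant ones, and a non-bucket resource that must be ignored.
TEMPLATE = json.loads("""{
  "Resources": {
    "EncryptedS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "NoEncryptionBlock": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketName": "plain-bucket"}},
    "MissingAlgorithm": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {}}]}}},
    "NotABucket": {"Type": "AWS::SQS::Queue", "Properties": {}}
  }
}""")


def find_unencrypted_buckets(template):
    """Return logical IDs of AWS::S3::Bucket resources that fail the rule.

    Mirrors the two halves of the page's JSON query: BucketEncryption is
    absent, or some ServerSideEncryptionByDefault entry has no SSEAlgorithm.
    An empty ServerSideEncryptionConfiguration list is also reported, since
    it leaves the bucket without any default encryption rule.
    """
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        encryption = props.get("BucketEncryption")
        if not encryption:
            failing.append(logical_id)
            continue
        rules = encryption.get("ServerSideEncryptionConfiguration") or []
        missing = [r for r in rules
                   if not (r.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")]
        if not rules or missing:
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    for bucket in find_unencrypted_buckets(TEMPLATE):
        print(f"{bucket}: AWS S3 bucket does not have server side encryption")
```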

Run Rule Recommendation

  1. Login to the AWS Console and navigate to the 'S3' service.
  2. Click on the reported S3 bucket.
  3. Click on the 'Properties' tab.
  4. Under the 'Default encryption' section, choose either AES-256 or AWS-KMS as the encryption option, based on your requirements.


There are 11 standards that are applicable to this policy:
  • NIST 800-171 Rev1
  • GDPR
  • NIST 800-53 Rev4
  • MITRE ATT&CK [Beta]
  • ISO 27001:2013
  • SOC 2
  • CSA CCM v3.0.1
  • HITRUST CSF v9.3
  • CCPA 2018
