Home Uncategorized Amazon S3 Server-Side Encryption should be enabled

Amazon S3 Server-Side Encryption should be enabled


When organizations store data or host application in the cloud, they lose the ability to have physical access to the servers hosting its information. As a result, their sensitive data is at risk of the potential internal security threats and malicious attacks. Hence it is important for users to think about various security aspects which are necessary to be implemented to ensure the security of their cloud infrastructure. One such critical aspect is the Amazon S3 server-side encryption of your data stored in the buckets.

What is Amazon S3?

S3 stands for Simple Storage Service. Amazon S3 is a web service interface which can be used to store and retrieve any amount of data at any time and anywhere from the internet. It provides large organizations to simply and securely collect, store, and analyze their data on a massive scale.

Users can upload their data (photos, videos, documents, etc.) when a user creates a bucket for the first time in any of the preferred regions available in AWS. The user can upload any number of objects in any bucket. S3 facilitates users to encrypt data stored in buckets using server-side encryption.

Why server-side encryption is important for maintaining security in your cloud infrastructure?

When server-side encryption is used, S3 encrypts object before saving it to the disk in its data centers and decrypts it when the object is retrieved or downloaded. Server-side encryption with S3 managed key uses multi-factor encryption and encrypts each object with a unique key. To provide an additional layer of security, the unique key encrypts itself with a master key which is regularly rotated.

Amazon S3 Server-side encryption uses one of the strongest block ciphers available to encrypt your data. Using default SSE encryption does not cost any additional charges and works with all existing and new S3 buckets. Encryption information should be included along with every object storage request in order to encrypt S3 data at the object level as SSE only provides encryption at the bucket level.

How Centilytics helps in your Amazon S3 server-side encryption

Centilytics provides a dedicated insight regarding Amazon S3 Server-Side Encryption (SSE). The insight shows the status, whether SSE is enabled for your corresponding S3 buckets or not.

Insight Descriptions:

There can be 2 possible scenarios:

Severity Description
OK This indication will be displayed when SSE (Server-Side Encryption) is enabled on the corresponding S3 bucket.
AWS EBS PUBLIC SNAPSHOTCRITICAL This indication will be displayed when SSE (Server-Side Encryption) is disabled on the corresponding S3 bucket.


Description of further columns are as follows:

  1. Account Id: This column shows the respective account ID of the user’s account.AWS S3 Server Side Encryption-ss1
  2. Account Name: This column shows the corresponding account name to the user’s account.AWS S3 Server Side Encryption-ss2
  3. Region: This column shows the region in which the bucket exists.AWS S3 Server Side Encryption-ss5
  4. Bucket Name: This column shows the corresponding bucket name.AWS S3 Server Side Encryption-ss4


Filters applicable:

Filter Name Description
Account Id Applying account Id filter will display data for the selected account Id.
Region Applying the region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for Warning and Ok severity types


Compliances covered:

Compliance Name Reference No. Link
PCI 4.1 https://docs.aws.amazon.com/quickstart/
HIPAA 164.312(a)(2)(iv),164.312(e)(1),164.312(e)(2)(ii) https://aws.amazon.com/quickstart/
ISO 27001 A.18.1.3, A.18.1.5 https://www.iso.org/standard/54534.html


NIST 800-53 SC-8, SC-13, SC-28


GDPR Article 32 https://gdpr-info.eu/


Read more:

[1] https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

[2] https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html


Cloud Management