To have greater control over how your Amazon S3 data at rest is encrypted and decrypted, use Server-Side Encryption with customer-provided Customer Master Keys (CMKs) rather than S3-Managed Keys (SSE-S3). This lets you set your own encryption keys and restrict who can use them to access your data. AWS Key Management Service (KMS) provides an easy way to create, rotate, disable, and audit the CMKs used for Amazon S3. To enable Server-Side Encryption with customer-provided keys by default, configure your Amazon S3 buckets to use this encryption method; S3 will then automatically encrypt every new object with the specified CMK. You can also specify an existing KMS CMK in the rule settings on the Trend Micro Cloud One™ – Conformity dashboard, which is useful if your organization has strict regulatory requirements for S3 Server-Side Encryption.
To ensure that data stored in an Amazon S3 bucket is securely encrypted at rest, follow these remediation steps:
By following these steps, you can ensure that all data stored in your S3 bucket is encrypted using the customer-provided CMK, giving you full control over who can access the data.
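The check the rule above performs, written out as an added Python example (not Conformity's or AWS's own code): it classifies a bucket's default-encryption configuration, flags SSE-S3 and the AWS-managed `aws/s3` KMS key as non-compliant, and builds the `put_bucket_encryption` request that enforces a customer-managed CMK. The configurations are constructed samples in the shape boto3's `get_bucket_encryption` returns, and the bucket name and key ARN are placeholders; no AWS call is made.

```python
"""Evaluate S3 default encryption: compliant only with SSE-KMS on a customer-managed CMK."""

# Constructed placeholder ARN for a customer-managed CMK (not a real key).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

def _rule(algorithm, key_id=None):
    """Build one default-encryption rule in the get/put_bucket_encryption shape."""
    default = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}

# Constructed samples: weak setting (SSE-S3), KMS with the AWS-managed key, and the target.
SSE_S3_CONFIG = _rule("AES256")
AWS_MANAGED_KMS_CONFIG = _rule("aws:kms", "alias/aws/s3")
CMK_CONFIG = _rule("aws:kms", CMK_ARN)

def default_encryption_status(config):
    """Return 'none', 'sse-s3', 'sse-kms-aws-managed', 'sse-kms-cmk' or 'unknown'.

    An empty dict stands for the ServerSideEncryptionConfigurationNotFoundError
    case, i.e. no default encryption configured at all.
    """
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return "sse-s3"
    if algorithm == "aws:kms":
        key_id = default.get("KMSMasterKeyID", "")
        # No key ID means S3 falls back to the AWS-managed aws/s3 key; the alias
        # form is caught too. A raw key ARN of the aws/s3 key would need a KMS
        # describe_key lookup (KeyManager == "AWS"), which this offline check skips.
        if not key_id or key_id.endswith("alias/aws/s3"):
            return "sse-kms-aws-managed"
        return "sse-kms-cmk"
    return "unknown"

def is_compliant(config):
    """True only when new objects default to SSE-KMS with a customer-managed CMK."""
    return default_encryption_status(config) == "sse-kms-cmk"

def remediation_request(bucket, cmk_arn):
    """Parameters for s3.put_bucket_encryption(**request) that enforce the CMK."""
    request = _rule("aws:kms", cmk_arn)
    request["Bucket"] = bucket
    # S3 Bucket Keys cut KMS request volume without weakening the key policy.
    request["ServerSideEncryptionConfiguration"]["Rules"][0]["BucketKeyEnabled"] = True
    return request
```

The returned request can be passed straight to a boto3 client as `s3.put_bucket_encryption(**remediation_request(name, arn))`, and the same classifier can then confirm the bucket reads back as `sse-kms-cmk`.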