How to Encrypt S3 Buckets Automatically with Torq

Enforcing S3 Bucket Encryption Automatically with Torq

S3 buckets without encryption can leave sensitive data exposed and at risk. As a best practice, and to meet a number of industry and governmental regulations, it’s important to ensure that S3 server-side bucket encryption has been properly applied at all times.

To do this, many security teams rely on their Cloud Security Posture Management (CSPM) platform and/or AWS GuardDuty to monitor their AWS resources and provide alerts when an S3 bucket is found unencrypted.

CSPM tools make it easy to detect unencrypted S3 buckets, and AWS makes it as simple as flipping a switch to enable default encryption on any S3 bucket so that newly uploaded objects are protected. But for organizations running in AWS at scale, keeping pace with CSPM alerts and manual updates to S3 buckets can overwhelm security teams. Keeping data protected requires automating this process so that alerts are quickly routed to the right owners and encryption is applied as easily as possible.

How Torq automates AWS S3 bucket encryption

With Torq’s no-code automation, this process can be automated — ensuring your S3 data at rest is protected at all times.

This workflow template runs whenever an unencrypted S3 bucket is detected, performs one-click remediation, or opens a ticket for further follow-up if encryption cannot be enabled automatically.

Here’s how it works:

  1. Receive an unencrypted S3 bucket alert from your CSPM
  2. Using our built-in AWS CLI, automatically look up the bucket information and retrieve its tags, including the bucket owner
  3. Ask the bucket owner via Slack whether to enable default AES-256 encryption on the bucket
  4. If the owner approves, enable encryption and update the alert or issue in the CSPM
  5. If the owner declines or does not answer, open a Jira ticket for further follow-up

These steps ensure that there’s a human-in-the-loop process for applying encryption to S3 buckets, and that all alerts are routed in a timely fashion. This frees security teams from manually tracking down owners or applying encryption on a one-off basis, and ensures that data in S3 is protected at all times.
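Steps 2 to 5 above, as an added shell example that is not Torq’s own workflow or code: it checks a bucket’s default encryption with the AWS CLI, reads the owner from a bucket tag, and applies SSE-S3 (AES256) only when the owner has answered yes. Assumed, not taken from the page: the owner tag key is `Owner`, the Slack answer is passed in as a plain yes/no argument, and the Slack, CSPM and Jira calls are left to the caller.

```shell
#!/usr/bin/env bash
# Added example (not Torq's code). Assumptions: the bucket owner is stored
# in a tag named "Owner", and the owner's Slack reply arrives as a yes/no
# argument. Needs a configured AWS CLI with s3:GetEncryptionConfiguration,
# s3:GetBucketTagging and s3:PutEncryptionConfiguration on the bucket.
set -eu

# Default SSE algorithm of a bucket: "AES256", "aws:kms", or "NONE".
# get-bucket-encryption exits non-zero when no default rule exists.
bucket_encryption_status() {
  algo=$(aws s3api get-bucket-encryption --bucket "$1" \
      --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
      --output text 2>/dev/null) || algo=""
  echo "${algo:-NONE}"
}

# Value of the bucket's "Owner" tag, or an empty string if absent/untagged.
bucket_owner_tag() {
  owner=$(aws s3api get-bucket-tagging --bucket "$1" \
      --query "TagSet[?Key=='Owner'].Value | [0]" --output text 2>/dev/null) || owner=""
  [ "$owner" = "None" ] && owner=""
  echo "$owner"
}

# Apply SSE-S3 (AES256) default encryption only with approval.
# Exit status 0 = applied, 1 = skipped (caller opens the follow-up ticket).
enable_default_encryption() {
  bucket="$1"; approved="$2"
  if [ "$approved" != "yes" ]; then
    echo "skipped: $bucket (owner declined or did not answer; open a ticket)"
    return 1
  fi
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
  echo "applied: $bucket"
}

# Full check: skip already-encrypted buckets, otherwise route to the owner.
remediate() {
  bucket="$1"; approved="$2"
  status=$(bucket_encryption_status "$bucket")
  if [ "$status" != "NONE" ]; then
    echo "already encrypted ($status): $bucket"
    return 0
  fi
  owner=$(bucket_owner_tag "$bucket")
  echo "unencrypted: $bucket owner=${owner:-unknown}; approval=$approved"
  enable_default_encryption "$bucket" "$approved"
}

# Usage: ./s3-encrypt.sh <bucket> yes|no
if [ -n "${1:-}" ]; then remediate "$1" "${2:-no}"; fi
```

Note that `bucket_encryption_status` reports `NONE` instead of failing when no default rule is set, because `get-bucket-encryption` returns an error in that case; SSE-S3 applied this way protects new objects only, so existing objects still need a separate re-encryption pass.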

Get the workflow template

Already a Torq customer? You can find this workflow (Encrypt S3 Bucket in Response to Alert) and dozens more in Torq’s Workflow Library. Just add it to your Torq account, provide your CSPM and AWS credentials, create a CSPM policy that sends a webhook to Torq when an unencrypted bucket is found, and enjoy better protection of your S3 data.

You may also want to check out some of our other S3-related workflows, such as Enforcing HTTPS on S3 Buckets or Requiring Versioning for S3 Buckets.

Get Started Today

Not using Torq yet? Get in touch for a trial account and see how Torq’s no-code automation accelerates security operations to deliver unparalleled protection. 
