What is CIS AWS 2.1.2?

CIS AWS 2.1.2 (S3 Server-Side Encryption enforced) requires: S3 buckets configured with server-side encryption by default. This is a high-severity control.

How does EchelonGraph detect CIS AWS 2.1.2 violations?

EchelonGraph automatically detects CIS AWS 2.1.2 violations using scanner rule CIS-AWS-2-1-2. The scanner checks cloud infrastructure configurations in real-time and flags non-compliant resources.

How do I remediate CIS AWS 2.1.2?

aws s3api put-bucket-encryption --bucket \u003cname\u003e --server-side-encryption-configuration with SSE-S3 or SSE-KMS.

What audit questions are asked for CIS AWS 2.1.2?

Default encryption on all buckets? SSE-S3 or SSE-KMS? Bucket policy enforces upload encryption?

🟠CIS AWS 2.1.2Rule: CIS-AWS-2-1-2high

S3 Server-Side Encryption enforced

Description

S3 buckets configured with server-side encryption by default.

⚠️ Risk Impact

Unencrypted S3 buckets expose data when access controls fail. Default encryption is free + invisible to applications.

🔍 How EchelonGraph Detects This

CIS-AWS-2-1-2Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

aws s3api put-bucket-encryption --bucket <name> --server-side-encryption-configuration with SSE-S3 or SSE-KMS.

💀 Real-World Attack Scenario

An S3 bucket was misconfigured public. The bucket contained 2M unencrypted customer files. Encryption-at-rest would have rendered the data useless to the discoverer (SSE-S3 keys not exposed publicly). $1.4M-$8M notification cost depending on jurisdiction.

💰 Cost of Non-Compliance

Unencrypted-S3 incidents: avg $4.45M.

📋 Audit Questions

1.Default encryption on all buckets?
2.SSE-S3 or SSE-KMS?
3.Bucket policy enforces upload encryption?

🎯 MITRE ATT&CK Mapping

T1530 — Data from Cloud Storage

🏗️ Infrastructure as Code Fix

main.tf

resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
  bucket = aws_s3_bucket.main.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
    bucket_key_enabled = true
  }
}

⚡ Common Pitfalls

⛔Default encryption skipped for 'temporary' buckets
⛔SSE-S3 used where SSE-KMS would provide customer-managed keys
⛔No bucket policy enforcing upload-time encryption

📈 Business Value

Default encryption is free protection against access-control failures.

⏱️ Effort Estimate

Manual

10 minutes per bucket

With EchelonGraph

EchelonGraph audits + remediates encryption status

🔗 Cross-Framework References

SOC2-CC6.1NIST-SC-28

Automate CIS AWS 2.1.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.

Start Free →