Are my AWS Resources Encrypted or Unencrypted by Default?

Secure By Default: Are my AWS Resources Encrypted or Unencrypted by Default?

This is the accompanying blog post to our GitHub release: Encrypted by Default in AWS Tracker: If you have feedback or questions, direct them to info@fogsecurity.io, we'd love to hear from you.

A security trend that's picked up more traction in cloud recently is the concept of "secure by default". This is covered by such features such as Block Public Access by default (Remember S3 Buckets and the change AWS made in 2018) to the introduction of encrypted objects in S3 by default in 2023. Encryption can be crucial part of a data protection strategy and is often required by compliance frameworks. In cloud, encryption is offered by cloud providers and in AWS can be done by services such as KMS (Key Management Service) and CloudHSM.

That brings us to the question about encryption and security by default in cloud: Are my AWS resources encrypted or unencrypted by default?

We researched 43 AWS services that support encryption and tested 51 different types of resources including compute, database, storage, AI and machine learning, management and governance. These include EC2, Sagemaker, DynamoDB, S3, Secrets Manager, CloudWatch, RDS, and more.

‍Quick Statistics of Encryption by Default (as of July 2024)

Encrypted by Default: 39 (76.47%)
Unencrypted by Default: 12 (23.53%)
Encrypted by Default with AWS Owned Key: 22
Encrypted by Default with AWS Managed Key: 17
AWS Services Covered: 43
Total Resources: 51

Not only did we find varying states of encryption by default, we also found different encryption mechanisms including encrypted by default with AWS Owned Keys and encrypted by default with AWS Managed KMS Keys. For more information about AWS Managed KMS Keys, see our latest research here.

In this post, we'll cover:

Impact of the encryption by default on AWS Resources.
Details about KMS Options including AWS Owned Keys, AWS Managed Keys, and Customer Managed Keys.
Statistics on Encryption by Default and coverage by AWS Resources and Services.
Best Practices for Encryption in AWS and useful tips for ensuring encryption by default.
Wishlist for AWS including more encrypted by default settings.

Impact

Encryption Keys from AWS act as an additional layer of access control. For AWS Managed and Customer Managed Keys in KMS, access is controlled via the AWS Key Policy (Resource-Based Policy) and Key Grants.
Depending on the type of key used and the key policy if applicable, your data may not be as secure as you think in relation to access control and encryption key access.
AWS Managed Key Policies are controlled by AWS and typically implicitly grant access to IAM Principals within the same AWS Account. For more information, see our research on AWS Managed Key Policies at https://www.fogsecurity.io/blog/encryption-aws-managed-kms-keys.
The default key policy for Customer Managed Keys also typically implicitly grants access (In AWS's language, "enables IAM policies") to IAM Principals within the same AWS Account.
AWS Owned Keys are shared between AWS accounts and typically do not offer more access control security. From AWS: "unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice."

GitHub Repository: https://github.com/FogSecurity/aws-default-encryption-tracker

In this repository, we have a full listing of the 51 different types of resources and their encryption by default setting.
Feel free to contribute via GitHub or submit any feedback to info@fogsecurity.io

GitHub Link: Encrypted by Default in AWS

Encryption in AWS

Symmetric encryption in AWS Options include:

Unencrypted Resources
KMS Encryption with AWS Owned Keys
KMS Encryption with AWS Managed Keys
KMS Encryption with Customer Managed Keys
KMS Encryption with Customer Managed Keys (with External Key material)
Encryption via CloudHSM

Table from AWS KMS Documentation for types of KMS Keys

‍

Encryption Recommendations

Encrypt everything by default. This will at least help with compliance requirements. At the very least, can use an AWS Owned Key.
We recommend using AWS Managed or Customer Managed Keys where possible.
Monitor Key Policies. IAM Policies by themselves cannot grant access to a KMS Key. Access must be explicitly allowed, and never denied, in a key policy, IAM policy, or grant. This evaluation is different than most other resource-based policies.
Check with your company for encryption guidelines and guardrails.

Ensure Encryption by Default

Turn on AWS account settings to enforce encryption by default such as EBS Encryption by Default and X-Ray Trace Encryption by Default.
Use preventative tooling such as code linting to ensure resources created are encrypted on creation. Tools include cfn-guard.

Wishlist for AWS

Our wishlist for AWS includes the following changes to improve security and compliance by default:

Add encryption by default to all AWS resources (similar to the S3 change).
Remove unencrypted options for AWS resources.
At minimum, offer encryption with AWS Owned Keys.
Additional controls such as account settings (similar to EBS and X-Ray) and IAM conditions to help with enforcing options for encryption by default.

Research Methodology

To validate AWS resources and encryption, the following methods and process were used:

Many resources were created with the AWS CLI.
Default encryption and encryption type were validated with AWS CLI Describe and Get calls.
Additional validation of default encryption was performed via the AWS console.
CLI documentation and AWS documentation were referenced to validate default encryption and encryption type as well.

Note: Encryption results may be misleading. See our Quantum Ledger Database (QLDB) research here for an example of misleading reporting on encryption status.