
Fix: Unencrypted S3, EBS and RDS (Encryption at Rest)

2026-06-25

Unencrypted storage findings arrive in bulk — dozens of buckets, volumes, and databases at once — and they're among the easiest to clear permanently, because AWS now lets you set encryption on by default per account. That's why a still-red encryption finding at audit time reads as carelessness: the fix is a one-time setting, not a per-resource slog.

The findings: Security Hub [S3.4] (S3 default encryption), [EC2.7] (EBS encryption by default), [RDS.3] (RDS encryption).

Practitioner guidance, not legal or audit advice.

S3 — encrypted by default already, verify it

New buckets are encrypted by default with SSE-S3. To enforce a customer-managed KMS key for stronger control:

aws s3api put-bucket-encryption --bucket <bucket> \
  --server-side-encryption-configuration '{
    "Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<kms-arn>"}}]}'

EBS — turn on encryption by default (the big one)

This single account+region setting means every new volume is encrypted, clearing the finding going forward:

aws ec2 enable-ebs-encryption-by-default --region <region>
aws ec2 modify-ebs-default-kms-key-id --kms-key-id <kms-arn> --region <region>

Do it in every region. Existing unencrypted volumes have to be re-created from an encrypted snapshot — script it for the stragglers, but the default-on setting stops the bleeding immediately.
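The every-region loop described above, as an added example that is not from the original post. It assumes AWS CLI v2 with credentials that allow ec2:DescribeRegions, ec2:EnableEbsEncryptionByDefault, ec2:ModifyEbsDefaultKmsKeyId and ec2:GetEbsEncryptionByDefault, and it takes a KMS alias (the name alias/ebs-default is assumed) rather than a key ARN, because a KMS key is regional and one ARN cannot be the default in every region.

```shell
#!/bin/sh
# Added example: enable EBS encryption by default in every enabled region,
# optionally set a customer-managed key as the default, and read the
# setting back so a region that did not take the change is reported.
set -eu

# Regions the account can use; disabled opt-in regions would reject the calls.
enabled_regions() {
  aws ec2 describe-regions \
    --filters Name=opt-in-status,Values=opt-in-not-required,opted-in \
    --query 'Regions[].RegionName' --output text | tr '\t' '\n'
}

# One region: turn the default on, set the key if given, verify it reads True.
# The key is passed as an alias (assumed name: alias/ebs-default) so the same
# argument resolves to that region's own key; a key ARN only exists in one region.
enable_region() {
  region="$1"; key_id="${2:-}"
  aws ec2 enable-ebs-encryption-by-default --region "$region" --output text >/dev/null
  if [ -n "$key_id" ]; then
    aws ec2 modify-ebs-default-kms-key-id --region "$region" \
      --kms-key-id "$key_id" --output text >/dev/null
  fi
  state=$(aws ec2 get-ebs-encryption-by-default --region "$region" \
    --query 'EbsEncryptionByDefault' --output text)
  [ "$state" = "True" ]
}

# All regions: print "<region> ok|FAILED"; the return value is the number of
# regions that did not end up with the default on, so CI can fail on drift.
enable_all_regions() {
  key_id="${1:-}"; failures=0
  for r in $(enabled_regions); do
    if enable_region "$r" "$key_id"; then
      echo "$r ok"
    else
      echo "$r FAILED"; failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Only apply when asked, so the functions can be sourced or tested safely:
#   sh enable-ebs-default.sh apply alias/ebs-default
if [ "${1:-}" = "apply" ]; then
  enable_all_regions "${2:-}"
fi
```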

RDS — encrypt at creation

RDS encryption can't be toggled on an existing instance; you encrypt by restoring from an encrypted snapshot:

  1. Snapshot the unencrypted instance.
  2. Copy the snapshot with a KMS key (--kms-key-id).
  3. Restore from the encrypted copy, then cut over.

For new instances, make encryption mandatory via an SCP or Config remediation so it's never skipped.

Keep it fixed

Config rules s3-bucket-server-side-encryption-enabled, encrypted-volumes, and rds-storage-encrypted flag regressions. Watch the KMS side too: kms-cmk-not-scheduled-for-deletion prevents a key deletion silently breaking access.

Why it matters — and what it doesn't fix

Encryption at rest is CPS 234 Para 21 data protection, and it limits blast radius when something else fails. But don't mistake it for complete data protection — as covered in controls that are theatre, encryption is the easy win, while the access controls that actually prevent the breach are the harder, higher-value work. Do encryption because it's easy, then spend the real effort on least privilege and attack surface.


Primary sources: EBS encryption by default · Security Hub FSBP standard
