Enforce encryption at rest

PostedNovember 28, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Ensuring the security of data at rest is crucial for maintaining the confidentiality and integrity of sensitive information. Implementing encryption serves as a primary defensive mechanism against unauthorized access or accidental data exposure.

Best Practices

Implement Robust Encryption Standards

Utilize strong encryption algorithms such as AES-256 to protect data at rest. This ensures a high level of security against unauthorized access and helps comply with regulatory requirements.
Ensure that encryption keys are managed securely using AWS Key Management Service (KMS) or AWS CloudHSM to control access to encryption keys and perform auditing, providing an additional layer of security.
Regularly review and rotate encryption keys to minimize the risk of key compromise. Implement a strategy for key rotation that aligns with your organization’s security policies.
Define and enforce policies for data classification to ensure that sensitive data is identified and subject to encryption requirements. This helps prioritize resources and efforts to protect the most critical data.

Use Comprehensive Data Protection Measures

Incorporate access controls such as IAM policies and resource-based policies to restrict access to encrypted data to only authorized personnel and services.
Implement logging and monitoring through AWS CloudTrail and Amazon CloudWatch to detect access patterns that may indicate unauthorized attempts to access data, ensuring swift response to potential threats.
Evaluate using services like Amazon S3 Object Lock for immutable storage which prevents accidental or malicious data deletion, and ensure data integrity alongside confidentiality.

Establish Strong Compliance and Auditing Practices

Ensure that your encryption practices are documented and regularly audited to comply with applicable regulations and organizational policies.
Conduct regular assessments and penetration tests to identify potential vulnerabilities related to your data encryption practices and address any gaps in security promptly.
Create a clear incident response plan outlining how to respond to breaches of encrypted data, including a process for notifying affected parties when necessary.

Questions to ask your team

Is encryption at rest enforced for all sensitive data across your AWS services?
What encryption standards or protocols are you using for encrypting data at rest?
How do you manage and rotate encryption keys to ensure data security?
Are there regular audits conducted to verify compliance with encryption policies?
What mechanisms do you have in place to ensure that encryption is correctly configured for new data stores?

Who should be doing this?

Security Engineer

Design and implement encryption solutions for data at rest.
Monitor the compliance of encryption policies across all data storage services.
Evaluate and select encryption technologies that meet regulatory requirements.

Data Owner

Identify sensitive data that needs protection through encryption.
Ensure that data classification policies are followed for encryption purposes.
Work with IT to establish and communicate data handling standards.

Compliance Officer

Ensure that encryption standards align with legal and regulatory requirements.
Conduct regular audits to verify implementation of encryption controls.
Raise awareness about the importance of protecting data at rest.

IT Architect

Design architecture that incorporates encryption for data at rest.
Ensure that encryption solutions do not negatively impact system performance.
Provide guidelines for encryption implementation across various data storage systems.

Cloud Administrator

Configure and manage cloud services to enforce encryption at rest.
Regularly update and patch encryption technologies used in the infrastructure.
Monitor access and use of encrypted data to detect unauthorized access.

What evidence shows this is happening in your organization?

Data Encryption Policy: A formal policy document outlining the organization’s requirements for encrypting data at rest, including mandatory encryption algorithms, key management practices, and compliance requirements.
Data Encryption Checklist: A comprehensive checklist to ensure all data at rest is encrypted. It includes verification of encryption methods, review of audit logs, and compliance checks with encryption policies.
Encryption Implementation Guide: A guide that outlines the steps for implementing encryption technologies across various data storage solutions, including cloud services, databases, and on-premises storage.
Encryption Dashboard: An interactive dashboard that visualizes encryption status for all data stores within the organization, allowing real-time monitoring of compliance with encryption policies.
Encryption Strategy Document: A strategic plan that details how the organization will implement and maintain encryption for data at rest, including risk assessments, resource allocations, and timelines for deployment.

Cloud Services

AWS

Amazon S3: Amazon S3 allows you to store and retrieve data securely, enabling server-side encryption (SSE) to protect data at rest automatically.
Amazon RDS: Amazon RDS provides encryption at rest using AWS Key Management Service (KMS) to secure your database storage.
AWS Key Management Service (KMS): AWS KMS allows you to create and control the encryption keys used to encrypt your data across AWS services.

Azure

Azure Blob Storage: Azure Blob Storage provides built-in encryption at rest for your data to ensure its confidentiality.
Azure SQL Database: Azure SQL Database offers Transparent Data Encryption (TDE) to encrypt data at rest in SQL databases.
Azure Key Vault: Azure Key Vault safeguards your cryptographic keys and secrets, which can be used for encrypting data at rest.

Google Cloud Platform

Google Cloud Storage: Google Cloud Storage automatically encrypts data at rest, ensuring the security and privacy of your data.
Google Cloud SQL: Google Cloud SQL provides automatic encryption at rest for your database instances, ensuring compliance and security.
Google Cloud Key Management: Google Cloud Key Management allows you to manage cryptographic keys for your cloud services, enhancing data security.

Question: How do you protect your data at rest?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals