da-2 | High priority | Data Security

Sensitive data at rest is encrypted using current standards

Encryption at rest protects data when storage media is stolen, improperly disposed of, or accessed by an attacker who has compromised infrastructure but not yet obtained encryption keys. The standard is AES-256 for symmetric encryption. Many cloud providers encrypt storage by default, but default encryption often uses provider-managed keys, which means the cloud provider can theoretically access your data. For truly sensitive data, customer-managed keys provide meaningful additional separation. The critical point is that encryption must actually be applied to the sensitive data stores identified in your data inventory.

Complete first: da-1

Implementation steps

  1. Enable encryption at rest for all databases holding sensitive data

     Enable storage encryption for every database that contains classified-confidential or restricted data. For AWS RDS, enable encryption at creation time using KMS. For Aurora, DynamoDB, and Redshift, encryption can be enabled without downtime. For Azure SQL and Cosmos DB, Transparent Data Encryption is enabled by default, but verify it has not been disabled. For GCP Cloud SQL and Spanner, storage encryption is on by default.

     aws-kms aws-rds azure-sql gcp-cloud-sql hashicorp-vault

  2. Encrypt object storage buckets containing sensitive data

     Verify that all S3 buckets, Azure Blob containers, or GCS buckets holding sensitive data have encryption enabled. Apply bucket policies that deny uploads that do not use server-side encryption. For highly sensitive data, use customer-managed keys (CMK) via KMS rather than AWS-managed keys so you retain control over key rotation and deletion.

     aws-s3 aws-kms azure-storage gcp-cloud-storage checkov

  3. Verify encryption coverage using IaC scanning and cloud configuration tools

     Run IaC scanning tools against your Terraform or CloudFormation to catch resources deployed without encryption. Run cloud security posture management tools to detect unencrypted storage that was provisioned outside of IaC. Set up automated alerts for any new storage resource created without encryption enabled.

     checkov tfsec aws-config wiz orca-security prisma-cloud
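The kind of check step 3 describes, as an added example that is not part of this control page or of any of the listed tools: a small Python script that reads the JSON a Terraform plan produces (`terraform show -json tfplan`) and flags RDS resources planned with `storage_encrypted = false` and S3 buckets with no `aws_s3_bucket_server_side_encryption_configuration` attached. The sample plan, bucket names and KMS ARN are constructed.

```python
# Flag data stores planned without encryption at rest in a Terraform plan
# (`terraform show -json tfplan`). Constructed sample; not checkov/tfsec itself.
import json

DB_TYPES = {"aws_db_instance", "aws_rds_cluster"}
SSE_TYPE = "aws_s3_bucket_server_side_encryption_configuration"


def _walk(module):
    """Yield every planned resource in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_unencrypted(plan):
    """Return sorted addresses of RDS resources with storage_encrypted false
    and S3 buckets lacking a server_side_encryption_configuration resource."""
    resources = list(_walk(plan.get("planned_values", {}).get("root_module", {})))
    # Bucket names that have an SSE configuration resource attached.
    sse_buckets = {r["values"].get("bucket") for r in resources if r["type"] == SSE_TYPE}
    findings = []
    for r in resources:
        vals = r.get("values", {})
        if r["type"] in DB_TYPES and not vals.get("storage_encrypted", False):
            findings.append(r["address"])
        elif r["type"] == "aws_s3_bucket" and vals.get("bucket") not in sse_buckets:
            findings.append(r["address"])
    return sorted(findings)


# Constructed sample plan: one encrypted and one unencrypted RDS instance,
# one bucket with SSE configured and one without. KMS ARN is a placeholder.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
 {"address": "aws_db_instance.orders", "type": "aws_db_instance",
  "values": {"storage_encrypted": true, "kms_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}},
 {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
  "values": {"storage_encrypted": false}},
 {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket", "values": {"bucket": "acme-exports"}},
 {"address": "aws_s3_bucket_server_side_encryption_configuration.exports",
  "type": "aws_s3_bucket_server_side_encryption_configuration", "values": {"bucket": "acme-exports"}},
 {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket", "values": {"bucket": "acme-scratch"}}
]}}}
""")

if __name__ == "__main__":
    for addr in find_unencrypted(SAMPLE_PLAN):
        print("UNENCRYPTED:", addr)
```

Run it in CI against the plan of every pull request and fail the build on a non-empty result; resources provisioned outside IaC still need the posture-management check the step describes.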

Evidence required

Database and storage encryption configuration

Evidence that sensitive data stores have encryption at rest enabled.

  • AWS RDS instance settings showing encryption enabled with KMS key ARN
  • S3 bucket default encryption configuration screenshot
  • Azure SQL Transparent Data Encryption status showing enabled
  • AWS Config rule results confirming encrypted-volumes compliance

Related controls