SEC08-BP02: Enforce encryption at rest

Overview

Enforcing encryption at rest ensures that all stored data is protected from unauthorized access, even if physical storage media is compromised. This best practice focuses on implementing comprehensive encryption policies across all data storage services, using appropriate encryption methods, and ensuring consistent enforcement through automated controls.

Encryption at rest should be applied to all data stores including databases, file systems, object storage, backups, and logs. The implementation should be transparent to applications while providing strong cryptographic protection for sensitive data.

Implementation Guidance

1. Implement Service-Level Encryption

Enable encryption at rest for all AWS storage services:

• Amazon S3: Server-side encryption with KMS, S3-managed keys, or customer-provided keys
• Amazon RDS: Database encryption with KMS keys for all database engines
• Amazon EBS: Volume encryption for all EC2 instance storage
• Amazon DynamoDB: Table encryption with KMS keys
• Amazon Redshift: Cluster encryption for data warehouse workloads
• Amazon EFS: File system encryption for shared storage

2. Use Strong Encryption Standards

Implement industry-standard encryption algorithms:

• AES-256: Advanced Encryption Standard with 256-bit keys
• KMS Integration: Use AWS KMS for key management and encryption
• Hardware Security Modules: Leverage HSM-backed encryption where required
• Encryption in Transit: Combine with encryption in transit for comprehensive protection

3. Automate Encryption Enforcement

Deploy automated controls to ensure encryption compliance:

• Service Control Policies: Prevent creation of unencrypted resources
• AWS Config Rules: Monitor and report on encryption compliance
• CloudFormation Guards: Validate encryption in infrastructure templates
• Lambda Functions: Automated remediation for non-compliant resources

4. Implement Granular Encryption Policies

Apply appropriate encryption based on data sensitivity:

• Data Classification: Use different encryption keys based on data classification
• Field-Level Encryption: Encrypt specific sensitive fields in databases
• Client-Side Encryption: Implement application-level encryption for highly sensitive data
• Envelope Encryption: Use data keys encrypted with master keys for performance

5. Monitor Encryption Compliance

Establish comprehensive monitoring for encryption status:

• Compliance Dashboards: Real-time visibility into encryption status
• Automated Alerts: Notifications for encryption policy violations
• Audit Reports: Regular compliance reporting for security reviews
• Remediation Workflows: Automated fixing of encryption gaps

6. Plan for Key Rotation and Recovery

Ensure encryption keys are properly managed:

• Automatic Key Rotation: Enable regular rotation of encryption keys
• Backup Encryption: Encrypt all backup data with appropriate keys
• Disaster Recovery: Ensure encrypted data can be recovered across regions
• Key Archival: Maintain access to historical encryption keys

Implementation Examples

Example 1: Comprehensive Encryption Enforcement System

Code snippet hidden for website display

Example 2: Service Control Policies for Encryption Enforcement

Code snippet hidden for website display

Example 3: AWS Config Rules for Encryption Monitoring

Code snippet hidden for website display

Example 4: CloudFormation Template for Encryption-by-Default

Code snippet hidden for website display

Relevant AWS Services

Core Encryption Services

• Amazon S3: Server-side encryption with KMS, S3-managed keys, or customer-provided keys
• Amazon RDS: Database encryption for all supported database engines
• Amazon EBS: Volume encryption for EC2 instances
• Amazon DynamoDB: Table encryption with KMS keys
• Amazon EFS: File system encryption for shared storage
• Amazon Redshift: Data warehouse encryption

Key Management Integration

• AWS Key Management Service (KMS): Centralized key management for encryption
• AWS CloudHSM: Hardware security modules for high-security requirements
• AWS Certificate Manager: SSL/TLS certificate management

Compliance and Monitoring

• AWS Config: Configuration compliance monitoring and rules
• AWS CloudTrail: Audit logging for encryption-related activities
• Amazon CloudWatch: Monitoring and alerting for encryption compliance
• AWS Security Hub: Centralized security findings management

Automation and Enforcement

• AWS Organizations: Service Control Policies for encryption enforcement
• AWS Lambda: Automated remediation functions
• Amazon EventBridge: Event-driven encryption compliance workflows
• AWS Systems Manager: Automated configuration management

Benefits of Enforcing Encryption at Rest

Security Benefits

• Data Protection: Comprehensive protection against unauthorized access
• Compliance Assurance: Meet regulatory requirements for data protection
• Defense in Depth: Additional security layer beyond access controls
• Key Management: Centralized control over encryption keys

Operational Benefits

• Automated Enforcement: Prevent creation of unencrypted resources
• Consistent Implementation: Uniform encryption across all services
• Transparent Operation: No impact on application functionality
• Scalable Management: Centralized encryption policy management

Compliance Benefits

• Regulatory Adherence: Meet GDPR, HIPAA, PCI DSS requirements
• Audit Readiness: Complete audit trails for encryption activities
• Risk Mitigation: Reduce risk of data breaches and compliance violations
• Documentation: Comprehensive encryption compliance reporting

Related Resources

• AWS Well-Architected Framework - Data at Rest Protection
• AWS Encryption at Rest
• Amazon S3 Encryption
• Amazon RDS Encryption
• AWS Config Rules for Encryption
• AWS Security Blog - Encryption