SOC2-CC6-ENCRYPTION-REST

Encryption at Rest

Type: preventive | Effectiveness: high | Frequency: monthly

What this control does

Encryption of all data-at-rest in databases, object storage, and backups using industry-standard algorithms.

Implementation guidance

Enable AES-256 encryption on all RDS/Cloud SQL instances, S3/GCS buckets, and EBS/persistent disk volumes using platform-managed keys. For highly sensitive data, use customer-managed keys (CMK) in KMS. Verify encryption status monthly via a cloud configuration audit.

Requirements satisfied

CC6.1, CC6.7

Why it matters

Unencrypted data at rest is immediately accessible if storage is compromised via stolen drives, misconfigured permissions, or physical theft, exposing PII, financial records, and trade secrets. Encryption renders stolen data unusable without the encryption key, meeting CC6.1 and CC6.7 requirements and reducing breach impact severity and notification scope.

Evidence to collect

  • AWS KMS key policy and alias list showing CMK creation date and key rotation status; GCP Key Management Service configuration showing encryption key creation and rotation settings
  • RDS/Cloud SQL encryption configuration screenshots showing AES-256 enabled, backup encryption enabled, and automated key rotation settings
  • S3/GCS bucket encryption policy (bucket properties or gcloud command output) confirming default encryption and denying unencrypted uploads via bucket policy
  • EBS/persistent disk encryption audit report from Security Command Center or Config showing encrypted vs. unencrypted volume inventory and launch template defaults

Testing procedure

Request the monthly cloud config audit report filtering for encryption status across all RDS, S3, EBS, and backup resources. Manually verify 3–5 critical databases and storage buckets by checking their encryption settings in the console; confirm key rotation is enabled and occurred within the last 90 days. Attempt to attach an unencrypted EBS volume to a live instance to confirm launch template policies block it.
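The implementation guidance and the testing procedure above both come down to the same check: every storage resource encrypted, sensitive data under a customer-managed key, and key rotation enabled and recent. The script below is an added example, not part of the original control text or of any cloud provider's tooling, that runs that audit offline over a constructed inventory. The inventory is sample data shaped loosely like trimmed `aws ec2 describe-volumes`, `aws rds describe-db-instances`, `aws s3api get-bucket-encryption` and `aws kms get-key-rotation-status` output; the `alias/...` key names, resource ids, `LastRotated` field and the `AUDIT_DATE` constant are assumptions chosen for the example, and a real run would load the same fields from a Config or Security Command Center export.

```python
"""Offline encryption-at-rest audit over a constructed cloud inventory.

Added example for the control text above; the data and field names are
constructed, not real account output.
"""
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)   # 90-day window from the testing procedure
AWS_MANAGED_PREFIX = "alias/aws/"       # platform-managed keys (aws/rds, aws/ebs, aws/s3)
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible

# Constructed sample inventory: compliant and non-compliant items of each type.
INVENTORY = {
    "ebs_volumes": [
        {"VolumeId": "vol-0a1", "Encrypted": True,  "KmsKeyId": "alias/prod-data-cmk"},
        {"VolumeId": "vol-0b2", "Encrypted": False, "KmsKeyId": None},
    ],
    "rds_instances": [
        {"DBInstanceIdentifier": "orders-db",  "StorageEncrypted": True,  "KmsKeyId": "alias/prod-data-cmk"},
        {"DBInstanceIdentifier": "legacy-db",  "StorageEncrypted": True,  "KmsKeyId": "alias/aws/rds"},
        {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": False, "KmsKeyId": None},
    ],
    "s3_buckets": [
        {"Name": "pii-exports", "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/prod-data-cmk"},
        {"Name": "web-assets",  "SSEAlgorithm": "AES256",  "KMSMasterKeyID": None},
        {"Name": "old-backups", "SSEAlgorithm": None,      "KMSMasterKeyID": None},
    ],
    "kms_keys": [
        {"KeyId": "alias/prod-data-cmk", "KeyRotationEnabled": True,  "LastRotated": "2024-04-01"},
        {"KeyId": "alias/stale-cmk",     "KeyRotationEnabled": True,  "LastRotated": "2024-01-01"},
        {"KeyId": "alias/archive-cmk",   "KeyRotationEnabled": False, "LastRotated": "2023-01-15"},
    ],
}


def is_platform_managed(key_id):
    """True when a resource is encrypted with an AWS-managed key (or none recorded)
    rather than a customer-managed key, which is the 'Common gotchas' case."""
    return key_id is None or key_id.startswith(AWS_MANAGED_PREFIX)


def audit(inventory, now):
    """Return a list of (severity, resource, message) findings for the inventory."""
    findings = []
    for v in inventory["ebs_volumes"]:
        if not v["Encrypted"]:
            findings.append(("high", v["VolumeId"], "EBS volume is not encrypted"))
    for db in inventory["rds_instances"]:
        name = db["DBInstanceIdentifier"]
        if not db["StorageEncrypted"]:
            findings.append(("high", name, "RDS storage is not encrypted"))
        elif is_platform_managed(db["KmsKeyId"]):
            findings.append(("medium", name, "RDS encrypted with AWS-managed key, not a CMK"))
    for b in inventory["s3_buckets"]:
        if b["SSEAlgorithm"] is None:
            findings.append(("high", b["Name"], "S3 bucket has no default encryption"))
        elif b["SSEAlgorithm"] != "aws:kms" or is_platform_managed(b["KMSMasterKeyID"]):
            findings.append(("medium", b["Name"], "S3 bucket uses S3/AWS-managed key, not a CMK"))
    for k in inventory["kms_keys"]:
        last = datetime.strptime(k["LastRotated"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age = now - last
        if not k["KeyRotationEnabled"]:
            findings.append(("medium", k["KeyId"], "automatic key rotation is disabled"))
        elif age > ROTATION_MAX_AGE:
            findings.append(("medium", k["KeyId"], f"last rotation {age.days} days ago exceeds 90"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 4}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def run_sample_audit(now=AUDIT_DATE):
    """Audit the constructed inventory as of the fixed audit date."""
    return audit(INVENTORY, now)


if __name__ == "__main__":
    results = run_sample_audit()
    for severity, resource, message in results:
        print(f"[{severity}] {resource}: {message}")
    print("summary:", summarize(results))
```

The report separates "not encrypted" (high) from "encrypted with a platform-managed key" (medium) because both show up as "encrypted: yes" in a console screenshot, yet only the CMK case gives you control over the key lifecycle that the control requires for sensitive data. Feeding this the monthly config export, rather than relying on console spot checks alone, is what makes the "retrofit legacy storage" gotcha visible.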

Common gotchas

Teams often enable encryption but leave the default AWS-managed keys in place instead of using customer-managed keys for sensitive data, which reduces your control over the key lifecycle. Another common mistake is enabling encryption on new resources while legacy databases and S3 buckets remain unencrypted. Perform a full inventory and retrofit encryption on existing storage before considering this control complete.