SEC08-BP02 Enforce encryption at rest - AWS Well-Architected Framework (2022-03-31)

SEC08-BP02 Enforce encryption at rest

You should ensure that the only way to store data is by using encryption. AWS Key Management Service (AWS KMS) integrates seamlessly with many AWS services to make it easier for you to encrypt all your data at rest. For example, in Amazon Simple Storage Service (Amazon S3), you can set default encryption on a bucket so that all new objects are automatically encrypted. Additionally, Amazon Elastic Compute Cloud (Amazon EC2) and Amazon S3 support the enforcement of encryption by setting default encryption. You can use AWS Config Rules to check automatically that you are using encryption, for example, for Amazon Elastic Block Store (Amazon EBS) volumes, Amazon Relational Database Service (Amazon RDS) instances, and Amazon S3 buckets.

Level of risk exposed if this best practice is not established: High

Implementation guidance

  • Enforce encryption at rest for Amazon Simple Storage Service (Amazon S3): Implement Amazon S3 bucket default encryption.

  • Use AWS Secrets Manager: Secrets Manager is an AWS service that makes it easy for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.

  • Configure default encryption for new EBS volumes: Specify that you want all newly created EBS volumes to be created in encrypted form, with the option of using the default key provided by AWS, or a key that you create.

  • Configure encrypted Amazon Machine Images (AMIs): Copying an existing AMI with encryption enabled will automatically encrypt root volumes and snapshots.

  • Configure Amazon Relational Database Service (Amazon RDS) encryption: Configure encryption for your Amazon RDS database clusters and snapshots at rest by enabling the encryption option.

  • Configure encryption in additional AWS services: For the AWS services you use, determine the encryption capabilities.


Related documents:

Related videos: