SEC 8: How do you protect your data at rest?
Protect your data at rest by implementing multiple controls, to reduce the risk of unauthorized access or mishandling.
How Encryption Works in AWS
Securing Your Block Storage on AWS
AWS Key Management Service
Protecting Amazon S3 Data Using Encryption
Amazon EBS Encryption
Encrypting Amazon RDS Resources
AWS KMS Cryptographic Details Whitepaper
AWS Encryption SDK
AWS Crypto Tools
AWS cryptographic services and tools
Implement secure key management: Encryption keys must be stored securely, with strict access control, for example, by using a key management service such as AWS KMS. Consider using different keys, and access control to the keys, combined with the AWS IAM and resource policies, to align with data classification levels and segregation requirements.
Enforce encryption at rest: Enforce your encryption requirements based on the latest standards and recommendations to help protect your data at rest.
Automate data at rest protection: Use automated tools to validate and enforce data at rest protection continuously, for example, verify that there are only encrypted storage resources.
Enforce access control: Enforce access control with least privileges and mechanisms, including backups, isolation, and versioning, to help protect your data at rest. Prevent operators from granting public access to your data.
Use mechanisms to keep people away from data: Keep all users away from directly accessing sensitive data and systems under normal operational circumstances. For example, provide a dashboard instead of direct access to a data store to run queries. Where CI/CD pipelines are not used, determine which controls and processes are required to adequately provide a normally disabled break-glass access mechanism.
Implement secure key management
Getting started: AWS Key Management Service (AWS KMS)
AWS Encryption SDK
Enforce encryption at rest
How do I enable default encryption for an S3 bucket?
AWS Secrets Manager
Default encryption for EBS volumes
AMIs with encrypted Snapshots
Encrypting Amazon RDS resources
Automate data at rest protection
Enforce access control
Introduction to Managing Access Permissions to Your Amazon S3 Resources
Overview of managing access to your AWS KMS resources
AWS Config Rules
Amazon S3 + Amazon CloudFront: A Match Made in the Cloud
Locking Objects Using Amazon S3 Object Lock
Amazon S3 Inventory
Sharing an Amazon EBS Snapshot
Use mechanisms to keep people away from data
AWS Systems Manager
CI/CD Pipeline for AWS CloudFormation templates on AWS