Cyber Resilience

Controls

What cloud configurations do I need to worry about to implement encryption at rest?

This page maps high-level controls (NIST 800-53 r5; more frameworks to come) to the specific cloud-platform configurations that satisfy them. Future expansion: live findings from CSPM tools, CVE coverage reverse-lookup, and threat-technique mitigation paths.

Catalogue summary

1 framework
163 implementations
24 cloud platforms (encryption at rest)

Framework | Rows | Composition
NIST_800-53_r5 | 1,216 | family (20), control (324), enhancement (872)

Risk-prioritised gaps — top 25 CVEs

The 25 annotated CVEs with the highest risk priority, each paired with its single strongest mitigating NIST 800-53 r5 control. Rows marked gap are CVEs whose top mitigation has no implementation in our catalogue — these are where automated verification is missing today. Currently 13 of the 25 top-risk CVEs are gaps.

CVE | Risk | CVSS | EPSS | Top mitigating control | Match | Impl status
CVE-2002-0367 | 10.0 (KEV) | 7.8 | 0.0519 | AC-3 Access Enforcement | good | ✅ has impl
CVE-2004-0210 | 10.0 (KEV) | 7.8 | 0.0761 | SI-16 Memory Protection | good | gap
CVE-2004-1464 | 10.0 (KEV) | 5.9 | 0.0513 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2005-2773 | 10.0 (KEV) | 9.8 | 0.7409 | SI-10 Information Input Validation | good | gap
CVE-2006-1547 | 10.0 (KEV) | 7.5 | 0.5464 | SI-10 Information Input Validation | good | gap
CVE-2006-2492 | 10.0 (KEV) | 8.8 | 0.4839 | SI-10 Information Input Validation | good | gap
CVE-2007-0671 | 10.0 (KEV) | 8.8 | 0.4214 | SI-3 Malicious Code Protection | good | gap
CVE-2007-3010 | 10.0 (KEV) | 9.8 | 0.9741 | SI-10 Information Input Validation | good | gap
CVE-2007-5659 | 10.0 (KEV) | 7.8 | 0.9422 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2008-0015 | 10.0 (KEV) | 8.8 | 0.7665 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2008-0655 | 10.0 (KEV) | 8.8 | 0.3684 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2008-2992 | 10.0 (KEV) | 7.8 | 0.9848 | SI-10 Information Input Validation | good | gap
CVE-2008-4250 | 10.0 (KEV) | 9.8 | 0.9875 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2009-0238 | 10.0 (KEV) | 8.8 | 0.4306 | SI-3 Malicious Code Protection | good | gap
CVE-2009-0556 | 10.0 (KEV) | 8.8 | 0.6754 | SI-3 Malicious Code Protection | good | gap
CVE-2009-0557 | 10.0 (KEV) | 7.8 | 0.5855 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2009-0563 | 10.0 (KEV) | 7.8 | 0.6308 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2009-0927 | 10.0 (KEV) | 8.8 | 0.9660 | SI-10 Information Input Validation | good | gap
CVE-2009-1123 | 10.0 (KEV) | 7.8 | 0.0492 | AC-3 Access Enforcement | good | ✅ has impl
CVE-2009-1151 | 10.0 (KEV) | 9.8 | 0.9544 | SI-10 Information Input Validation | good | gap
CVE-2009-1537 | 10.0 (KEV) | 8.8 | 0.5093 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2009-1862 | 10.0 (KEV) | 7.8 | 0.2501 | SI-2 Flaw Remediation | good | ✅ has impl
CVE-2009-2055 | 10.0 (KEV) | 5.9 | 0.0333 | SI-10 Information Input Validation | good | gap
CVE-2009-3129 | 10.0 (KEV) | 7.8 | 0.8573 | SI-10 Information Input Validation | good | gap
CVE-2009-3459 | 10.0 (KEV) | 8.8 | 0.8647 | SI-2 Flaw Remediation | good | ✅ has impl

KEV coverage — controls that block actively-exploited threats

For each of CISA's 1,631 Known Exploited Vulnerabilities, we pick the single strongest mitigating NIST 800-53 r5 control (per-CVE LLM annotation when available, falling back to the CWE→control mapping). The table below shows the top 20 controls ranked by how many KEV CVEs they would mitigate. 1,621 of 1,631 KEV CVEs (99%) are attributed to a control.

Control | Title | Family | # KEV blocked | % of KEV | Sample KEV CVEs
SI-2 | Flaw Remediation | SI | 579 | 35.5% | CVE-2004-1464, CVE-2007-5659, CVE-2008-0015
SI-10 | Information Input Validation | SI | 468 | 28.7% | CVE-2005-2773, CVE-2006-1547, CVE-2006-2492
AC-3 | Access Enforcement | AC | 296 | 18.1% | CVE-2002-0367, CVE-2009-1123, CVE-2012-3152
SI-16 | Memory Protection | SI | 81 | 5.0% | CVE-2004-0210, CVE-2010-0249, CVE-2010-0806
AC-6 | Least Privilege | AC | 32 | 2.0% | CVE-2013-5065, CVE-2016-0167, CVE-2016-3643
CM-7 | Least Functionality | CM | 19 | 1.2% | CVE-2010-0738, CVE-2010-1428, CVE-2016-3718
SC-5 | Denial-of-service Protection | SC | 13 | 0.8% | CVE-2017-12234, CVE-2017-12237, CVE-2017-12238
SI-3 | Malicious Code Protection | SI | 12 | 0.7% | CVE-2007-0671, CVE-2009-0238, CVE-2009-0556
IA-5 | Authenticator Management | IA | 12 | 0.7% | CVE-2013-0632, CVE-2014-1812, CVE-2020-8657
SC-7 | Boundary Protection | SC | 12 | 0.7% | CVE-2016-8735, CVE-2017-12235, CVE-2017-6740
SI-7 | Software, Firmware, and Information Integrity | SI | 8 | 0.5% | CVE-2012-0151, CVE-2020-1464, CVE-2021-44168
SC-18 | Mobile Code | SC | 8 | 0.5% | CVE-2012-0158, CVE-2012-0507, CVE-2012-0767
SA-22 | Unsupported System Components | SA | 8 | 0.5% | CVE-2020-9377, CVE-2021-45382, CVE-2024-0769
AC-4 | Information Flow Enforcement | AC | 7 | 0.4% | CVE-2019-16256, CVE-2019-9621, CVE-2021-21311
CM-14 | Signed Components | CM | 6 | 0.4% | CVE-2016-3235, CVE-2021-25395, CVE-2022-40139
SC-12 | Cryptographic Key Establishment and Management | SC | 6 | 0.4% | CVE-2016-4437, CVE-2017-9248, CVE-2019-18988
CM-6 | Configuration Settings | CM | 5 | 0.3% | CVE-2013-3900, CVE-2022-0028, CVE-2024-56145
SI-11 | Error Handling | SI | 5 | 0.3% | CVE-2013-7331, CVE-2021-1906, CVE-2023-28771
SC-13 | Cryptographic Protection | SC | 4 | 0.2% | CVE-2017-1000486, CVE-2017-11317, CVE-2018-15811
SC-39 | Process Isolation | SC | 3 | 0.2% | CVE-2019-0211, CVE-2020-16017, CVE-2025-22225

Coverage gaps — NIST 800-53 r5 by family

For each NIST 800-53 family: how many top-level controls exist, how many have at least one cloud-config implementation in our catalogue, and how many distinct implementations target that family. Higher counts and higher coverage percentages are better. Currently 33 of 324 controls (10%) have implementations across 210 impl-spec mentions; the rest are gaps in the impl catalogue, not gaps in the controls themselves.

Family | Name | Controls | With impl | Total impls | Coverage
AC | Access Control | 25 | 6 | 37 | 24%
AT | Awareness and Training | 6 | 0 | 0 | 0%
AU | Audit and Accountability | 16 | 5 | 21 | 31%
CA | Assessment, Authorization, and Monitoring | 9 | 1 | 22 | 11%
CM | Configuration Management | 14 | 4 | 13 | 29%
CP | Contingency Planning | 13 | 3 | 16 | 23%
IA | Identification and Authentication | 13 | 1 | 2 | 8%
IR | Incident Response | 10 | 0 | 0 | 0%
MA | Maintenance | 7 | 0 | 0 | 0%
MP | Media Protection | 8 | 0 | 0 | 0%
PE | Physical and Environmental Protection | 23 | 0 | 0 | 0%
PL | Planning | 11 | 0 | 0 | 0%
PM | Program Management | 32 | 0 | 0 | 0%
PS | Personnel Security | 9 | 0 | 0 | 0%
PT | Personally Identifiable Information Processing and Transparency | 8 | 0 | 0 | 0%
RA | Risk Assessment | 10 | 0 | 0 | 0%
SA | System and Services Acquisition | 24 | 1 | 2 | 4%
SC | System and Communications Protection | 51 | 8 | 76 | 16%
SI | System and Information Integrity | 23 | 4 | 21 | 17%
SR | Supply Chain Risk Management | 12 | 0 | 0 | 0%

Encryption at rest — required cloud configurations

The implementations below all satisfy NIST 800-53 r5 SC-28 (Protection of Information at Rest). Pick the platforms relevant to your stack; each row is a specific check that you need to keep passing.

Platform | Configuration | Implementation ID
AWS::ApiGateway::Stage | Api Gw Cache Enabled And Encrypted | aws-config-api-gw-cache-enabled-and-encrypted
AWS::CloudTrail::Trail | Cloud Trail Encryption Enabled | aws-config-cloud-trail-encryption-enabled
AWS::CodeBuild::Project | Codebuild Project Artifact Encryption | aws-config-codebuild-project-artifact-encryption
AWS::DynamoDB::Table | Dynamodb Table Encrypted Kms | aws-config-dynamodb-table-encrypted-kms
AWS::DynamoDB::Table | DynamoDB table uses encryption at rest with KMS | aws-config-dynamodb-table-encryption-enabled
AWS::EC2::Volume | EBS encryption by default is enabled | aws-config-ec2-ebs-encryption-by-default
AWS::EC2::Volume | EBS volumes are encrypted at rest | aws-config-encrypted-volumes
AWS::EFS::FileSystem | EFS file system is encrypted | aws-config-efs-encrypted-check
AWS::EKS::Cluster | EKS cluster encrypts Kubernetes secrets at rest with KMS | aws-config-eks-cluster-secrets-encrypted
AWS::Kinesis::Stream | Kinesis Stream Encrypted | aws-config-kinesis-stream-encrypted
AWS::OpenSearchService::Domain | Elasticsearch Encrypted At Rest | aws-config-elasticsearch-encrypted-at-rest
AWS::OpenSearchService::Domain | Opensearch Encrypted At Rest | aws-config-opensearch-encrypted-at-rest
AWS::RDS::DBInstance | Rds Snapshot Encrypted | aws-config-rds-snapshot-encrypted
AWS::RDS::DBInstance | RDS storage is encrypted | aws-config-rds-storage-encrypted
AWS::Redshift::Cluster | Redshift Cluster Configuration Check | aws-config-redshift-cluster-configuration-check
AWS::Redshift::Cluster | Redshift Cluster Kms Enabled | aws-config-redshift-cluster-kms-enabled
AWS::S3::Bucket | S3 bucket has default server-side encryption | aws-config-s3-bucket-server-side-encryption-enabled
AWS::S3::Bucket | S3 Default Encryption Kms | aws-config-s3-default-encryption-kms
AWS::SNS::Topic | SNS topic uses KMS encryption at rest | aws-config-sns-encrypted-kms
AWS::SQS::Queue | SQS queue has server-side encryption enabled | aws-config-sqs-queue-server-side-encryption-enabled
AWS::SageMaker::NotebookInstance | Sagemaker Endpoint Configuration Kms Key Configured | aws-config-sagemaker-endpoint-configuration-kms-key-configured
AWS::SageMaker::NotebookInstance | Sagemaker Notebook Instance Kms Key Configured | aws-config-sagemaker-notebook-instance-kms-key-configured
AWS::SecretsManager::Secret | Secretsmanager Using Cmk | aws-config-secretsmanager-using-cmk
Microsoft.Compute/disks | Managed disks are encrypted with customer-managed keys | azure-mcsb-managed-disk-encryption
Microsoft.DocumentDB/databaseAccounts | Cosmos DB uses customer-managed keys | azure-mcsb-cosmosdb-encryption
Microsoft.Sql/servers/databases | Azure SQL DB uses Transparent Data Encryption | azure-mcsb-sql-tde
Microsoft.Storage/storageAccounts | Storage account encrypts data at rest | azure-mcsb-dp-04-storage-encryption
bigquery.googleapis.com/Dataset | BigQuery datasets encrypted with CMEK | gcp-cis-bigquery-cmek
compute.googleapis.com/Disk | Persistent disks encrypted with CMEK | gcp-cis-compute-disk-cmek
sqladmin.googleapis.com/Instance | Cloud SQL instances use CMEK encryption | gcp-cis-cloudsql-encryption
storage.googleapis.com/Bucket | Cloud Storage buckets encrypted with CMEK | gcp-cis-storage-bucket-cmek