Controls
What cloud configurations do I need to worry about to implement encryption at rest?
This page maps high-level controls (NIST 800-53 r5 and a proprietary framework, with more to come) to the specific cloud-platform configurations that satisfy them. Planned additions: live findings from CSPM tools, CVE coverage reverse-lookup, and threat-technique mitigation paths.
Catalogue summary
- 2 Frameworks
- 49 Implementations
- 17 Cloud platforms (encryption at rest)
| Framework | Rows | Composition |
|---|---|---|
| NIST_800-53_r5 | 1,216 | control (324), family (20), enhancement (872) |
| Proprietary_25_Family | 324 | family (25), control (97), subcontrol (202) |
Encryption at rest — required cloud configurations
The implementations below all satisfy NIST 800-53 r5 SC-28 (Protection of Information at Rest). Pick the platforms relevant to your stack; each row is a specific check you need to keep green.
| Platform | Configuration | Implementation ID |
|---|---|---|
| AWS::DynamoDB::Table | DynamoDB table uses encryption at rest with KMS | aws-config-dynamodb-table-encryption-enabled |
| AWS::EC2::Volume | EBS encryption by default is enabled | aws-config-ec2-ebs-encryption-by-default |
| AWS::EC2::Volume | EBS volumes are encrypted at rest | aws-config-encrypted-volumes |
| AWS::EFS::FileSystem | EFS file system is encrypted | aws-config-efs-encrypted-check |
| AWS::EKS::Cluster | EKS cluster encrypts Kubernetes secrets at rest with KMS | aws-config-eks-cluster-secrets-encrypted |
| AWS::ElastiCache::ReplicationGroup | ElastiCache Redis encrypts data at rest | aws-config-elasticache-redis-cluster-automatic-backup-check |
| AWS::RDS::DBInstance | RDS storage is encrypted | aws-config-rds-storage-encrypted |
| AWS::S3::Bucket | S3 bucket has default server-side encryption | aws-config-s3-bucket-server-side-encryption-enabled |
| AWS::SNS::Topic | SNS topic uses KMS encryption at rest | aws-config-sns-encrypted-kms |
| AWS::SQS::Queue | SQS queue has server-side encryption enabled | aws-config-sqs-queue-server-side-encryption-enabled |
| Microsoft.Compute/disks | Managed disks are encrypted with customer-managed keys | azure-mcsb-managed-disk-encryption |
| Microsoft.DocumentDB/databaseAccounts | Cosmos DB uses customer-managed keys | azure-mcsb-cosmosdb-encryption |
| Microsoft.Sql/servers/databases | Azure SQL DB uses Transparent Data Encryption | azure-mcsb-sql-tde |
| Microsoft.Storage/storageAccounts | Storage account encrypts data at rest | azure-mcsb-dp-04-storage-encryption |
| bigquery.googleapis.com/Dataset | BigQuery datasets encrypted with CMEK | gcp-cis-bigquery-cmek |
| compute.googleapis.com/Disk | Persistent disks encrypted with CMEK | gcp-cis-compute-disk-cmek |
| sqladmin.googleapis.com/Instance | Cloud SQL instances use CMEK encryption | gcp-cis-cloudsql-encryption |
| storage.googleapis.com/Bucket | Cloud Storage buckets encrypted with CMEK | gcp-cis-storage-bucket-cmek |