Controls
What cloud configurations do I need to worry about to implement encryption at rest?
This page maps high-level controls (NIST 800-53 r5; more frameworks to come) to the specific cloud-platform configurations that satisfy them. Future expansion: live findings from CSPM tools, CVE coverage reverse-lookup, and threat-technique mitigation paths.
Catalogue summary
| Framework | Rows | Composition |
|---|---|---|
| NIST_800-53_r5 | 1,216 | family (20), control (324), enhancement (872) |
Risk-prioritised gaps — top 25 CVEs
The 25 annotated CVEs with the highest Risk Priority, each paired with its single strongest mitigating NIST 800-53 r5 control. Rows marked "gap" are CVEs whose top mitigation has no implementation in our catalogue; these are where automated verification is missing today. Currently 13 of the 25 top-risk CVEs are gaps. All 25 are in CISA's Known Exploited Vulnerabilities (KEV) catalog.
| CVE | Risk | CVSS | EPSS | Top mitigating control | Match | Impl status |
|---|---|---|---|---|---|---|
| CVE-2002-0367 (KEV) | 10.0 | 7.8 | 0.0519 | AC-3 Access Enforcement | good | ✅ has impl |
| CVE-2004-0210 (KEV) | 10.0 | 7.8 | 0.0761 | SI-16 Memory Protection | good | ❌ gap |
| CVE-2004-1464 (KEV) | 10.0 | 5.9 | 0.0513 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2005-2773 (KEV) | 10.0 | 9.8 | 0.7409 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2006-1547 (KEV) | 10.0 | 7.5 | 0.5464 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2006-2492 (KEV) | 10.0 | 8.8 | 0.4839 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2007-0671 (KEV) | 10.0 | 8.8 | 0.4214 | SI-3 Malicious Code Protection | good | ❌ gap |
| CVE-2007-3010 (KEV) | 10.0 | 9.8 | 0.9741 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2007-5659 (KEV) | 10.0 | 7.8 | 0.9422 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2008-0015 (KEV) | 10.0 | 8.8 | 0.7665 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2008-0655 (KEV) | 10.0 | 8.8 | 0.3684 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2008-2992 (KEV) | 10.0 | 7.8 | 0.9848 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2008-4250 (KEV) | 10.0 | 9.8 | 0.9875 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2009-0238 (KEV) | 10.0 | 8.8 | 0.4306 | SI-3 Malicious Code Protection | good | ❌ gap |
| CVE-2009-0556 (KEV) | 10.0 | 8.8 | 0.6754 | SI-3 Malicious Code Protection | good | ❌ gap |
| CVE-2009-0557 (KEV) | 10.0 | 7.8 | 0.5855 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2009-0563 (KEV) | 10.0 | 7.8 | 0.6308 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2009-0927 (KEV) | 10.0 | 8.8 | 0.9660 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2009-1123 (KEV) | 10.0 | 7.8 | 0.0492 | AC-3 Access Enforcement | good | ✅ has impl |
| CVE-2009-1151 (KEV) | 10.0 | 9.8 | 0.9544 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2009-1537 (KEV) | 10.0 | 8.8 | 0.5093 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2009-1862 (KEV) | 10.0 | 7.8 | 0.2501 | SI-2 Flaw Remediation | good | ✅ has impl |
| CVE-2009-2055 (KEV) | 10.0 | 5.9 | 0.0333 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2009-3129 (KEV) | 10.0 | 7.8 | 0.8573 | SI-10 Information Input Validation | good | ❌ gap |
| CVE-2009-3459 (KEV) | 10.0 | 8.8 | 0.8647 | SI-2 Flaw Remediation | good | ✅ has impl |
KEV coverage — controls that block actively-exploited threats
For each of CISA's 1,631 Known Exploited Vulnerabilities, we pick the single strongest mitigating NIST 800-53 r5 control (per-CVE LLM annotation when available, falling back to the CWE→control mapping). The table below shows the top 20 controls ranked by how many KEV CVEs they would mitigate. 1,621 of 1,631 KEV CVEs (99%) are attributed to a control.
Coverage gaps — NIST 800-53 r5 by family
For each NIST 800-53 family: how many top-level controls exist, how many have at least one cloud-config implementation in our catalogue, and how many distinct implementations target that family. Bigger numbers and longer green bars are better. Currently 33 of 324 controls (10%) have implementations across 210 impl-spec mentions; the rest are gaps in the impl catalogue, not the controls themselves.
| Code | Family | Controls | With impl | Total impls | Coverage |
|---|---|---|---|---|---|
| AC | Access Control | 25 | 6 | 37 | 24% |
| AT | Awareness and Training | 6 | 0 | 0 | 0% |
| AU | Audit and Accountability | 16 | 5 | 21 | 31% |
| CA | Assessment, Authorization, and Monitoring | 9 | 1 | 22 | 11% |
| CM | Configuration Management | 14 | 4 | 13 | 29% |
| CP | Contingency Planning | 13 | 3 | 16 | 23% |
| IA | Identification and Authentication | 13 | 1 | 2 | 8% |
| IR | Incident Response | 10 | 0 | 0 | 0% |
| MA | Maintenance | 7 | 0 | 0 | 0% |
| MP | Media Protection | 8 | 0 | 0 | 0% |
| PE | Physical and Environmental Protection | 23 | 0 | 0 | 0% |
| PL | Planning | 11 | 0 | 0 | 0% |
| PM | Program Management | 32 | 0 | 0 | 0% |
| PS | Personnel Security | 9 | 0 | 0 | 0% |
| PT | Personally Identifiable Information Processing and Transparency | 8 | 0 | 0 | 0% |
| RA | Risk Assessment | 10 | 0 | 0 | 0% |
| SA | System and Services Acquisition | 24 | 1 | 2 | 4% |
| SC | System and Communications Protection | 51 | 8 | 76 | 16% |
| SI | System and Information Integrity | 23 | 4 | 21 | 17% |
| SR | Supply Chain Risk Management | 12 | 0 | 0 | 0% |
Encryption at rest — required cloud configurations
The implementations below all satisfy NIST 800-53 r5 SC-28 (Protection of Information at Rest). Pick the platforms relevant to your stack; each row is a specific check you need to keep green.
| Platform | Configuration | Implementation ID |
|---|---|---|
| AWS::ApiGateway::Stage | Api Gw Cache Enabled And Encrypted | aws-config-api-gw-cache-enabled-and-encrypted |
| AWS::CloudTrail::Trail | Cloud Trail Encryption Enabled | aws-config-cloud-trail-encryption-enabled |
| AWS::CodeBuild::Project | Codebuild Project Artifact Encryption | aws-config-codebuild-project-artifact-encryption |
| AWS::DynamoDB::Table | Dynamodb Table Encrypted Kms | aws-config-dynamodb-table-encrypted-kms |
| AWS::DynamoDB::Table | DynamoDB table uses encryption at rest with KMS | aws-config-dynamodb-table-encryption-enabled |
| AWS::EC2::Volume | EBS encryption by default is enabled | aws-config-ec2-ebs-encryption-by-default |
| AWS::EC2::Volume | EBS volumes are encrypted at rest | aws-config-encrypted-volumes |
| AWS::EFS::FileSystem | EFS file system is encrypted | aws-config-efs-encrypted-check |
| AWS::EKS::Cluster | EKS cluster encrypts Kubernetes secrets at rest with KMS | aws-config-eks-cluster-secrets-encrypted |
| AWS::Kinesis::Stream | Kinesis Stream Encrypted | aws-config-kinesis-stream-encrypted |
| AWS::OpenSearchService::Domain | Elasticsearch Encrypted At Rest | aws-config-elasticsearch-encrypted-at-rest |
| AWS::OpenSearchService::Domain | Opensearch Encrypted At Rest | aws-config-opensearch-encrypted-at-rest |
| AWS::RDS::DBInstance | Rds Snapshot Encrypted | aws-config-rds-snapshot-encrypted |
| AWS::RDS::DBInstance | RDS storage is encrypted | aws-config-rds-storage-encrypted |
| AWS::Redshift::Cluster | Redshift Cluster Configuration Check | aws-config-redshift-cluster-configuration-check |
| AWS::Redshift::Cluster | Redshift Cluster Kms Enabled | aws-config-redshift-cluster-kms-enabled |
| AWS::S3::Bucket | S3 bucket has default server-side encryption | aws-config-s3-bucket-server-side-encryption-enabled |
| AWS::S3::Bucket | S3 Default Encryption Kms | aws-config-s3-default-encryption-kms |
| AWS::SNS::Topic | SNS topic uses KMS encryption at rest | aws-config-sns-encrypted-kms |
| AWS::SQS::Queue | SQS queue has server-side encryption enabled | aws-config-sqs-queue-server-side-encryption-enabled |
| AWS::SageMaker::NotebookInstance | Sagemaker Endpoint Configuration Kms Key Configured | aws-config-sagemaker-endpoint-configuration-kms-key-configured |
| AWS::SageMaker::NotebookInstance | Sagemaker Notebook Instance Kms Key Configured | aws-config-sagemaker-notebook-instance-kms-key-configured |
| AWS::SecretsManager::Secret | Secretsmanager Using Cmk | aws-config-secretsmanager-using-cmk |
| Microsoft.Compute/disks | Managed disks are encrypted with customer-managed keys | azure-mcsb-managed-disk-encryption |
| Microsoft.DocumentDB/databaseAccounts | Cosmos DB uses customer-managed keys | azure-mcsb-cosmosdb-encryption |
| Microsoft.Sql/servers/databases | Azure SQL DB uses Transparent Data Encryption | azure-mcsb-sql-tde |
| Microsoft.Storage/storageAccounts | Storage account encrypts data at rest | azure-mcsb-dp-04-storage-encryption |
| bigquery.googleapis.com/Dataset | BigQuery datasets encrypted with CMEK | gcp-cis-bigquery-cmek |
| compute.googleapis.com/Disk | Persistent disks encrypted with CMEK | gcp-cis-compute-disk-cmek |
| sqladmin.googleapis.com/Instance | Cloud SQL instances use CMEK encryption | gcp-cis-cloudsql-encryption |
| storage.googleapis.com/Bucket | Cloud Storage buckets encrypted with CMEK | gcp-cis-storage-bucket-cmek |