NIST 800-53 r5 · Controls catalogue · Family SC
SC-28 · Protection of Information at Rest
Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (31)
- aws-config-ec2-ebs-encryption-by-default EBS encryption by default is enabled AWS::EC2::Volume partial protect enforce CIS v5 §5.1.1 · CIS v3 §2.2.1 · Hub EC2.7
- aws-config-encrypted-volumes EBS volumes are encrypted at rest AWS::EC2::Volume partial protect enforce
- aws-config-rds-storage-encrypted RDS storage is encrypted AWS::RDS::DBInstance partial protect enforce CIS v5 §2.2.1 · CIS v3 §2.3.1 · Hub RDS.3
- aws-config-s3-bucket-server-side-encryption-enabled S3 bucket has default server-side encryption AWS::S3::Bucket partial protect enforce
- aws-config-dynamodb-table-encryption-enabled DynamoDB table uses encryption at rest with KMS AWS::DynamoDB::Table partial protect enforce
- aws-config-efs-encrypted-check EFS file system is encrypted AWS::EFS::FileSystem partial protect enforce CIS v5 §2.3.1 · CIS v3 §2.4.1 · Hub EFS.8
- aws-config-sns-encrypted-kms SNS topic uses KMS encryption at rest AWS::SNS::Topic partial protect enforce
- aws-config-sqs-queue-server-side-encryption-enabled SQS queue has server-side encryption enabled AWS::SQS::Queue partial protect enforce
- aws-config-eks-cluster-secrets-encrypted EKS cluster encrypts Kubernetes secrets at rest with KMS AWS::EKS::Cluster partial protect enforce
- azure-mcsb-dp-04-storage-encryption Storage account encrypts data at rest Microsoft.Storage/storageAccounts partial protect enforce
- azure-mcsb-managed-disk-encryption Managed disks are encrypted with customer-managed keys Microsoft.Compute/disks partial protect enforce
- azure-mcsb-sql-tde Azure SQL DB uses Transparent Data Encryption Microsoft.Sql/servers/databases partial protect enforce
- azure-mcsb-cosmosdb-encryption Cosmos DB uses customer-managed keys Microsoft.DocumentDB/databaseAccounts partial protect enforce
- gcp-cis-compute-disk-cmek Persistent disks encrypted with CMEK compute.googleapis.com/Disk partial protect enforce
- gcp-cis-storage-bucket-cmek Cloud Storage buckets encrypted with CMEK storage.googleapis.com/Bucket partial protect enforce
- gcp-cis-bigquery-cmek BigQuery datasets encrypted with CMEK bigquery.googleapis.com/Dataset partial protect enforce
- gcp-cis-cloudsql-encryption Cloud SQL instances use CMEK encryption sqladmin.googleapis.com/Instance partial protect enforce
- aws-config-api-gw-cache-enabled-and-encrypted Api Gw Cache Enabled And Encrypted AWS::ApiGateway::Stage partial protect enforce
- aws-config-cloud-trail-encryption-enabled Cloud Trail Encryption Enabled AWS::CloudTrail::Trail partial detect enforce CIS §3.5 · Hub CloudTrail.2
- aws-config-codebuild-project-artifact-encryption Codebuild Project Artifact Encryption AWS::CodeBuild::Project partial protect enforce
- aws-config-dynamodb-table-encrypted-kms Dynamodb Table Encrypted Kms AWS::DynamoDB::Table partial protect enforce
- aws-config-elasticsearch-encrypted-at-rest Elasticsearch Encrypted At Rest AWS::OpenSearchService::Domain partial protect enforce
- aws-config-kinesis-stream-encrypted Kinesis Stream Encrypted AWS::Kinesis::Stream partial protect enforce
- aws-config-opensearch-encrypted-at-rest Opensearch Encrypted At Rest AWS::OpenSearchService::Domain partial protect enforce
- aws-config-rds-snapshot-encrypted Rds Snapshot Encrypted AWS::RDS::DBInstance partial recover enforce
- aws-config-redshift-cluster-configuration-check Redshift Cluster Configuration Check AWS::Redshift::Cluster partial protect enforce
- aws-config-redshift-cluster-kms-enabled Redshift Cluster Kms Enabled AWS::Redshift::Cluster partial protect enforce
- aws-config-s3-default-encryption-kms S3 Default Encryption Kms AWS::S3::Bucket partial protect enforce
- aws-config-sagemaker-endpoint-configuration-kms-key-configured Sagemaker Endpoint Configuration Kms Key Configured AWS::SageMaker::NotebookInstance partial protect enforce
- aws-config-sagemaker-notebook-instance-kms-key-configured Sagemaker Notebook Instance Kms Key Configured AWS::SageMaker::NotebookInstance partial protect enforce
- aws-config-secretsmanager-using-cmk Secretsmanager Using Cmk AWS::SecretsManager::Secret partial protect enforce
ATT&CK techniques this control mitigates (42)
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1005 Data from Local System Collection
- T1025 Data from Removable Media Collection
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.001 Default Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1213 Data from Information Repositories Collection
- T1213.001 Confluence Collection
- T1213.002 Sharepoint Collection
- T1213.004 Customer Relationship Management Software Collection
- T1213.005 Messaging Applications Collection
- T1530 Data from Cloud Storage Collection
- T1550.001 Application Access Token Lateral Movement
- T1552 Unsecured Credentials Credential Access
- T1552.001 Credentials In Files Credential Access
- T1552.002 Credentials in Registry Credential Access
- T1552.003 Shell History Credential Access
- T1552.004 Private Keys Credential Access
- T1565 Data Manipulation Impact
- T1565.001 Stored Data Manipulation Impact
- T1565.003 Runtime Data Manipulation Impact
- T1567 Exfiltration Over Web Service Exfiltration
- T1599 Network Boundary Bridging Defense Impairment
- T1599.001 Network Address Translation Traversal Defense Impairment
- T1602 Data from Configuration Repository Collection
- T1602.001 SNMP (MIB Dump) Collection
- T1602.002 Network Device Configuration Dump Collection
Weaknesses this control addresses (6) [AI]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,259 | Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media. |
| CWE-522 | Insufficiently Protected Credentials | 1,529 | Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores. |
| CWE-312 | Cleartext Storage of Sensitive Information | 924 | Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media. |
| CWE-922 | Insecure Storage of Sensitive Information | 422 | The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class. |
| CWE-256 | Plaintext Storage of a Password | 203 | Protection of passwords and credentials at rest forces encryption or equivalent controls instead of plaintext storage. |
| CWE-313 | Cleartext Storage in a File or on Disk | 26 | Mandating protection of files and disk-stored data at rest prevents the specific weakness of cleartext storage on disk or in files. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-24263 | 2.0 | 9.8 | 0.0062 | good |
| CVE-2025-27650 | 2.0 | 9.8 | 0.0013 | good |
| CVE-2026-22906 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2025-25650 | 1.8 | 9.1 | 0.0028 | good |
| CVE-2021-47961 | 1.6 | 8.1 | 0.0005 | good |
| CVE-2024-41336 | 1.5 | 7.5 | 0.0013 | good |
| CVE-2026-35467 | 1.5 | 7.5 | 0.0003 | good |
| CVE-2025-27685 | 1.5 | 7.5 | 0.0008 | good |
| CVE-2026-33867 | 1.5 | 7.5 | 0.0001 | good |
| CVE-2026-35556 | 1.5 | 7.5 | 0.0004 | good |
| CVE-2025-21102 | 1.5 | 7.5 | 0.0005 | good |
| CVE-2019-25279 | 1.5 | 7.5 | 0.0007 | good |
| CVE-2025-36258 | 1.4 | 7.1 | 0.0001 | good |
| CVE-2024-23942 | 1.4 | 7.1 | 0.0003 | good |
| CVE-2024-55928 | 1.3 | 6.5 | 0.0016 | good |
| CVE-2025-22896 | 4.0 | 8.6 | 0.3743 | good |
| CVE-2025-12539 | 2.0 | 10.0 | 0.0072 | good |
| CVE-2025-27154 | 2.0 | 9.8 | 0.0024 | good |
| CVE-2025-27663 | 2.0 | 9.8 | 0.0033 | partial |
| CVE-2025-0497 | 2.0 | 9.8 | 0.0011 | good |
| CVE-2025-0498 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2025-27595 | 2.0 | 9.8 | 0.0010 | good |
| CVE-2026-21660 | 2.0 | 9.8 | 0.0005 | good |
| CVE-2025-55619 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2025-52579 | 1.9 | 9.4 | 0.0020 | good |