Benchmark: BP02 Enforce encryption at rest
Description
You should enforce the use of encryption for data at rest. Encryption maintains the confidentiality of sensitive data in the event of unauthorized access or accidental disclosure. Private data should be encrypted by default when at rest. Encryption provides an additional layer of protection against intentional or inadvertent data disclosure or exfiltration: encrypted data cannot be read or accessed without first being decrypted. Any data stored unencrypted should be inventoried and controlled.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP02 Enforce encryption at rest.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec08_bp02
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec08_bp02 --share
Controls
- EFS file system encryption at rest should be enabled
- ES domain encryption at rest should be enabled
- OpenSearch domains should have encryption at rest enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB snapshots should be encrypted at rest
- CloudTrail trail logs should be encrypted with KMS CMK
- DynamoDB table should have encryption enabled
- EBS default encryption should be enabled
- EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- Glue dev endpoints CloudWatch logs encryption should be enabled
- Glue dev endpoints job bookmark encryption should be enabled
- Glue dev endpoints S3 encryption should be enabled
- Glue jobs S3 encryption should be enabled
- Glue jobs bookmarks encryption should be enabled
- Glue jobs CloudWatch logs encryption should be enabled
- SageMaker notebook instances should be encrypted using CMK
- SageMaker training jobs should be enabled with inter-container traffic encryption
- SageMaker training jobs volumes and outputs should have KMS encryption enabled
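Controls in this benchmark are Steampipe SQL queries that return one row per resource with a resource, status and reason column. The following is an added example in that shape, not a query taken from the mod; it checks the RDS DB instance and RDS DB snapshot controls above and assumes the Steampipe AWS plugin tables aws_rds_db_instance (column storage_encrypted) and aws_rds_db_snapshot (column encrypted).

```sql
-- Added example of a control query (not the mod's own code).
-- Assumes the Steampipe AWS plugin tables aws_rds_db_instance
-- (storage_encrypted) and aws_rds_db_snapshot (encrypted).
-- Rows set status to 'ok' when the resource is encrypted at rest
-- and 'alarm' otherwise, which is what a Powerpipe control reports.
select
  arn as resource,
  case
    when storage_encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when storage_encrypted then title || ' encrypted at rest.'
    else title || ' not encrypted at rest.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_instance
union all
-- Snapshots are checked the same way; an unencrypted snapshot of an
-- encrypted instance would still expose the data at rest.
select
  arn as resource,
  case
    when encrypted then 'ok'
    else 'alarm'
  end as status,
  case
    when encrypted then title || ' encrypted at rest.'
    else title || ' not encrypted at rest.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_snapshot;
```

Run it with steampipe query after the service is started, or wrap it in a Powerpipe control block to add it to a custom benchmark.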