Skip to main content
All CollectionsControl Tests
Test: Customer Data is Encrypted at Rest
Test: Customer Data is Encrypted at Rest

Drata inspects your company configuration of the database(s) storing customer data to determine if the data is encrypted at rest.

Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago


This test is part of the Customer Data is Encrypted at Rest control that ensures your company stores customer data in databases that are encrypted at rest.


If Drata finds production databases that are not encrypted at rest the test will fail. With a failed test you will receive a list of production databases that do not have encryption enabled.

To remediate a failed test, you will need to properly configure these databases to enable encryption.


To ensure a validated state when testing for encryption at rest, please follow the steps listed in the table below. Once the provider steps have been completed, navigate back to Drata and execute the test.

Provider / Technology

Provider Steps


  1. Within Atlas, create an organization project if there is none

  2. Click New Project and give it a unique name!

  3. On a project, click Create a New Cluster

  4. Any pricing tier / configuration will pass this test

  5. Click Create

AWS - DynamoDB

By default, DynamoDB is fully encrypted at rest.

AWS - OpenSearch (formerly Elasticsearch)

Step 1 - Choose Deployment Type

  1. Within AWS, go to OpenSearch service (formerly Elasticsearch)

  2. Click on 'Create a new domain'

  3. Choose deployment type (Development and Testing) [One availability zone ]

    1. Choose latest Version under 'OpenSearch Version'

    2. Choose a name for 'OpenSearch domain name'

    3. Unless needed, custom endpoint can be left blank

Step 2 - Configure Domain

  1. Data Nodes: Instance Type - t3.small.elasticsearch (smallest instance type)

  2. Number of Nodes: 1

  3. Data nodes storage: leave everything as is

  4. Dedicated master nodes: leave everything as is

Step 3 - Configure Access and Security

  1. Select VPC Access

  2. Set VPC

  3. Set Subnet

  4. Set Security Groups

  5. Uncheck Enable fine-grained access control

  6. Set Access Policy: Domain access policy - "Allow open access to the domain"

  7. Set Encryption: Click on "Enable encryption of data at rest"

  8. Click on Next button

  9. Click on Confirm button

AWS - Elasticache for Redis

  1. Within AWS, go to ElastiCache service

  2. Click on Redis Clusters

  3. Click on Create Redis cluster - note that any settings not explicitly mentioned are optional/configurable for your business needs

    1. Configure and create a new cluster

    2. Enter a name

    3. Location - Amazon Cloud

    4. Enable Multi-AZ

    5. Number of replicas: at least 1

    6. Click Next

    7. Click on Enable checkbox for Encryption at rest

  4. Click Next

  5. Click Create


  1. Within GCP, go to SQL service

  2. Create an instance

  3. Click on a database engine

    1. Enter an Instance ID

    2. Set a password for the root user

    3. Select a region

    4. Select any zone

    5. Set a database version

    6. Click on Show configuration options

    7. Open the ""Backups, recovery, and high availability""

    8. DO NOT click on Automate backups

    9. Open the ""Machine type and storage""

    10. Select a machine size

    11. Disable the ""Enable automatic storage increases""

    12. Click on Create button

GCP - Datastore

  1. Within GCP, go to the Datastore service

  2. Create an Entity

  3. Click on Create button

GCP - Memorystore

  1. Within GCP, go to Google Cloud Memorystore for Redis API service

  2. Click on Enable

  3. Click on Create

Did this answer your question?