Test: Customer Data in Cloud Storage is Encrypted at Rest

ASSOCIATED DRATA CONTROL

This test is part of the Customer Data is Encrypted at Rest control that ensures your company stores customer data in databases that are encrypted at rest.

WHAT TO DO IF A TEST FAILS

If Drata finds that stored cloud data is not encrypted at rest the test will fail. With a failed test you will receive a list of cloud data stores that do not have encryption enabled.

To remediate a failed test, you will need to properly configure these cloud data stores to enable encryption.

STEPS FOR PASSING

To ensure a validated state when testing for encryption at rest, please follow the below steps. Once the provider steps have been completed, navigate back to Drata and execute the test.

Provider / Technology	Provider Steps
AWS - S3	Within AWS, go to the Amazon S3 service Create bucket. Note: Starting January 5, 2023, objects in Amazon S3 are encrypted by default. Pre-existing unencrypted buckets, created before this update, will also be encrypted, but existing objects within those buckets will not be automatically encrypted. For more information, go to Amazon S3 now automatically encrypts all new objects.
Azure	Within Azure, on Storage Accounts, click "Create" Set a subscription Set a resource group and give it a unique name Set a location (can be any) Set performance (standard) Set account kind Replication - default Networking - default Data protection - default Advanced - default Tags - default
GCP - Storage Browser	Within GCP, go to Storage > Browser Create a bucket Note: All buckets in GCP are encrypted by default so any bucket will pass