Test: Customer Data in Cloud Storage is Encrypted at Rest
Drata inspects your company cloud storage configuration to ensure customer data is encrypted at rest when stored.

This test is part of the Customer Data is Encrypted at Rest control that ensures your company stores customer data in databases that are encrypted at rest.


If Drata finds that stored cloud data is not encrypted at rest, the test will fail. With a failed test, you will receive a list of cloud data stores that do not have encryption enabled.

To remediate a failed test, you will need to properly configure these cloud data stores to enable encryption.


To ensure a validated state when testing for encryption at rest, follow the steps below. Once the provider steps have been completed, navigate back to Drata and execute the test.

Provider / Technology

Provider Steps

AWS - S3

  1. Within AWS, go to the Amazon S3 service

  2. Create bucket.

Note: Starting January 5, 2023, objects in Amazon S3 are encrypted by default. Pre-existing unencrypted buckets, created before this update, will also be encrypted, but existing objects within those buckets will not be automatically encrypted. For more information, see "Amazon S3 now automatically encrypts all new objects".


  1. Within Azure, on Storage Accounts, click "Create"

    1. Set a subscription

    2. Set a resource group and give it a unique name

    3. Set a location (can be any)

    4. Set performance (standard)

    5. Set account kind

    6. Replication - default

    7. Networking - default

    8. Data protection - default

    9. Advanced - default

    10. Tags - default

GCP - Storage Browser

  1. Within GCP, go to Storage > Browser

  2. Create a bucket

Note: All buckets in GCP are encrypted by default, so any bucket will pass.
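The AWS S3 note above separates a bucket's default encryption setting from the state of objects written before it applied. The following is an added example, not Drata's test logic or code from this page, that audits both from data shaped like the S3 GetBucketEncryption and HeadObject responses. Assumptions: the sample bucket names and keys are constructed, and the caller stores `None` when GetBucketEncryption reports that no configuration exists.

```python
# Added example: separate "bucket has a default encryption rule" from
# "every object in it is actually stored encrypted".
ACCEPTED = {"AES256", "aws:kms", "aws:kms:dsse"}  # S3 server-side encryption values

def bucket_default_algorithm(resp):
    """Return the default SSE algorithm from a GetBucketEncryption-shaped
    response, or None when no usable rule is present."""
    rules = (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ACCEPTED:
            return algo
    return None

def unencrypted_keys(head_objects):
    """head_objects maps object key -> HeadObject-shaped response.
    ServerSideEncryption is absent for objects stored without SSE."""
    return sorted(key for key, head in head_objects.items()
                  if head.get("ServerSideEncryption") not in ACCEPTED)

def audit(buckets):
    """Return (bucket, reason, affected_keys) for every bucket needing action."""
    findings = []
    for name, data in buckets.items():
        algo = bucket_default_algorithm(data.get("encryption"))
        plain = unencrypted_keys(data.get("objects", {}))
        if algo is None:
            findings.append((name, "no default encryption rule", plain))
        elif plain:
            findings.append((name, "default rule set, objects stored without SSE", plain))
    return findings

# Constructed sample data (hypothetical buckets and keys).
AES_RULE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
KMS_RULE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
SAMPLE = {
    "logs-2019": {"encryption": AES_RULE, "objects": {
        "old/export.csv": {"ContentLength": 812},  # written before the rule applied
        "new/export.csv": {"ContentLength": 640, "ServerSideEncryption": "AES256"}}},
    "uploads": {"encryption": KMS_RULE, "objects": {
        "a.pdf": {"ServerSideEncryption": "aws:kms"}}},
    "scratch": {"encryption": None, "objects": {}},
}

if __name__ == "__main__":
    for bucket, reason, keys in audit(SAMPLE):
        print(f"{bucket}: {reason} {keys}")
```

Against a live account, the same dictionaries can be filled from boto3's `get_bucket_encryption` and `head_object` calls.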

