intermediate 25 min read compliance-security Updated: 2024-06-16

Encryption-at-Rest Enforcement Policies

Create and enforce policies to ensure all cloud storage resources are encrypted across AWS, Azure, and GCP.

🏷️ Topics Covered

encryption at rest policy automation, kms encryption policy validation, cloud storage encryption policies, database encryption policy enforcement, encryption compliance automation, storage encryption best practices

📋 Prerequisites

  • Access to at least one major cloud provider (AWS, Azure, or GCP).
  • Familiarity with cloud storage services (e.g., S3, Blob Storage, EBS).
  • Basic understanding of encryption concepts (platform-managed vs. customer-managed keys).
  • Experience with Infrastructure as Code (IaC) tools like Terraform.

Encryption at Rest Policy Automation: Complete Security Guide

Encryption-at-rest is a critical security measure that protects your data from unauthorized access if the physical storage media is ever compromised. It involves encrypting data before it is written to disk. While most cloud providers now enable some form of default encryption, compliance frameworks (like HIPAA, PCI DSS) and robust security postures often require you to explicitly prove and enforce that all data is encrypted, sometimes with keys that you manage.

KMS Encryption Policy Validation: AWS Implementation Tutorial

In AWS, you can enforce encryption on services like S3 and EBS using IAM policies, SCPs, or resource-specific policies.

Example: S3 Bucket Policy to Enforce Encryption

This S3 bucket policy is a direct way to enforce encryption. Its two statements explicitly deny any object upload (`s3:PutObject`) that would arrive unencrypted: the first denies a request whose `x-amz-server-side-encryption` header is present but not `AES256`, and the second (using the `Null` operator) denies a request that carries no such header at all. Together they ensure every new object is written with SSE-S3. Note that, as written, the first statement also rejects SSE-KMS uploads (header value `aws:kms`), so widen its value list if you want to allow both.

s3-bucket-encryption-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
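To see what the two statements actually decide, here is an added example (not part of the original page) that models the `Null` and `StringNotEquals` operators in Python, simplified to what this policy needs, and runs sample PutObject request contexts through the policy:

```python
import json

# Condition logic of the bucket policy above (Resource/Principal omitted:
# only the Condition element is modelled).
POLICY = json.loads("""{
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")
SSE_KEY = "s3:x-amz-server-side-encryption"


def condition_matches(operator, key, expected, ctx):
    """Model of the two IAM operators used here. ctx maps request condition
    keys to values; a key missing from ctx was not sent with the request."""
    value = ctx.get(key)
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        # Null "true" matches when the key is absent, "false" when present.
        return (value is None) == (expected[0] == "true")
    if operator == "StringNotEquals":
        # Negated operator with several values: matches when the request value
        # is none of them. The absent-key branch is not relied on here; the
        # Null statement is what covers a missing header.
        return value is not None and value not in expected
    raise ValueError(f"operator {operator} not modelled")


def denying_sids(policy, action, ctx):
    """Sids of Deny statements whose every condition matches the request."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or st["Action"] != action:
            continue
        conds = [(op, k, v) for op, kv in st.get("Condition", {}).items()
                 for k, v in kv.items()]
        if all(condition_matches(op, k, v, ctx) for op, k, v in conds):
            hits.append(st["Sid"])
    return hits


def put_object_allowed(policy, sse_header=None):
    """True if a PutObject carrying the given SSE header is not denied."""
    ctx = {} if sse_header is None else {SSE_KEY: sse_header}
    return not denying_sids(policy, "s3:PutObject", ctx)
```

Running `put_object_allowed(POLICY, "aws:kms")` returns False, which makes the SSE-KMS caveat concrete; giving the first statement the list `["AES256", "aws:kms"]` admits both, and the evaluator handles list values.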

Cloud Storage Encryption Policies: Azure Security Automation

Azure Policy lets you enforce standards, including encryption-related ones, across your subscriptions. For Azure Storage, a key policy is to require secure transfer (HTTPS). Strictly, this protects data in transit rather than at rest, but it is a necessary complement: data that is encrypted on disk is still exposed if it can be read or written over plain HTTP.

Example: Azure Policy to Require Secure Transfer

This built-in policy denies the creation of any Storage Account where "secure transfer required" is not enabled.

azure-policy-require-secure-transfer.json

{
  "properties": {
    "displayName": "Secure transfer to storage accounts should be enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy denies the creation of storage accounts that do not require HTTPS, a key part of an encryption-at-rest strategy.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Database Encryption Policy Enforcement: Google Cloud Guide

A key feature of Google Cloud is that all data is encrypted at rest by default. Therefore, the policy focus often shifts to enforcing the use of Customer-Managed Encryption Keys (CMEK), which gives you more control over the keys used to encrypt your data.

Example: GCP Policy to Require CMEK for Compute Engine Disks

This Organization Policy enforces that all new Compute Engine persistent disks must be encrypted with a key from your own Cloud KMS. The constraint is a list constraint naming the services that may no longer create resources without CMEK; denying `compute.googleapis.com` covers Compute Engine disks (along with the service's other CMEK-capable resources).

gcp-org-policy-require-cmek.yaml

# Apply with: gcloud resource-manager org-policies set-policy <this-file> --organization=<ORG_ID>
constraint: "constraints/gcp.restrictNonCmekServices"
listPolicy:
  deniedValues:
    - "compute.googleapis.com"

This policy doesn't specify which keys to use; it simply enforces that *some* CMEK must be used. You would typically combine this with more restrictive IAM policies on the KMS keys themselves (and, if keys must come from designated projects, with the companion `constraints/gcp.restrictCmekCryptoKeyProjects` constraint).

Encryption Compliance Automation: Terraform Policy Validation

You can use OPA and Conftest to validate your Terraform code and ensure encryption properties are set correctly before you deploy.

Example: OPA Policy to Check Terraform Encryption Settings

This Rego policy checks for encryption settings across AWS, Azure, and GCP resources in a Terraform plan.

policy/encryption_check.rego

package terraform.encryption

# Skip destroyed resources: their "after" state is null and must not be flagged.
live(resource) {
    resource.change.after != null
}

# AWS: deny if aws_ebs_volume is not encrypted. "not ... == true" also catches
# the attribute being absent or unknown in the plan, which "!= true" would
# silently let through.
deny[msg] {
    resource := input.resource_changes[_]
    live(resource)
    resource.type == "aws_ebs_volume"
    not resource.change.after.encrypted == true
    msg := sprintf("EBS Volume '%s' must be encrypted.", [resource.address])
}

# Azure: deny if azurerm_storage_account does not enforce HTTPS
deny[msg] {
    resource := input.resource_changes[_]
    live(resource)
    resource.type == "azurerm_storage_account"
    not resource.change.after.enable_https_traffic_only == true
    msg := sprintf("Azure Storage Account '%s' must enforce HTTPS traffic.", [resource.address])
}

# GCP: a disk counts as CMEK-encrypted only if it names a non-empty KMS key
has_cmek(resource) {
    key := resource.change.after.disk_encryption_key[_].kms_key_self_link
    key != ""
}

# GCP: deny if google_compute_disk does not specify a CMEK key
deny[msg] {
    resource := input.resource_changes[_]
    live(resource)
    resource.type == "google_compute_disk"
    not has_cmek(resource)
    msg := sprintf("GCP Compute Disk '%s' must use a Customer-Managed Encryption Key (CMEK).", [resource.address])
}
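The same three checks, as an added Python example (not from the original page) that runs offline over a constructed plan JSON in the `terraform show -json` shape the Rego reads; it also shows two plan-JSON edge cases worth handling in any such check: a destroyed resource (`"after": null`) and a value that is only computed at apply time (`after_unknown`).

```python
import json

# Constructed Terraform plan JSON in the `terraform show -json` shape the
# Rego policy reads, trimmed to the fields the checks need.
PLAN_JSON = """{"resource_changes": [
  {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume", "change":
    {"actions": ["create"], "after": {"encrypted": true}, "after_unknown": {}}},
  {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume", "change":
    {"actions": ["create"], "after": {}, "after_unknown": {"encrypted": true}}},
  {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account", "change":
    {"actions": ["update"], "after": {"enable_https_traffic_only": false}, "after_unknown": {}}},
  {"address": "google_compute_disk.old", "type": "google_compute_disk", "change":
    {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "google_compute_disk.db", "type": "google_compute_disk", "change":
    {"actions": ["create"], "after": {"disk_encryption_key": [{"kms_key_self_link": ""}]},
     "after_unknown": {}}}
]}"""

def _any_unknown(node):
    """True if an after_unknown fragment marks any leaf as unknown-until-apply."""
    kids = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    return node is True or any(_any_unknown(v) for v in kids)

# resource type -> (attribute to inspect, predicate on its planned value, message)
CHECKS = {
    "aws_ebs_volume": ("encrypted", lambda v: v is True, "must be encrypted"),
    "azurerm_storage_account": ("enable_https_traffic_only", lambda v: v is True,
                                "must enforce HTTPS traffic"),
    "google_compute_disk": ("disk_encryption_key",
                            lambda v: any(k.get("kms_key_self_link") for k in (v or [])),
                            "must use a Customer-Managed Encryption Key (CMEK)"),
}

def encryption_violations(plan):
    """Run CHECKS over planned creates/updates; destroyed resources (after == null) are skipped."""
    findings = []
    for rc in plan.get("resource_changes", []):
        rule, change = CHECKS.get(rc["type"]), rc["change"]
        if rule is None or change.get("after") is None:
            continue
        attr, ok, msg = rule
        if _any_unknown((change.get("after_unknown") or {}).get(attr)):
            # A computed value cannot be proven compliant before apply.
            findings.append(f"{rc['address']}: '{attr}' is only known after apply; set it explicitly")
        elif not ok(change["after"].get(attr)):
            findings.append(f"{rc['address']}: {msg}")
    return findings

def check_plan_text(text):
    return encryption_violations(json.loads(text))
```

The same constructed plan, saved as `plan.json`, can be fed to the Rego policy with `conftest test plan.json -p policy/` to compare results.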

💡 Storage Encryption Best Practices: Multi-Cloud Implementation

Key Takeaways

  • Know Your Defaults: Understand your cloud provider's default encryption behavior. GCP encrypts everything by default, while AWS and Azure require more explicit configuration for some services.
  • Enforce at the Source: Use resource-level policies (like an S3 Bucket Policy) for granular control and organization-level policies (like SCPs or Azure Policy) for broad enforcement.
  • CMK for Compliance: When you need control over key rotation or need to prove data is inaccessible (even to the cloud provider), enforce the use of Customer-Managed Encryption Keys (CMEK/CMK).
  • Validate in CI/CD: Don't rely solely on runtime enforcement. Use PaC tools like OPA/Conftest to scan your Terraform or CloudFormation code for missing encryption settings before deployment.
  • Encrypt Everything: Your policy should cover not just block and object storage, but also databases, message queues, and any service that stores data at rest.