SC-12 / SC-13 / SC-28 / A.8.24 / CIS-3.7 NIST SP 800-53 Rev 5

Is data at rest encrypted with customer-managed keys where possible?

Description

What this control does

This control ensures that data stored at rest in cloud environments and on-premises systems is encrypted using cryptographic keys managed directly by the organization (customer-managed keys or CMKs), rather than relying solely on provider-managed default encryption. Customer-managed keys give organizations control over key lifecycle, rotation policies, access permissions, and the ability to revoke access independently of the cloud service provider. This approach enhances data sovereignty, supports regulatory compliance requirements, and reduces risk from provider-side key compromise or unauthorized provider access.

Control objective

What auditing this proves

Demonstrate that data at rest is encrypted using customer-managed keys across all feasible storage services, with documented key management processes and access controls enforced throughout the key lifecycle.

Associated risks

Risks this control addresses

  • Unauthorized access to encrypted data by cloud provider personnel with access to provider-managed keys
  • Inability to meet regulatory data sovereignty requirements when encryption keys remain under third-party control
  • Prolonged exposure of encrypted data following a provider-side key compromise due to lack of independent key rotation capability
  • Forensic or legal discovery challenges when the organization cannot definitively prove control over encryption key material
  • Data exfiltration by malicious insiders exploiting default provider-managed key permissions that bypass customer audit trails
  • Cross-tenant data exposure risks in multi-tenant environments where provider-managed keys may be shared or improperly isolated
  • Inability to execute timely cryptographic erasure (crypto-shredding) when data deletion requirements arise from privacy incidents or right-to-be-forgotten requests

Testing procedure

How an auditor verifies this control

  1. Inventory all data-at-rest storage services across cloud platforms and on-premises infrastructure, including databases, object storage, block storage, backup repositories, and file shares.
  2. Review encryption configuration for each identified storage resource to determine whether encryption uses customer-managed keys, provider-managed keys, or no encryption.
  3. Obtain and examine key management service (KMS) configuration exports showing customer-managed key definitions, key policies, and associated resource bindings.
  4. Select a representative sample of storage resources from each service type and verify that encryption keys reference customer-managed KMS keys rather than default provider keys.
  5. Review key access policies and IAM permissions to confirm that only authorized personnel and services can use, manage, or administer customer-managed keys.
  6. Examine key rotation policies and logs to verify that customer-managed keys are rotated according to organizational standards and regulatory requirements.
  7. Identify any storage services where customer-managed keys are technically supported but not implemented, and review documented business or technical justifications for exceptions.
  8. Validate that monitoring and alerting mechanisms are configured to detect unauthorized key usage, key policy modifications, or encryption configuration changes on protected resources.
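The classification in steps 2, 4, 5 and 6 is mechanical once the configuration exports are in hand. The following added example (not part of the control text) shows one way to run it over exported JSON: it normalises EBS, RDS and S3 encryption settings into a common record, resolves each referenced key against a KMS export to decide whether it is customer-managed, provider-managed or unknown, flags customer-managed keys with rotation disabled or an unconditional wildcard-principal Allow statement, and applies an exception register. The input shapes are assumed to mirror the output of `aws ec2 describe-volumes`, `aws rds describe-db-instances`, `aws s3api get-bucket-encryption` and `aws kms describe-key` / `get-key-rotation-status`; all sample data is constructed and the exception register is hypothetical.

```python
"""Classify data-at-rest encryption by who controls the key (added example).

Input dict shapes are assumed to match the AWS describe-call JSON named in the
lead-in; every value below is constructed sample data, not from the control page.
"""

# Constructed KMS export keyed by key ARN. KeyManager is "CUSTOMER" for a
# customer-managed key and "AWS" for a provider-managed (alias/aws/*) key.
KMS_EXPORT = {
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111": {
        "KeyManager": "CUSTOMER", "KeyRotationEnabled": True,
        "KeyPolicy": {"Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/DataPlatform"},
            "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]}},
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222": {
        "KeyManager": "AWS", "KeyRotationEnabled": True,
        "KeyPolicy": {"Statement": []}},
    "arn:aws:kms:us-east-1:111122223333:key/cccc-3333": {
        "KeyManager": "CUSTOMER", "KeyRotationEnabled": False,
        "KeyPolicy": {"Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}]}},
}

# Constructed inventory in the shapes of the respective describe calls.
EBS_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-1111"},
    {"VolumeId": "vol-0b2", "Encrypted": False},
]
RDS_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-2222"},
]
S3_BUCKETS = {  # bucket name -> ServerSideEncryptionConfiguration, or None
    "data-lake": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/cccc-3333"}}]},
    "static-assets": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
    "legacy-archive": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/dddd-4444"}}]},
}
# Hypothetical approved-exception register (step 7): resources with a
# documented justification for remaining on provider-managed keys.
APPROVED_EXCEPTIONS = {"s3:static-assets"}


def normalize(volumes, dbs, buckets):
    """Flatten the three API shapes into (resource_id, encrypted, key_arn) records."""
    out = [("ebs:" + v["VolumeId"], v.get("Encrypted", False), v.get("KmsKeyId"))
           for v in volumes]
    out += [("rds:" + d["DBInstanceIdentifier"], d.get("StorageEncrypted", False),
             d.get("KmsKeyId")) for d in dbs]
    for name, cfg in buckets.items():
        if not cfg:
            out.append(("s3:" + name, False, None))
            continue
        rule = cfg["Rules"][0]["ApplyServerSideEncryptionByDefault"]
        # AES256 is SSE-S3: encrypted, but with a key the provider owns.
        key = rule.get("KMSMasterKeyID") if rule["SSEAlgorithm"] == "aws:kms" else None
        out.append(("s3:" + name, True, key))
    return out


def classify(encrypted, key_arn, kms):
    """Steps 2 and 4: decide who controls the key protecting one resource."""
    if not encrypted:
        return "UNENCRYPTED"
    if key_arn is None:
        return "PROVIDER_MANAGED"   # SSE-S3 or a service default key
    meta = kms.get(key_arn)
    if meta is None:
        return "UNKNOWN_KEY"        # not in the export: control cannot be proven
    return "CUSTOMER_MANAGED" if meta["KeyManager"] == "CUSTOMER" else "PROVIDER_MANAGED"


def key_findings(meta):
    """Steps 5 and 6: flag disabled rotation and unconditional wildcard-principal Allows."""
    findings = []
    if not meta.get("KeyRotationEnabled"):
        findings.append("rotation disabled")
    for stmt in meta["KeyPolicy"].get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict)
                                        and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            findings.append("unconditional Allow to any principal")
    return findings


def assess(volumes, dbs, buckets, kms, exceptions):
    """Per-resource class, per-CMK findings and an overall pass verdict."""
    resources = {rid: classify(enc, key, kms)
                 for rid, enc, key in normalize(volumes, dbs, buckets)}
    cmk = {arn: key_findings(m) for arn, m in kms.items() if m["KeyManager"] == "CUSTOMER"}
    non_compliant = sorted(r for r, c in resources.items()
                           if c != "CUSTOMER_MANAGED" and r not in exceptions)
    return {"resources": resources, "cmk_findings": cmk,
            "non_compliant": non_compliant,
            "pass": not non_compliant and not any(cmk.values())}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(EBS_VOLUMES, RDS_INSTANCES, S3_BUCKETS,
                            KMS_EXPORT, APPROVED_EXCEPTIONS), indent=2))
```

Two design points matter for the auditor. A key that a resource references but that is absent from the KMS export is reported as `UNKNOWN_KEY` rather than assumed compliant, since the organisation cannot demonstrate control over material it cannot produce. And the verdict fails on key-policy or rotation findings even when every resource references a customer-managed key, because a CMK with an unconditional wildcard principal or rotation disabled does not satisfy the access-control and rotation requirements in the pass criteria.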

Evidence required

Configuration exports from key management services showing customer-managed key definitions, key policies, IAM role bindings, and encryption settings for sampled storage resources. Screenshots or API responses demonstrating encryption-at-rest configuration for databases, object storage buckets, and block volumes with explicit CMK references. Key rotation logs, access audit trails from KMS showing key usage events, and exception documentation for storage services using provider-managed keys with compensating controls or business justification.

Pass criteria

All in-scope data-at-rest storage services use customer-managed encryption keys where technically supported by the platform, with documented and approved exceptions, and key management policies enforce appropriate access controls and rotation schedules.