SC-28(1) / A.8.24 / CIS-3.8 NIST SP 800-53 Rev 5

Default encryption set on all buckets

Demonstrate that all cloud storage buckets within the organization's environment are configured with default encryption enabled, ensuring data at rest is automatically encrypted upon write operations.

Description

What this control does

This control ensures that every cloud storage bucket (AWS S3, Azure Blob Storage, GCP Cloud Storage) has default server-side encryption configured, using either platform-managed keys (S3 SSE-S3, reported as AES256; Microsoft-managed keys on Azure; Google-managed keys on GCP) or customer-managed keys (S3 SSE-KMS with a customer-managed KMS key; Azure customer-managed keys in Key Vault; GCP CMEK). The default applies to every object written to the bucket unless a request explicitly specifies another method, so data at rest is protected against unauthorized access to the underlying storage media, provider-side insiders, and recovery from decommissioned disks or snapshots, without relying on application-layer encryption logic. Note that the major providers now encrypt at rest unconditionally (S3 has applied SSE-S3 to all new objects since January 2023; Azure Storage and Cloud Storage encrypt all data with platform keys and do not allow this to be disabled), so in practice the audit question is which key management method is configured and whether it matches the bucket's data classification: platform-managed keys leave decryption transparent to any principal with read access, whereas customer-managed keys add a key-policy check (for example kms:Decrypt) that the reader must also pass. This control is foundational for compliance with data protection regulations.

Control objective

What auditing this proves

Demonstrate that all cloud storage buckets within the organization's environment are configured with default encryption enabled, ensuring data at rest is automatically encrypted upon write operations.

Associated risks

Risks this control addresses

  • Unauthorized access to unencrypted data by malicious actors who gain access to storage backend systems or decommissioned physical media
  • Data exposure through misconfigured bucket permissions where objects are publicly accessible or shared with unauthorized third parties; platform-managed server-side encryption does not mitigate this on its own, since the service decrypts transparently for any principal allowed to read, whereas customer-managed keys add a second authorization check on the key itself
  • Insider threats from cloud provider personnel or privileged users accessing raw storage without encryption protections
  • Compliance violations under regulations such as GDPR, HIPAA, PCI DSS, or CCPA requiring encryption of sensitive data at rest
  • Loss of customer trust and reputational damage following data breach disclosures involving plaintext sensitive information
  • Forensic exposure where deleted or archived unencrypted objects remain recoverable from storage snapshots or backups without cryptographic protection

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all cloud storage buckets across all accounts, regions, and subscriptions within the organization's cloud environment using cloud provider APIs or infrastructure-as-code repositories.
  2. Review the organization's data encryption policy and standards to identify required encryption algorithms, key management approaches, and any documented exceptions for specific bucket types.
  3. Query each cloud provider's API or management console to extract the current encryption configuration for all identified buckets, including the encryption algorithm (AES256 for SSE-S3, aws:kms for SSE-KMS, and the Azure and GCP equivalents) and the key management method, including the key ID or ARN where a customer-managed key is configured.
  4. Identify any buckets where default encryption is disabled or not configured, documenting bucket name, account ID, region, creation date, and data classification level if available.
  5. Select a representative sample of buckets stratified by business unit, data classification, and cloud provider, then verify encryption settings through direct console inspection or CLI commands.
  6. For buckets using customer-managed keys, validate that the configured key ID actually resolves to a customer-managed key rather than the provider-managed default (on S3, an aws:kms rule with no KMSMasterKeyID uses the AWS-managed aws/s3 key), that key rotation is enabled, and that the key policy restricts usage to authorized services and principals only.
  7. Review cloud audit logs (CloudTrail, Azure Activity Log, Cloud Audit Logs) for the past 90 days for DeleteBucketEncryption calls (or the provider equivalents) and for PutBucketEncryption calls that changed an existing configuration, since a put that replaces SSE-KMS with SSE-S3 weakens the control without disabling it; correlate the calling principal and time with approved change records.
  8. Test a sample bucket by uploading a test object without explicit encryption parameters and confirm through object metadata inspection that server-side encryption was automatically applied.
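Steps 3, 4, 7 and 8 of this procedure can be scripted against the raw API responses. The following is an added example, not tooling from this control page or from any cloud provider: it evaluates S3 GetBucketEncryption responses against a hypothetical per-data-class policy, flags CloudTrail records that removed or downgraded default encryption, and checks a HeadObject response for the test-upload step. The bucket names, ARNs, policy and log records are constructed so the script runs offline; in practice they would be populated from boto3 and the CloudTrail export.

```python
"""Audit S3 default-encryption posture from API response shapes (steps 3, 4, 7, 8).

Added example, not the control page's own tooling. The inventory, CloudTrail
events and HeadObject response are constructed to mirror what boto3's
get_bucket_encryption / head_object and CloudTrail return, so it runs offline;
the bucket names, ARNs and the data-classification policy are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical policy: acceptable SSEAlgorithm values per data class.
# On S3, "aws:kms" with a customer-managed key ARN is the only CMK option.
POLICY = {
    "confidential": {"aws:kms"},
    "internal": {"aws:kms", "AES256"},
}


@dataclass
class Finding:
    bucket: str
    algorithm: str | None   # None when no default-encryption rule is present
    kms_key: str | None
    compliant: bool
    reason: str


def classify_bucket(name: str, data_class: str, response: dict | None) -> Finding:
    """`response` is the dict get_bucket_encryption() returns, or None when the
    call raised ServerSideEncryptionConfigurationNotFoundError."""
    if response is None:
        return Finding(name, None, None, False, "no default encryption rule")
    rule = response["ServerSideEncryptionConfiguration"]["Rules"][0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    alg, key = default["SSEAlgorithm"], default.get("KMSMasterKeyID")
    if alg not in POLICY[data_class]:
        return Finding(name, alg, key, False, f"{alg} not allowed for {data_class} data")
    if alg == "aws:kms" and key is None:
        # Omitting KMSMasterKeyID means the AWS-managed key aws/s3 is used, which
        # is not a customer-managed key: no rotation control and no key policy to scope.
        return Finding(name, alg, key, False, "aws:kms without a customer-managed key ARN")
    return Finding(name, alg, key, True, "ok")


def weakening_events(events: list[dict], classes: dict[str, str]) -> list[str]:
    """Step 7: return one line per CloudTrail record that removed or downgraded a
    bucket's default encryption. The requestParameters nesting is the shape
    assumed for these constructed records."""
    out = []
    for ev in events:
        params = ev["requestParameters"]
        bucket, who = params["bucketName"], ev["userIdentity"]["arn"]
        if ev["eventName"] == "DeleteBucketEncryption":
            out.append(f"{ev['eventTime']} {who} removed default encryption on {bucket}")
        elif ev["eventName"] == "PutBucketEncryption":
            alg = (params["ServerSideEncryptionConfiguration"]["Rule"]
                   ["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"])
            if alg not in POLICY[classes[bucket]]:
                out.append(f"{ev['eventTime']} {who} set {alg} on {bucket} ({classes[bucket]})")
    return out


def object_matches_default(head_object_response: dict, finding: Finding) -> bool:
    """Step 8: after uploading an object with no encryption parameters, confirm
    head_object() reports the bucket's default algorithm (and key, for SSE-KMS)."""
    if head_object_response.get("ServerSideEncryption") != finding.algorithm:
        return False
    if finding.algorithm == "aws:kms":
        return head_object_response.get("SSEKMSKeyId") == finding.kms_key
    return True


# Constructed inventory: bucket -> (data class, get_bucket_encryption response).
CMK = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"


def _resp(alg: str, key: str | None = None) -> dict:
    default = {"SSEAlgorithm": alg}
    if key:
        default["KMSMasterKeyID"] = key
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": True}]}}


INVENTORY = {
    "acme-pii-prod":   ("confidential", _resp("aws:kms", CMK)),
    "acme-pii-export": ("confidential", _resp("aws:kms")),   # aws/s3 managed key
    "acme-logs":       ("internal",     _resp("AES256")),
    "acme-legacy":     ("internal",     None),                # NotFound from the API
}

EVENTS = [  # constructed CloudTrail records
    {"eventTime": "2024-03-02T10:15:00Z", "eventName": "DeleteBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"bucketName": "acme-legacy"}},
    {"eventTime": "2024-03-09T08:01:00Z", "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"bucketName": "acme-pii-export", "ServerSideEncryptionConfiguration":
                           {"Rule": {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}}}},
]


def audit() -> dict[str, Finding]:
    return {b: classify_bucket(b, cls, resp) for b, (cls, resp) in INVENTORY.items()}


if __name__ == "__main__":
    for f in audit().values():
        print(f"{'PASS' if f.compliant else 'FAIL'} {f.bucket:16} {f.algorithm or '-':8} {f.reason}")
    for line in weakening_events(EVENTS, {b: c for b, (c, _) in INVENTORY.items()}):
        print("ALERT", line)
```

The two findings worth noting for an auditor are the ones a console screenshot hides: acme-pii-export shows "SSE-KMS" but with no key ARN, so it is using the AWS-managed aws/s3 key rather than a customer-managed one, and the PutBucketEncryption record on the same bucket is a downgrade to AES256 that would not appear if the log review only searched for DeleteBucketEncryption.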

Evidence required

Configuration exports from cloud provider APIs showing encryption settings for all buckets, including encryption type and key ARN/ID. Screenshots or CLI output demonstrating encryption status for sampled buckets. Cloud audit log excerpts showing bucket encryption configuration changes over the review period. Policy documentation defining encryption requirements and any approved exceptions with business justification and compensating controls.

Pass criteria

All cloud storage buckets have default encryption enabled with approved encryption methods, with no exceptions lacking documented risk acceptance and compensating controls, and audit logs confirm no unauthorized disabling or weakening of encryption during the review period.

Where this control is tested

Audit programs including this control