This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 8: How do you protect your data at rest?

Protect your data at rest by implementing multiple controls, to reduce the risk of unauthorized access or mishandling.

Resources

How Encryption Works in AWS
Securing Your Block Storage on AWS
AWS Key Management Service
Protecting Amazon S3 Data Using Encryption
Amazon EBS Encryption
Encrypting Amazon RDS Resources
AWS KMS Cryptographic Details Whitepaper
AWS Encryption SDK
AWS Crypto Tools
AWS cryptographic services and tools

Best Practices:

Implement secure key management: Encryption keys must be stored securely, with strict access control, for example, by using a key management service such as AWS KMS. Consider using different keys, and access control to the keys, combined with the AWS IAM and resource policies, to align with data classification levels and segregation requirements.
Enforce encryption at rest: Enforce your encryption requirements based on the latest standards and recommendations to help protect your data at rest.
Automate data at rest protection: Use automated tools to validate and enforce data at rest protection continuously, for example, verify that there are only encrypted storage resources.
Enforce access control: Enforce access control with least privileges and mechanisms, including backups, isolation, and versioning, to help protect your data at rest. Prevent operators from granting public access to your data.
Use mechanisms to keep people away from data: Keep all users away from directly accessing sensitive data and systems under normal operational circumstances. For example, provide a dashboard instead of direct access to a data store to run queries. Where CI/CD pipelines are not used, determine which controls and processes are required to adequately provide a normally disabled break-glass access mechanism.

Improvement Plan

Implement secure key management

Implement AWS Key Management Service (AWS KMS): AWS Key Management Service (AWS KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.
Getting started: AWS Key Management Service (AWS KMS)

Consider AWS Encryption SDK: Use the AWS Encryption SDK with AWS KMS integration when your application needs to encrypt data client-side.
AWS Encryption SDK

Enforce encryption at rest

Enforce encryption at rest for Amazon S3: Implement S3 bucket default encryption.
How do I enable default encryption for an S3 bucket?

Use AWS Secrets Manager: AWS Secrets Manager is an AWS service that makes it easy for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.
AWS Secrets Manager

Configure default encryption for new EBS volumes: Specify that you want all newly created EBS volumes to be created in encrypted form, with the option of using the default key provided by AWS, or a key that you create.
Default encryption for EBS volumes

Configure encrypted Amazon Machine Images (AMIs): Copying an existing AMI with encryption enabled will automatically encrypt root volumes and snapshots.
AMIs with encrypted Snapshots

Configure Amazon RDS encryption: Configure encryption for your Amazon RDS DB clusters and snapshots at rest by enabling the encryption option.
Encrypting Amazon RDS resources

Configure encryption in additional AWS services: For the AWS services you use, determine the encryption capabilities.
AWS Documentation

Automate data at rest protection

Enforce access control

Enforce access control: Enforce access control with least privileges, including access to encryption keys.
Introduction to Managing Access Permissions to Your Amazon S3 Resources

Separate data based on different classification levels: Use different AWS accounts for data classification levels managed by AWS Organizations.
AWS Organizations

Review AWS KMS policies: Review the level of access granted in AWS KMS policies.
Overview of managing access to your AWS KMS resources

Review S3 bucket and object permissions: Regularly review the level of access granted in Amazon S3 bucket policies. Best practice is to not have publicly readable or writeable buckets. Consider using AWS Config to detect buckets that are publicly available, and Amazon CloudFront to serve content from Amazon S3.
AWS Config Rules
Amazon S3 + Amazon CloudFront: A Match Made in the Cloud

Enable Amazon S3 versioning and object lock
Using versioning
Locking Objects Using Amazon S3 Object Lock

Use Amazon S3 Inventory: Amazon S3 Inventory Amazon S3 inventory is one of the tools you can use to audit and report on the replication and encryption status of your objects.
Amazon S3 Inventory

Review Amazon EBS and AMI sharing permissions: Sharing permissions can allow images and volumes to be shared to AWS accounts external to your workload.
Sharing an Amazon EBS Snapshot
Shared AMIs

Use mechanisms to keep people away from data

Implement mechanisms to keep people away from data: Mechanisms include using dashboards, such as Amazon QuickSight, to display data to users instead of directly querying.
Amazon QuickSight

Automate configuration management: Perform actions at a distance, enforce and validate secure configurations automatically by using a configuration management service or tool. Avoid use of bastion hosts or directly accessing EC2 instances.
AWS Systems Manager
AWS CloudFormation
CI/CD Pipeline for AWS CloudFormation templates on AWS