6.2. Data at Rest

Data at rest — stored on disks, in databases, in object stores — is vulnerable to physical theft, unauthorized access, and insider threats. Encryption at rest ensures that even if storage media is compromised, the data remains unreadable without the decryption key. But encryption alone isn't sufficient: data integrity mechanisms prevent silent modification, lifecycle policies ensure data doesn't persist beyond its useful life, and backup strategies ensure recovery from destruction. Think of data at rest like valuables in a safe: the safe (encryption) protects against theft, the tamper-evident seal (integrity) tells you if someone tried to open it, the automatic purge timer (lifecycle) destroys expired contents, and the backup copy in another location (replication) ensures survival. Without any one of these, your data protection is incomplete.

This section covers encryption services and strategies, integrity mechanisms, lifecycle management, and secure backup architectures.

Scenario: A company encrypts all S3 data with KMS but never enables versioning or Object Lock. An attacker who compromises an IAM role with s3:DeleteObject permission permanently destroys critical data — the encryption was irrelevant to this threat.

Reflection Question: Why does comprehensive data-at-rest protection require more than just encryption — and what threats does encryption NOT address?