Skip to main content

💼 SC-28 Protection of Information at Rest

  • ID: /frameworks/nist-sp-800-53-r5/sc/28

Description

Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/05
    • /frameworks/aws-fsbp-v1.0.0/cloudtrail/02
    • /frameworks/aws-fsbp-v1.0.0/codebuild/03
    • /frameworks/aws-fsbp-v1.0.0/data-firehouse/01
    • /frameworks/aws-fsbp-v1.0.0/documentdb/01
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/03
    • /frameworks/aws-fsbp-v1.0.0/ec2/03
    • /frameworks/aws-fsbp-v1.0.0/ec2/07
    • /frameworks/aws-fsbp-v1.0.0/efs/01
    • /frameworks/aws-fsbp-v1.0.0/elasticache/04
    • /frameworks/aws-fsbp-v1.0.0/es/01
    • /frameworks/aws-fsbp-v1.0.0/kinesis/01
    • /frameworks/aws-fsbp-v1.0.0/neptune/01
    • /frameworks/aws-fsbp-v1.0.0/neptune/06
    • /frameworks/aws-fsbp-v1.0.0/opensearch/01
    • /frameworks/aws-fsbp-v1.0.0/rds/03
    • /frameworks/aws-fsbp-v1.0.0/rds/04
    • /frameworks/aws-fsbp-v1.0.0/rds/27
    • /frameworks/aws-fsbp-v1.0.0/redshift/10
    • /frameworks/aws-fsbp-v1.0.0/sqs/01
  • Internal
    • ID: dec-c-98864c40

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.5] API Gateway REST API cache data should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.2] CloudTrail should have encryption at-rest enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.3] CodeBuild S3 logs should be encryptedno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DataFirehose.1] Firehose delivery streams should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.7] EBS default encryption should be enabled11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.1] Elasticsearch domains should have encryption at-rest enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Kinesis.1] Kinesis streams should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.1] Neptune DB clusters should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.6] Neptune DB cluster snapshots should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.1] OpenSearch domains should have encryption at rest enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.27] RDS DB clusters should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.10] Redshift clusters should be encrypted at restno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SQS.1] Amazon SQS queues should be encrypted at restno data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)1724no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)124no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 SC-28(1) Protection of Information at Rest _ Cryptographic Protection1014no data
💼 SC-28(2) Protection of Information at Rest _ Offline Storageno data
💼 SC-28(3) Protection of Information at Rest _ Cryptographic Keys1no data

Policies (20)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟢1🟢 x6no data
🛡️ AWS CloudTrail is not encrypted with KMS CMK🟢1🟢 x6no data
🛡️ AWS DAX Cluster Server-Side Encryption is not enabled🟢1🟢 x6no data
🛡️ AWS EBS Attached Volume is not encrypted🟢1🟢 x6no data
🛡️ AWS EFS File System encryption is not enabled🟢1🟢 x6no data
🛡️ AWS RDS Instance Encryption is not enabled🟢1🟢 x6no data
🛡️ Azure App Service FTP deployments are not disabled🟢1🟢 x6no data
🛡️ Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled🟢1🟢 x6no data
🛡️ Azure SQL Server Transparent Data Encryption Protector is not encrypted with Customer-managed key🟢1🟢 x6no data
🛡️ Azure Storage Account Require Infrastructure Encryption is not enabled🟢1🟢 x6no data
🛡️ Azure Storage Account With Critical Data is not encrypted with customer managed key🟢⚪🟢 x2, ⚪ x1no data
🛡️ Google BigQuery Dataset is not encrypted with Customer-Managed Encryption Key (CMEK)🟢1🟢 x6no data
🛡️ Google BigQuery Table is not encrypted with Customer-Managed Encryption Key (CMEK)🟢1🟢 x6no data
🛡️ Google Dataproc Cluster is not encrypted using Customer-Managed Encryption Key🟢1🟢 x6no data
🛡️ Google GCE Disk for critical VMs is not encrypted with Customer-Supplied Encryption Key (CSEK)🟢1🟢 x6no data
🛡️ Google GCE Instance Confidential Compute is not enabled🟢1🟢 x6no data

Internal Rules

RulePoliciesFlags
✉️ dec-x-0bdcd2761
✉️ dec-x-5c3c20671
✉️ dec-x-6ba5ecd21
✉️ dec-x-6ed261671
✉️ dec-x-14f5fc251
✉️ dec-x-230b5e351
✉️ dec-x-966d31831
✉️ dec-x-995424b72
✉️ dec-x-aef11ebd1
✉️ dec-x-c0a7793e1
✉️ dec-x-c2bf987a1
✉️ dec-x-e9e997041