SOC 2 Encryption at Rest in AWS S3

S3 comes with essentially 3 types of encryption at rest:

• Server-side (AES256) with no keys
• KMS with AWS supplied key that can only rotate every 3 years
• KMS with a Customer Management Key (CMK), that can be rotated once a year

What is the minimal level of encryption on S3 considered SOC 2 compliant?

Comments

  • Hey Tom,

    Someone from the Customer Success team likely already reached out to you with this answer, but in case you're still looking (and for the benefit of anyone else viewing), here's an answer from our Labs team:

    "There are no specific defined requirements in SOC 2 with respect to the minimal level of encryption on S3 to achieve compliance. The standard just recommends a stronger form of encryption, therefore the following options are the recommendations:

    • KMS with AWS supplied key that can only rotate every 3 years.
    • KMS with a Customer Management Key (CMK), that can be rotated once a year.

    If you already have the AC8.8 - Encryption and Key Management in scope, then an AWS supplied key works better."

    Hope that helps clear things up!
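To make the three tiers from the thread checkable, here is an added example (my code, not from the thread, the poster or AWS) that classifies a bucket's default encryption from the response shapes of boto3's `get_bucket_encryption`, `describe_key` and `get_key_rotation_status`. It makes no AWS calls; the sample responses and the key ARN are constructed.

```python
# Added example: rank an S3 bucket's default encryption into the tiers discussed in
# the thread (none / SSE-S3 / SSE-KMS with AWS-managed key / SSE-KMS with a CMK) and
# flag a CMK whose automatic rotation is switched off. Inputs mirror the dicts that
# boto3 returns; nothing here talks to AWS, the samples below are constructed.

def assess_bucket(bucket_enc, key_meta=None, rotation=None):
    """Return (tier, findings). key_meta and rotation are the KMS describe_key and
    get_key_rotation_status responses for the bucket's default key, or None."""
    rules = bucket_enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "unencrypted", ["no default encryption rule configured"]
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "SSE-S3", ["S3-managed keys; no customer control over rotation"]
    if algo != "aws:kms":
        return "unencrypted", [f"unrecognised SSEAlgorithm {algo!r}"]
    # aws:kms with no KMSMasterKeyID (or the aws/s3 alias) means the AWS-managed
    # key for S3, whose rotation schedule is set by AWS, not by the account.
    key_id = default.get("KMSMasterKeyID", "")
    manager = (key_meta or {}).get("KeyMetadata", {}).get("KeyManager")
    if not key_id or key_id.endswith("alias/aws/s3") or manager == "AWS":
        return "SSE-KMS (AWS-managed key)", ["rotation schedule is fixed by AWS"]
    findings = []
    if not (rotation or {}).get("KeyRotationEnabled", False):
        findings.append("customer-managed key has automatic rotation disabled")
    return "SSE-KMS (customer-managed key)", findings


# Constructed sample responses (example account id and key id, not real resources).
SAMPLES = {
    "sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "aws-key": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "cmk": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
}
CMK_META = {"KeyMetadata": {"KeyManager": "CUSTOMER"}}

if __name__ == "__main__":
    print(assess_bucket({}))
    print(assess_bucket(SAMPLES["sse-s3"]))
    print(assess_bucket(SAMPLES["aws-key"]))
    print(assess_bucket(SAMPLES["cmk"], CMK_META, {"KeyRotationEnabled": False}))
    print(assess_bucket(SAMPLES["cmk"], CMK_META, {"KeyRotationEnabled": True}))
```

In a real audit sweep the three dicts come from `s3.get_bucket_encryption(Bucket=...)`, `kms.describe_key(KeyId=...)` and `kms.get_key_rotation_status(KeyId=...)`; `get_bucket_encryption` raises `ServerSideEncryptionConfigurationNotFoundError` for a bucket with no rule, which maps to the "unencrypted" tier here.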
