
SOC 2 Encryption at Rest in AWS S3

S3 comes with essentially 3 types of encryption at rest:

  • Server-side (AES256) with no keys
  • KMS with AWS supplied key that can only rotate every 3 years
  • KMS with a Customer Management Key (CMK), that can be rotated once a year.

What is the minimal level of encryption on S3 considered SOC 2 compliant?

Comments

  • Hey Tom,

    Someone from the Customer Success team likely already reached out to you with this answer, but in case you're still looking (and for the benefit of anyone else viewing), here's an answer from our Labs team:

    "There are no specific defined requirements in SOC 2 with respect to the minimal level of encryption on S3 to achieve compliance. The standard just recommends a stronger form of encryption, therefore the following options are the recommendations:

    • KMS with AWS supplied key that can only rotate every 3 years.
    • KMS with a Customer Management Key (CMK), that can be rotated once a year.

    If you already have the AC8.8 - Encryption and Key Management in scope, then an AWS supplied key works better."

    Hope that helps clear things up!
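The three tiers in the question and the answer's recommendation translate into a concrete check: read each bucket's default-encryption rule, resolve the KMS key it points at, and rank the result. The script below is an added example for this thread, not code from the original poster or from the vendor. It works on the response shapes of s3:GetBucketEncryption, kms:DescribeKey and kms:GetKeyRotationStatus, so the classification runs offline against constructed sample data (the bucket names, account ID and key ARNs are made up); the `audit_account` function at the bottom is the live boto3 wrapper and needs credentials. It also flags a customer managed key whose automatic rotation is switched off, since the rotation schedule is the reason the thread prefers KMS over plain SSE-S3.

```python
"""Rank S3 default encryption against the thread's three tiers (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Tiers from the thread, weakest to strongest.
NONE = 0           # no default encryption rule on the bucket
SSE_S3 = 1         # "AES256": keys managed entirely by S3
SSE_KMS_AWS = 2    # "aws:kms" with the AWS managed key (alias aws/s3)
SSE_KMS_CMK = 3    # "aws:kms" with a customer managed key

TIER_NAMES = {
    NONE: "no default encryption",
    SSE_S3: "SSE-S3 (AES256)",
    SSE_KMS_AWS: "SSE-KMS with AWS managed key",
    SSE_KMS_CMK: "SSE-KMS with customer managed key",
}

# Shape returned by the key lookup: KeyManager from DescribeKey ('AWS' or
# 'CUSTOMER') plus KeyRotationEnabled from GetKeyRotationStatus.
KeyInfo = dict


@dataclass
class Finding:
    bucket: str
    tier: int
    key_id: str | None = None
    rotation_enabled: bool | None = None  # only meaningful for SSE-KMS tiers

    def meets(self, minimum: int, require_rotation: bool = True) -> bool:
        """True when the bucket is at/above the minimum tier and, for
        SSE-KMS, the key has automatic rotation enabled."""
        if self.tier < minimum:
            return False
        if require_rotation and self.tier >= SSE_KMS_AWS and not self.rotation_enabled:
            return False
        return True

    def describe(self) -> str:
        text = f"{self.bucket}: {TIER_NAMES[self.tier]}"
        if self.key_id:
            text += f" key={self.key_id} rotation={'on' if self.rotation_enabled else 'off'}"
        return text


def classify(bucket: str, enc_config: dict | None,
             key_lookup: Callable[[str], KeyInfo]) -> Finding:
    """Map one get_bucket_encryption 'ServerSideEncryptionConfiguration' value
    (None when the call raised ServerSideEncryptionConfigurationNotFoundError)
    to a tier."""
    if not enc_config or not enc_config.get("Rules"):
        return Finding(bucket, NONE)
    rule = enc_config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    algo = rule["SSEAlgorithm"]
    if algo == "AES256":
        return Finding(bucket, SSE_S3)
    if algo not in ("aws:kms", "aws:kms:dsse"):
        raise ValueError(f"{bucket}: unexpected SSEAlgorithm {algo!r}")
    # KMSMasterKeyID is optional; when absent S3 uses the AWS managed aws/s3 key.
    key_id = rule.get("KMSMasterKeyID") or "alias/aws/s3"
    info = key_lookup(key_id)
    tier = SSE_KMS_CMK if info["KeyManager"] == "CUSTOMER" else SSE_KMS_AWS
    return Finding(bucket, tier, key_id, bool(info.get("KeyRotationEnabled")))


def audit(buckets: dict, key_lookup: Callable[[str], KeyInfo],
          minimum: int = SSE_KMS_AWS, require_rotation: bool = True) -> list:
    """Return the findings for every bucket that fails the policy."""
    findings = [classify(name, cfg, key_lookup) for name, cfg in buckets.items()]
    return [f for f in findings if not f.meets(minimum, require_rotation)]


# ---- Constructed sample data (fictional account, keys and buckets) ----------
CMK_ROTATED = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"
CMK_STALE = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000002"
SAMPLE_KEYS = {
    "alias/aws/s3": {"KeyManager": "AWS", "KeyRotationEnabled": True},
    CMK_ROTATED: {"KeyManager": "CUSTOMER", "KeyRotationEnabled": True},
    CMK_STALE: {"KeyManager": "CUSTOMER", "KeyRotationEnabled": False},
}


def _rule(algo: str, key_id: str | None = None) -> dict:
    """Build a ServerSideEncryptionConfiguration as get_bucket_encryption returns it."""
    by_default = {"SSEAlgorithm": algo}
    if key_id:
        by_default["KMSMasterKeyID"] = key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default,
                       "BucketKeyEnabled": True}]}


SAMPLE_BUCKETS = {
    "legacy-logs": None,                          # no rule configured
    "public-assets": _rule("AES256"),             # SSE-S3
    "app-data": _rule("aws:kms"),                 # SSE-KMS, AWS managed key
    "finance-exports": _rule("aws:kms", CMK_ROTATED),
    "stale-cmk": _rule("aws:kms", CMK_STALE),     # CMK but rotation off
}


def audit_account(minimum: int = SSE_KMS_AWS) -> list:
    """Live variant: needs boto3 and s3:GetEncryptionConfiguration,
    kms:DescribeKey and kms:GetKeyRotationStatus permissions."""
    import boto3
    from botocore.exceptions import ClientError
    s3, kms = boto3.client("s3"), boto3.client("kms")

    def lookup(key_id: str) -> KeyInfo:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        rot = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
        return {"KeyManager": meta["KeyManager"], "KeyRotationEnabled": rot}

    buckets = {}
    for b in s3.list_buckets()["Buckets"]:
        try:
            buckets[b["Name"]] = s3.get_bucket_encryption(
                Bucket=b["Name"])["ServerSideEncryptionConfiguration"]
        except ClientError as e:
            if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            buckets[b["Name"]] = None
    return audit(buckets, lookup, minimum)


if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKETS, SAMPLE_KEYS.__getitem__):
        print("FAIL", finding.describe())
```

Run as-is it reports the constructed `legacy-logs`, `public-assets` and `stale-cmk` buckets; raising `minimum` to `SSE_KMS_CMK` adds `app-data`, which is the stricter reading of the answer above. One caveat on the rotation periods quoted in the thread: AWS has since changed AWS managed keys to rotate yearly rather than every three years, so treat those figures as accurate for the time of the post and verify the current schedule in the KMS documentation.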