SEC 1. How are you encrypting and protecting your data at rest?

A traditional security control is to encrypt data at rest. AWS supports this using both client-side (e.g., SDK-supported, OS-supported, Windows Bitlocker, dm-crypt, Trend Micro SafeNet, etc.) and server-side (e.g., Amazon S3 ). You can also use Server-Side Encryption (SSE) and Amazon Elastic Block Store Encrypted Volumes, etc.

Best practices:

 Data at rest is encrypted using AWS service specific controls (e.g., Amazon S3 SSE, Amazon EBS encrypted volumes, Amazon Relational Database Service (RDS) Transparent Data Encryption (TDE), etc.).
 Data at rest is encrypted using client side techniques.
 A solution from the AWS Marketplace or from an APN Partner.