Encryption at Rest as the 2026 Default
Most clouds now offer encryption by default. What remains is to enforce that configuration and verify it.
Default-on encryption
Default-on encryption removes the per-resource decision entirely. The team configures the account once, and every resource provisioned afterwards inherits the encrypted-by-default setting.
- Account-level setting. AWS, GCP, and Azure all expose a “new resources encrypted by default” toggle for major services. Set it at account creation and never revisit.
- Default-encryptable services. S3, EBS, RDS, DynamoDB all support default-on. Enable each one explicitly so the audit trail is clear.
- Cloud-managed vs customer-managed split. Cloud-managed keys cover most workloads. Higher-sensitivity tiers move to customer-managed keys with documented rotation.
- IaC-enforced. Encode the default in Terraform. Manual console toggles drift; code does not.
Verifying encryption
Default-on does not verify itself. Config rules and quarterly audits catch the rare cases where a resource slips past the default or a manual override turns it off.
- Config rules per resource type. AWS Config “encryption-enabled” rules flag any non-compliant resource as it appears.
- Quarterly audit. Run an unencrypted-resource scan once per quarter. Anything found becomes an immediate remediation ticket.
- Compliance report. Per-resource-type encryption posture for the auditor. Encryption questions in the SOC2 review disappear.
- Auto-remediation. Encrypt-on-detect rules close the gap faster than humans. A resource is unencrypted for minutes, not days.
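The quarterly scan and the per-resource-type posture report above, as an added example that is not part of the original page: it evaluates an inventory shaped like EC2 DescribeVolumes and S3 GetBucketEncryption output, splits resources into unencrypted, cloud-managed and customer-managed (the tier split described earlier), and emits a remediation ticket per unencrypted resource. The inventory is constructed sample data; it assumes a prior collection step has resolved each volume's KmsKeyId to its alias.

```python
"""Quarterly encryption-posture scan over an API-shaped inventory (added example)."""
from collections import Counter

# Constructed sample: EBS volumes as returned by DescribeVolumes, with KmsKeyId
# already resolved to an alias (assumption). alias/aws/ebs is the AWS-managed key.
VOLUMES = [
    {"VolumeId": "vol-0a", "Encrypted": True, "KmsKeyAlias": "alias/aws/ebs"},
    {"VolumeId": "vol-0b", "Encrypted": False, "KmsKeyAlias": None},
    {"VolumeId": "vol-0c", "Encrypted": True, "KmsKeyAlias": "alias/tenant-42-data"},
]
# Constructed sample: bucket name -> GetBucketEncryption config, or None when the
# call found no explicit default-encryption rule on the bucket.
BUCKETS = {
    "logs-archive": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "tenant-42-exports": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/tenant-42-data"}}]},
    "scratch-uploads": None,
}


def classify_volume(volume):
    """Unencrypted, cloud-managed (aws/ebs key) or customer-managed (any other key)."""
    if not volume["Encrypted"]:
        return "unencrypted"
    return "cloud-managed" if volume["KmsKeyAlias"] == "alias/aws/ebs" else "customer-managed"


def classify_bucket(config):
    """No explicit rule counts as non-compliant: the policy requires enabling it explicitly."""
    if not config:
        return "unencrypted"
    default = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    if default["SSEAlgorithm"] == "AES256":  # SSE-S3, key managed by the service
        return "cloud-managed"
    # aws:kms without a KMSMasterKeyID falls back to the AWS-managed aws/s3 key
    return "customer-managed" if default.get("KMSMasterKeyID") else "cloud-managed"


def scan(volumes, buckets):
    """Return (remediation tickets, per-resource-type posture counts)."""
    tickets = []
    posture = {"ebs": Counter(), "s3": Counter()}
    for volume in volumes:
        tier = classify_volume(volume)
        posture["ebs"][tier] += 1
        if tier == "unencrypted":
            tickets.append(("ebs", volume["VolumeId"]))
    for name, config in buckets.items():
        tier = classify_bucket(config)
        posture["s3"][tier] += 1
        if tier == "unencrypted":
            tickets.append(("s3", name))
    return tickets, {rtype: dict(counts) for rtype, counts in posture.items()}
```

The posture dict is the per-resource-type summary the auditor sees; the tickets list is what the remediation queue receives.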
KMS for sensitive data
KMS handles the high-sensitivity tier. Customer-managed keys grant the team explicit control over rotation, access policy, and per-tenant blast-radius scoping.
- Customer-managed keys. The team owns the key lifecycle for the highest-sensitivity data. Cloud-managed defaults cover everything else.
- Per-tenant or per-application granularity. One compromised key affects one tenant, not the whole platform.
- Access logging. CloudTrail logs every key operation. Suspicious patterns surface in the same review pipeline as the rest of the audit log.
- Documented rotation cadence. Each key carries a written rotation policy. Auditors check the policy, not the key.
Why default-on matters
Default-on is a multiplier on every later security investment. The cost is near zero and the cleanup it removes is endless.
- Cost is minimal. Cloud providers absorb the encryption overhead. The direct cost is rounding error.
- Clean compliance posture. Auditor-verifiable default-on status removes a recurring question from every SOC2 cycle.
- Defence in depth. Combined with in-transit encryption, attackers face two layers instead of one.
- No-exception policy. A documented “no unencrypted production data” rule catches edge cases that slip past Config rules.