Cloud & Infrastructure Practical By Samson Tanimawo, PhD Published Jan 13, 2026 4 min read

Encryption at Rest as the 2026 Default

Most clouds now encrypt at rest by default. What remains is configuration: enforce the default everywhere you deploy, then verify it.

Default-on encryption

AWS, GCP and Azure all encrypt major services at rest by default. Where the default is a setting rather than always-on, it is scoped per account and per region: set it in every region you use, not just the first one.

S3 and DynamoDB encrypt every new object and table whether asked or not. EBS: turn on encryption by default once per region at account setup; new volumes and snapshots inherit. RDS: storage encryption is chosen at instance creation and cannot be added afterwards, so enforce it at creation and migrate existing instances through an encrypted snapshot copy.

Key management: the defaults use provider-owned or AWS-managed keys (aws/ebs, aws/rds); customer managed keys (the older AWS term is CMK) for higher sensitivity, where you need to own the key policy and rotation yourself.

Verifying encryption

AWS Config managed rules per resource type: encrypted-volumes, rds-storage-encrypted, s3-bucket-server-side-encryption-enabled, ec2-ebs-encryption-by-default. Non-compliant resources flagged in the console and as compliance-change events; remediation can be automated.

Periodic audit: enumerate resources without encryption yourself, not just the Config dashboard. Drift surfaces (a volume restored from an old unencrypted snapshot, a database created before the rule existed); remediate. Most services cannot encrypt in place, so remediation means an encrypted copy and a cutover.

Quarterly compliance report: encryption posture per resource type, including which key class (provider-owned, AWS-managed, customer managed) protects each resource.
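The audit in practice, as an added example (not code from the original post): Python functions that classify AWS describe-*/get-* responses and roll them into a per-resource-type posture report, run here on constructed sample responses. collect_live() applies the same checks to a live account and assumes boto3 plus read-only credentials; every resource ID and ARN below is invented.

```python
"""Encryption-at-rest audit over AWS describe-*/get-* responses.

Added example, not code from the original post. Each check takes the response
dict boto3 returns, so the checks run offline on the constructed samples below
and can be pointed at a live account via collect_live() (assumes boto3 and
read-only credentials; invented IDs and ARNs throughout).
"""
from __future__ import annotations


def unencrypted_ebs_volumes(describe_volumes: dict) -> list[str]:
    """Volume IDs with Encrypted == False, e.g. restored from an old unencrypted
    snapshot or created in a region where encryption-by-default is still off."""
    return [v["VolumeId"] for v in describe_volumes.get("Volumes", [])
            if not v.get("Encrypted", False)]


def unencrypted_rds_instances(describe_db_instances: dict) -> list[str]:
    """Instances created without StorageEncrypted. RDS cannot encrypt in place:
    remediation is snapshot -> encrypted copy -> restore -> cut over."""
    return [d["DBInstanceIdentifier"] for d in describe_db_instances.get("DBInstances", [])
            if not d.get("StorageEncrypted", False)]


def s3_default_encryption(bucket_encryption: dict | None) -> str:
    """'SSE-KMS', 'SSE-S3' or 'none'. Pass None when get_bucket_encryption raised
    ServerSideEncryptionConfigurationNotFoundError (no default rule configured)."""
    if not bucket_encryption:
        return "none"
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if algorithms & {"aws:kms", "aws:kms:dsse"}:
        return "SSE-KMS"
    return "SSE-S3" if "AES256" in algorithms else "none"


def dynamodb_key_class(describe_table: dict) -> str:
    """DynamoDB tables are always encrypted; what varies is the key. No
    SSEDescription in the DescribeTable output means the AWS-owned key."""
    sse = describe_table.get("Table", {}).get("SSEDescription")
    return "KMS:" + sse.get("KMSMasterKeyArn", "unknown") if sse else "AWS_OWNED"


def posture_report(volumes: dict, rds: dict, buckets: dict[str, dict | None],
                   tables: dict[str, dict]) -> dict:
    """Per-resource-type summary, the shape a quarterly report needs."""
    modes = {name: s3_default_encryption(cfg) for name, cfg in buckets.items()}
    return {
        "ebs": {"total": len(volumes.get("Volumes", [])), "unencrypted": unencrypted_ebs_volumes(volumes)},
        "rds": {"total": len(rds.get("DBInstances", [])), "unencrypted": unencrypted_rds_instances(rds)},
        "s3": {"total": len(buckets), "modes": modes,
               "no_default": sorted(b for b, m in modes.items() if m == "none")},
        "dynamodb": {name: dynamodb_key_class(t) for name, t in tables.items()},
    }


def collect_live(region: str) -> dict:
    """Same report from a live account. boto3 is imported lazily so the offline
    checks above need no SDK. Pagination of list calls is omitted here."""
    import boto3
    from botocore.exceptions import ClientError
    ec2, rds, s3, ddb = (boto3.client(svc, region_name=region) for svc in ("ec2", "rds", "s3", "dynamodb"))
    buckets = {}
    for b in s3.list_buckets()["Buckets"]:
        try:
            buckets[b["Name"]] = s3.get_bucket_encryption(Bucket=b["Name"])
        except ClientError as err:  # only the "no default rule" error means no default encryption
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            buckets[b["Name"]] = None
    tables = {n: ddb.describe_table(TableName=n) for n in ddb.list_tables()["TableNames"]}
    return posture_report(ec2.describe_volumes(), rds.describe_db_instances(), buckets, tables)


# Constructed sample responses: shapes follow the AWS APIs, identifiers are invented.
SAMPLE_VOLUMES = {"Volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True},
                              {"VolumeId": "vol-0bbb", "Encrypted": False}]}
SAMPLE_RDS = {"DBInstances": [{"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True},
                              {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False}]}
SAMPLE_BUCKETS = {
    "logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/logs"}}]}},
    "static": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "tmp": None,
}
SAMPLE_TABLES = {
    "sessions": {"Table": {"TableName": "sessions"}},
    "pii": {"Table": {"TableName": "pii", "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS",
            "KMSMasterKeyArn": "arn:aws:kms:eu-west-1:111122223333:key/k2"}}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(posture_report(SAMPLE_VOLUMES, SAMPLE_RDS, SAMPLE_BUCKETS, SAMPLE_TABLES), indent=2))
```

Run as a script it prints the report for the samples; with credentials, collect_live(region) produces the same shape from a real account. The DynamoDB check reports key class rather than an encrypted flag because every table is encrypted; what the report needs to show is whether the provider-owned default or a customer managed key protects it.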

KMS for sensitive data

Customer managed keys for the highest-sensitivity data. You control the key policy (who may Decrypt), rotation (automatic on a schedule you set, or manual) and the kill switch: disabling the key or scheduling its deletion makes every ciphertext under it unreadable.

Per-tenant or per-application keys. A compromised role reaches only the data under the keys its policy names: granular blast radius, and a clean answer when one tenant asks for proof of isolation or of deletion.

Audit: every KMS API call (Decrypt, GenerateDataKey, policy changes, DisableKey, ScheduleKeyDeletion) lands in CloudTrail with the calling principal and the encryption context. Alert on denied data operations, on Decrypt from principals the key policy was not written for, and on any lifecycle change.
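Per-tenant keys and the audit trail on them, as an added example that is not from the original post: tenant_key_policy() builds a key policy that keeps account root on administrative actions only and grants data operations to one application role under one encryption context; suspicious_kms_events() runs the review described above over constructed CloudTrail events. Account ID, role names, key ARN and events are all invented.

```python
"""Per-tenant KMS key policy, plus a CloudTrail review of who actually used the key.

Added example, not code from the original post. The account ID, tenant and
role names, key ARN and CloudTrail events are constructed for illustration.
"""
from __future__ import annotations

DATA_OPS = {"Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
            "ReEncryptFrom", "ReEncryptTo"}
LIFECYCLE_OPS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}
# Administrative actions (the set the AWS console's default key policy grants to
# key administrators): enough to manage the key, none of them read data.
ADMIN_OPS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
             "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
             "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]


def tenant_key_policy(account_id: str, tenant: str, app_role: str) -> dict:
    """Key policy for one tenant's key. Account root keeps administrative actions
    only: enough to manage the key (a key with no admin principal is unmanageable),
    but not kms:*, so IAM policies elsewhere in the account cannot grant Decrypt on
    it. Only the tenant's application role gets data operations, and only with an
    encryption context naming this tenant, so a Decrypt arriving with another
    tenant's context is refused by KMS before the key is touched."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration",
             "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": ADMIN_OPS,
             "Resource": "*"},
            {"Sid": f"DataOps-{tenant}",
             "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{app_role}"},
             "Action": sorted("kms:" + op for op in DATA_OPS | {"DescribeKey"}),
             "Resource": "*",
             "Condition": {"StringEquals": {"kms:EncryptionContext:tenant": tenant}}},
        ],
    }


def _role_name(identity_arn: str) -> str:
    """'arn:aws:sts::111122223333:assumed-role/OrdersApp/i-0abc' -> 'OrdersApp';
    'arn:aws:iam::111122223333:user/bob' -> 'bob'; '...:root' -> 'root'."""
    parts = identity_arn.rsplit(":", 1)[-1].split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def suspicious_kms_events(events: list[dict], expected_users: dict[str, set[str]]) -> list[dict]:
    """Review CloudTrail KMS events against expected_users (key ARN -> role names
    allowed data operations on it). Flags every denied data operation (probing, or
    a mis-routed tenant), every successful data operation by a role outside the
    allow list, and every key lifecycle change. DescribeKey and similar are noise."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name = ev.get("eventName")
        # Denied calls often carry no "resources" element; key_arn is then None.
        key_arn = next((r["ARN"] for r in ev.get("resources", []) if ":key/" in r.get("ARN", "")), None)
        actor = _role_name(ev.get("userIdentity", {}).get("arn", ""))
        reason = None
        if name in LIFECYCLE_OPS:
            reason = "key-lifecycle-change"
        elif name in DATA_OPS and ev.get("errorCode"):
            reason = "denied-data-op:" + ev["errorCode"]
        elif name in DATA_OPS and key_arn in expected_users and actor not in expected_users[key_arn]:
            reason = "unexpected-principal"
        if reason:
            findings.append({"time": ev.get("eventTime"), "event": name, "key": key_arn,
                             "actor": actor, "reason": reason})
    return findings


# Constructed sample: one tenant key, its expected user, and five CloudTrail events.
KEY_ORDERS = "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"
EXPECTED_USERS = {KEY_ORDERS: {"OrdersApp"}}
_STS = "arn:aws:sts::111122223333:assumed-role/"
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T09:00:01Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": _STS + "OrdersApp/i-0abc"}, "resources": [{"ARN": KEY_ORDERS}],
     "requestParameters": {"encryptionContext": {"tenant": "orders"}}},  # expected use
    {"eventTime": "2026-01-10T09:00:07Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": _STS + "BillingApp/i-0def"}, "errorCode": "AccessDenied"},  # other tenant probing
    {"eventTime": "2026-01-10T09:02:30Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": _STS + "AdminRole/alice"}, "resources": [{"ARN": KEY_ORDERS}]},  # admin read succeeded
    {"eventTime": "2026-01-10T09:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": _STS + "AdminRole/alice"}, "resources": [{"ARN": KEY_ORDERS}]},  # noise
    {"eventTime": "2026-01-10T09:06:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": _STS + "AdminRole/alice"}, "resources": [{"ARN": KEY_ORDERS}]},  # data about to vanish
]

if __name__ == "__main__":
    import json
    print(json.dumps(tenant_key_policy("111122223333", "orders", "OrdersApp"), indent=2))
    for finding in suspicious_kms_events(SAMPLE_EVENTS, EXPECTED_USERS):
        print(finding)
```

Three of the five events are flagged: the denied Decrypt from BillingApp, the successful Decrypt by AdminRole (under the policy above that call should have been impossible, so a success means the key policy was loosened and both events deserve a look), and the ScheduleKeyDeletion. The matching is by role name because assumed-role ARNs carry a per-session suffix.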

Why default-on matters

Cost is effectively zero at the default: provider-owned keys carry no charge and the encryption is transparent to the workload. Customer managed keys add a monthly per-key fee and per-request charges, so reserve them for data that needs the control.

Compliance posture clean. Auditors verify default-on plus the Config rule that proves it; per-resource encryption questions disappear.

Defence in depth. Encryption in transit plus at rest covers two attack vectors: interception on the wire, and stolen, leaked or mis-decommissioned storage media. Know the limit: at rest with provider-managed keys does nothing against an attacker holding valid IAM credentials, because the API decrypts for them transparently. That threat is what least-privilege IAM and restrictive key policies address.