Encryption at Rest Everywhere

Default encryption. The patterns and verification.

Default-on

Account-level setting. New resources inherit.

S3, EBS, RDS all support.

Verify

Config rules per resource type.

Non-compliant flagged.

KMS

Customer-managed keys for sensitive data.

Audit log on every use.