Creator: Anand Sundar
Date: September 2025
Focus: Encryption-at-Rest Validation for AWS
Encryption-at-rest is one of the most fundamental security controls in cloud environments. Auditors constantly ask: "Can you prove all your data is encrypted?" If you can't answer that with real evidence, it's a problem.
This lab helps you solve that problem. Instead of screenshots or ad-hoc checks, you'll automate encryption validation across S3 buckets and EBS volumes, assess KMS usage, and generate JSON/CSV reports mapped directly to SOC 2 and NIST requirements.
By the end of this lab, you'll have:
- A Python-based tool that validates S3, EBS, and KMS encryption settings
- JSON and CSV reports mapped to SOC 2 CC6.1 and NIST SC-28
- A portfolio-ready project that demonstrates encryption evidence collection
- A clear example for interviews and LinkedIn posts
| Control | Framework | Description |
|---|---|---|
| CC6.1 | SOC 2 | Logical and physical access to information assets is limited to authorized users |
| SC-28 | NIST 800-53 | Protection of information at rest |
Before starting this lab, ensure you have:
- Python 3.8 or higher installed
- AWS Account with appropriate access
- AWS CLI installed and configured
- AWS Credentials configured (via AWS CLI or environment variables)
The following AWS IAM permissions are required for the script to run:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBuckets",
"s3:GetBucketEncryption",
"s3:GetBucketLocation",
"ec2:DescribeVolumes",
"ec2:DescribeRegions",
"kms:ListKeys",
"kms:DescribeKey",
"kms:GetKeyRotationStatus",
"sts:GetCallerIdentity"
],
"Resource": "*"
}
]
}Create a new folder for this lab:
mkdir cloud-encryption-lab
cd cloud-encryption-labCreate a Python virtual environment to isolate dependencies:
On Windows:
python -m venv venv
venv\Scripts\activateOn macOS/Linux:
python3 -m venv venv
source venv/bin/activateInstall the required Python packages:
pip install boto3Or install from requirements.txt:
pip install -r requirements.txtEnsure your AWS credentials are configured:
aws configureOr set environment variables:
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_DEFAULT_REGION=us-east-1Run the script with your AWS profile:
python encryption_validator.pypython encryption_validator.py --region us-west-2 --output-dir ./reportsAvailable Options:
| Option | Description | Default |
|---|---|---|
--region |
AWS region to scan | us-east-1 |
--all-regions |
Scan all AWS regions | False |
--output-dir |
Output directory for reports | ./evidence |
--profile |
AWS profile name | default |
The JSON report contains detailed findings with:
{
"scan_metadata": {
"scan_date": "2025-09-10T12:00:00Z",
"aws_account_id": "123456789012",
"regions_scanned": ["us-east-1"],
"total_resources_checked": 25
},
"summary": {
"compliant": 18,
"non_compliant": 5,
"warning": 2,
"compliance_percentage": 72
},
"findings": [
{
"resource_type": "AWS::S3::Bucket",
"resource_id": "my-bucket",
"status": "PASS",
"risk_level": "LOW",
"encryption_type": "AES256",
"compliance_mappings": ["SOC 2 CC6.1", "NIST SC-28"]
}
]
}The CSV summary provides audit-ready evidence:
| Resource Type | Resource ID | Status | Risk Level | Encryption Type | SOC 2 CC6.1 | NIST SC-28 |
|---|---|---|---|---|---|---|
| S3 Bucket | my-bucket | COMPLIANT | LOW | AES256 | YES | YES |
| EBS Volume | vol-12345 | NON-COMPLIANT | HIGH | None | NO | NO |
| KMS Key | key-67890 | COMPLIANT | LOW | SSE-KMS | YES | YES |
| Risk Level | Description | Example |
|---|---|---|
| CRITICAL | No encryption on sensitive data | Unencrypted EBS volume in production |
| HIGH | Missing default encryption | S3 bucket without default encryption |
| MEDIUM | KMS key without rotation | Customer-managed KMS key, rotation disabled |
| LOW | Suboptimal configuration | Using AES256 instead of SSE-KMS |
Create test resources that are fully compliant:
# Create encrypted S3 bucket
aws s3api create-bucket --bucket my-encrypted-bucket --region us-east-1
aws s3api put-bucket-encryption --bucket my-encrypted-bucket --server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}]
}'Create resources with varying encryption states:
# Create unencrypted S3 bucket (for testing)
aws s3api create-bucket --bucket my-unencrypted-bucket --region us-east-1
# Don't set encryption - this will be flaggedTemporarily disable encryption to test detection:
# Create EBS volume without encryption
aws ec2 create-volume --availability-zone us-east-1a --size 10 --volume-type gp2Issue: S3 bucket lacks default encryption
Remediation:
aws s3api put-bucket-encryption --bucket BUCKET_NAME --server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}]
}'Issue: EBS volume not encrypted
Note: EBS volumes cannot be encrypted after creation. You must:
- Create a snapshot
- Copy the snapshot with encryption enabled
- Create a new volume from the encrypted snapshot
- Attach to the instance
Issue: Customer-managed KMS key without automatic rotation
Remediation:
aws kms enable-key-rotation --key-id KEY_IDWhen auditors request encryption evidence, provide:
- Executive Summary - The summary section from the JSON report
- Detailed Findings - The CSV report with all resources
- Risk Assessment - Resources categorized by risk level
- Remediation Plan - Action items for non-compliant resources
When asked about encryption validation, you can discuss:
- How you automated S3 encryption checks using boto3
- How you assessed EBS volume encryption across regions
- How you evaluated KMS key rotation policies
- How you mapped findings to SOC 2 and NIST requirements
- How you generated audit-ready reports in JSON and CSV formats
"Just completed a GRC Engineering lab where I automated encryption-at-rest validation in AWS. Instead of screenshots, I now have JSON and CSV evidence showing S3, EBS, and KMS compliance with SOC 2 CC6.1 and NIST SC-28 requirements.
The tool validates:
- S3 bucket default encryption
- EBS volume encryption status
- KMS key rotation status
- Generates audit-ready reports
This is how we move GRC from manual checks to engineering."
Issue: AccessDenied error
Solution: Ensure your AWS credentials have the required IAM permissions listed in the Prerequisites section.
Issue: NoCredentialsError
Solution: Run aws configure and enter your credentials, or set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.
Issue: Region not found
Solution: Ensure you're using a valid AWS region code (e.g., us-east-1, us-west-2, eu-west-1).
After completing this lab, consider:
- Adding RDS encryption checks - Validate RDS instance encryption
- Implementing Lambda scans - Run on schedule with AWS Lambda
- Creating CloudWatch alarms - Alert on unencrypted resources
- Building a dashboard - Visualize compliance over time
- Adding auto-remediation - Automatically enable encryption when safe
- AWS S3 Encryption Documentation
- AWS EBS Encryption Documentation
- AWS KMS Key Rotation
- SOC 2 Trust Services Criteria
- NIST SP 800-53 Rev 5
MIT
Happy Building! 🔒☁️