Compliance

Encrypt other services at rest (queues, streams, logs, ML)

One capability across the long tail of stateful services, SQS, Kinesis, EMR, OpenSearch, AWS Backup, API Gateway caches, Glue ML, CodeBuild reports and load-balancer backends, where data lands on disk or crosses a backend hop and needs to be encrypted rather than left in the clear.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: APIGateway.5 Backup.1 CodeBuild.7 ELB.21 ELB.22 EMR.3 ES.1 ES.3 Glue.3 Kinesis.1 SQS.1

Encrypting the long tail at rest: the basics

Why a dozen unrelated-looking services share one finding

Beyond the obvious databases and disks, a long tail of AWS services quietly writes data to disk or moves it across a backend hop, and each has its own at-rest control. SQS.1 covers message queues, Kinesis.1 covers data streams, EMR.3 covers the big-data fleet's scratch and EMRFS storage, ES.1 covers OpenSearch domain storage, Backup.1 covers AWS Backup recovery points, APIGateway.5 covers the per-stage REST API cache, Glue.3 covers a machine-learning transform's learned state, and CodeBuild.7 covers test-report exports. Two more in this group, ELB.21 and ELB.22, are about the load-balancer-to-target hop rather than storage, and ES.3 covers traffic between OpenSearch nodes. Different services, one theme: data that lands somewhere readable unless you turn encryption on.

They look like a scatter of unrelated findings, but they are one capability: prove that the queues, streams, caches, logs, recovery points and ML state across the estate are encrypted under a key you can govern, and that the backend hops these services rely on are not silently downgraded to plaintext. The bytes are protected with AES-256 envelope encryption keyed by KMS; the value is the key boundary, which lets you authorise, log and revoke access without touching the workload. Message bodies, stream records, cached responses and recovery points routinely carry PII, tokens and payment data that you would never knowingly leave readable on disk.

What makes this group easy in most cases is that the fix is a flip, not a migration: SQS, Kinesis, API Gateway caching, CodeBuild reports and Glue transforms enable encryption with a single attribute change and no downtime. Two members behave like the immutable database engines and need a recreate-and-migrate: OpenSearch (ES.1) and the snapshot-inheriting recovery points behind Backup.1, where an unencrypted source produces unencrypted backups. Knowing which member is a flip and which is a migration is half the work.

In this lesson you will learn how encryption at rest is expressed across the long tail of stateful AWS services, which members are a free single-flip fix and which two behave like immutable databases and need a recreate-and-migrate, the KMS request-cost trap on high-throughput SQS and Kinesis and the data-key reuse window that defuses it, and how to stop new unencrypted resources from ever appearing. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The default that arrived in 2023, for new resources only

In June 2023 AWS quietly switched SQS so that new queues are created with server-side encryption enabled by default. The catch: only new queues. Every queue created before that date, and there are hundreds of millions across AWS, kept its original setting. Most teams assume AWS encrypts everything by default these days, run a Security Hub scan, and discover their oldest, most business-critical, most data-bearing queues are the exact ones still running unencrypted. The same long-tail pattern repeats across this whole group: Kinesis streams, OpenSearch domains and EMR clusters spun up before encryption was a default habit are precisely the ones the report flags, because the resource that predates the default never gets revisited until something forces it.

Finding unencrypted stateful services across an estate

Marco runs platform engineering at a fintech. A quarterly Security Hub scan fires findings across SQS, Kinesis and OpenSearch, mostly resources created before the team's encryption-by-default policy, with the SOC 2 evidence package due Friday.

Rather than flip everything to a customer-managed key blindly (KMS charges per request, and the payment-events queue alone handles 40 million messages a day) he starts by listing which resources are unencrypted, so he can sort the free SSE flips from the high-throughput queues that need a tuned reuse window and the OpenSearch domains that need a migration.

Start with the queues. A queue with neither encryption attribute set is the SQS.1 failure; the high-throughput ones are the cost-sensitive ones.

$ for q in $(aws sqs list-queues --query 'QueueUrls[]' --output text); do echo "$q"; aws sqs get-queue-attributes --queue-url $q --attribute-names KmsMasterKeyId SqsManagedSseEnabled --query 'Attributes' --output json; done

.../payment-events

null

.../order-pipeline

{ "SqsManagedSseEnabled": "true" }

# payment-events is unencrypted and carries cardholder data: SSE-KMS with a tuned reuse window.

Inventory first: free SSE-SQS for the bulk, customer-managed keys only where regulated data justifies the audit trail and cost.

How these services encrypt at restdeep dive

Each service uses AES-256 envelope encryption keyed by KMS, but the shape of the setting differs. SQS and Kinesis wrap each message or record in a data key wrapped by a KMS key, with a choice between AWS-managed encryption (SSE-SQS, or the aws/kinesis key) and a customer-managed key that adds CloudTrail visibility and key control. EMR.3 is governed by a reusable EMR security configuration, the one template that decides at-rest encryption (EMRFS S3, local-disk LUKS and HDFS) for a whole fleet of clusters. API Gateway uses a per-method cacheDataEncrypted flag on a cache-enabled stage; Glue.3 encrypts a transform's learned state; CodeBuild.7 encrypts report-group exports to S3; Backup.1 reads the IsEncrypted flag on each recovery point. In every case, revoking the KMS key makes the data unreadable, which is the property the controls are really about.

Two behaviours catch teams out. First, encryption is forward-only on streams and queues: Kinesis StartStreamEncryption only encrypts records written after the call, so existing records stay plaintext until they age out of the retention window (a 7-day stream is not fully encrypted until a week later), and SQS re-encrypts lazily as consumers receive messages. Second, AWS Backup recovery points inherit the source's encryption state for EBS and RDS, so a KMS-protected vault is necessary but not sufficient: an unencrypted source volume produces an unencrypted recovery point regardless of the vault key, which is why Backup.1 can fail even on a perfectly configured vault.

The KMS request-cost trap lives with SSE-KMS at scale. Naively, every send and receive would trigger a KMS call, so SQS and Kinesis cache the data key for KmsDataKeyReusePeriodSeconds (default five minutes, up to 24 hours); within that window producers and consumers reuse the cached key with no KMS round-trip. A 40-million-message-a-day queue with a five-minute window makes roughly 288 KMS calls a day instead of 40 million, the difference between a few cents and thousands of dollars. With a customer-managed key, both producers and consumers also need kms:GenerateDataKey and kms:Decrypt on the key, in addition to their service permissions; forgetting that is the most common cause of the queue worked yesterday after enabling SSE-KMS. Two members in this group, ELB.21 and ELB.22, sit slightly apart: they cover the load-balancer-to-target transport and health-check hop, and ES.3 covers traffic between OpenSearch nodes, so they are about not downgrading a backend connection to plaintext rather than disk storage, but they belong to the same encrypt-everything-this-service-touches discipline.

What is the impact of leaving these services unencrypted?

The direct impact is data-at-rest exposure. Message bodies, stream records, cached API responses, ML state and recovery points sit on AWS storage protected by IAM but, without encryption, not at the storage layer. Any chain of failures that exposes that storage (a misconfigured cross-account policy, an internal AWS incident, a forensic capture during a legal hold, a CI runner with backup permissions) makes the contents readable. A single recovery point of a production database is an entire copy of customer data; an unencrypted stream of payment events is the same exposure in motion. Encryption removes the worst case.

The compliance impact is concrete and immediate. SOC 2, ISO 27001, HIPAA, PCI DSS and GDPR Article 32 all require encryption of data at rest, and auditors do not accept that IAM compensates: the requirement is explicit, and these are among the most common audit citations precisely because they are easy to verify and hard to argue. There is a breach-disclosure dimension too: most regimes reduce or waive mandatory notification when exposed data was encrypted, so turning encryption on materially shrinks the legal blast radius of any future incident.

The cost impact is small but asymmetric in two places. Most members are free to fix, so the real cost of leaving them open is reputational and procedural: a lingering encryption finding signals that the org's secure-by-default conventions are not enforced, the pattern auditors and security-conscious customers read as immaturity. The two exceptions are the KMS request charge on high-throughput SQS and Kinesis (bounded by the reuse window) and the migration effort for OpenSearch and the recovery points behind Backup.1, which grows with data volume the longer it is deferred.

How do you encrypt the long tail safely?

Work the capability as one loop rather than chasing individual service findings. The order matters: inventory and tier by data sensitivity, align IAM before any SSE-KMS flip, enable encryption (a flip for most, a migration for OpenSearch and Backup), then enforce defaults with Config rules and SCPs so the gap cannot reopen.

1. Inventory every resource and tier by data sensitivity

List queues, streams, EMR security configs, OpenSearch domains, recovery points, cache-enabled API stages, Glue transforms and CodeBuild report groups, with their current encryption state. Tier them: anything carrying PII, payment data or auth tokens goes to a customer-managed KMS key for the audit trail; everything else can take the free AWS-managed option. The tier should follow what a resource carries, not who happens to be running the sprint, and the classification doubles as the audit evidence.

2. Align IAM before any SSE-KMS flip on a busy resource

For SQS and Kinesis using a customer-managed key, update every producer and consumer role to include kms:GenerateDataKey and kms:Decrypt on the target key, and update the key policy to allow those principals. Deploy the IAM changes first, wait an IAM-propagation cycle, then enable encryption. Skipping this order means producers start failing with KMS.AccessDeniedException the moment you set the attribute.

3. Enable encryption: a flip for most, a migration for two

For SQS, Kinesis, API Gateway caching, Glue transforms, CodeBuild reports and the EMR security config, enable encryption with a single attribute change (set a sane KmsDataKeyReusePeriodSeconds on high-throughput streams to keep KMS cost flat). For OpenSearch (ES.1), encryption is create-only, so snapshot to S3, create a new domain with encryption on, restore and cut over. For Backup.1, fix the unencrypted source (an EBS or RDS instance) so future backups inherit encryption, and copy any existing unencrypted recovery point to a KMS-protected vault with start-copy-job, then delete the original. For ELB.21, ELB.22 and ES.3, switch the backend or inter-node protocol to its encrypted variant.

4. Prevent recurrence with Config rules and SCPs

Enable the AWS Config managed rules (sqs-queue-encrypted, kinesis-stream-encrypted, elasticsearch-encrypted-at-rest and the rest) so any new unencrypted resource is flagged within minutes. For prevention, attach an SCP that denies creating a queue or stream without an encryption attribute, and bake encryption defaults into your Terraform and CloudFormation modules. Engineers can still create resources, just not unencrypted ones, which converts a recurring cleanup into a one-time guardrail.

# 1. Bulk-enable free SSE-SQS on every unencrypted queue in the region.
for q in $(aws sqs list-queues --query 'QueueUrls[]' --output text); do
  state=$(aws sqs get-queue-attributes --queue-url $q \
    --attribute-names KmsMasterKeyId SqsManagedSseEnabled --query 'Attributes' --output text)
  [ -z "$state" ] && aws sqs set-queue-attributes --queue-url $q \
    --attributes '{"SqsManagedSseEnabled":"true"}' && echo "encrypted $q"
done

# 2. High-throughput stream: SSE-KMS with a 5-minute data-key reuse window to keep KMS cost flat.
aws kinesis start-stream-encryption --stream-name payment-events \
  --encryption-type KMS \
  --key-id arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

# 3. Find unencrypted recovery points (Backup.1 reads IsEncrypted per recovery point, not per vault).
aws backup list-recovery-points-by-backup-vault --backup-vault-name prod-backups \
  --query 'RecoveryPoints[?IsEncrypted==`false`].[RecoveryPointArn,ResourceType]' --output table

# 4. Confirm an at-rest Config rule is evaluating so regressions are caught automatically.
aws configservice describe-compliance-by-config-rule --config-rule-names sqs-queue-encrypted \
  --query 'ComplianceByConfigRules[].Compliance.ComplianceType'

Quick quiz

Question 1 of 5

Security Hub shows at-rest encryption failures across SQS, Kinesis, OpenSearch and AWS Backup. What is the most efficient way to think about them?

Keep learning

Go deeper on how at-rest encryption works across the services in this capability.

You can now treat the long tail of stateful services as one encryption capability rather than a scatter of findings: inventory and tier by data sensitivity, align IAM before any customer-managed-key flip, enable encryption (a free flip for most, a migration for OpenSearch and the recovery points behind AWS Backup), tune the data-key reuse window so high-throughput streams stay cheap, and lock it with Config rules and SCPs so nothing regresses. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Encrypting the long tail at rest: the cost and risk view

Mostly free flips, with two engines that need a migration and one cost trap worth modelling

For most of this group the AWS spend is zero: AWS-managed encryption (such as SSE-SQS or the EMR security-config key) is free, has no performance penalty, and clears the finding with a single attribute change. There is no savings line to chase, which is why these items get deprioritised and why they should not be: the relevant ledger is compliance and breach-disclosure risk, not cost.

There is one cost trap worth modelling. SQS and Kinesis under SSE-KMS with a customer-managed key charge per cryptographic API call, and on a high-throughput stream that can run to thousands of dollars a month if the data-key reuse window is left at a naive setting. The same parameter (KmsDataKeyReusePeriodSeconds, default five minutes) collapses a 40-million-message-a-day queue from millions of KMS calls to a few hundred, the difference between a few cents and a few thousand dollars. So this is a per-resource tiering decision: free AWS-managed encryption for the bulk, customer-managed keys with a sane reuse window only where regulated data justifies the audit trail.

Two members, OpenSearch domains and the recovery points behind Backup.1, are migrations rather than flips, so budget those as distinct one-time projects (engineering time, temporary double-running storage) and prioritise by data sensitivity. Track the count of unencrypted long-tail resources holding regulated data, trending to zero, each with an owner and a date.

This lesson is for the finance partner who sees a cluster of miscellaneous encryption findings on the security report and wants to know what they cost and how to treat them. It covers why most are free flips, where the real spend sits (KMS request charges on high-throughput streams, and the migrations for OpenSearch and Backup), how a single reuse-window parameter keeps the KMS line flat, and the guardrails that stop the gap reopening.

Fun fact

The default that arrived in 2023, for new resources only

How a finance partner triages the long tail of encryption findings

Priya, the finance partner at a fintech, sees a quarterly scan light up with at-rest encryption failures across SQS, Kinesis, OpenSearch and AWS Backup, with the SOC 2 evidence package due Friday. Her instinct is to slow the team down before they reach for a customer-managed key on everything, because she knows the one place this group has a real cost: SQS and Kinesis under SSE-KMS charge per cryptographic API call, and the payment-events queue alone handles 40 million messages a day.

She asks for the inventory split three ways. Most of the failing resources can take the free AWS-managed option (SSE-SQS, the aws/kinesis key, the EMR security-config key) with no spend and no performance penalty, so those are a no-cost flip. The high-throughput regulated streams get a customer-managed key, but only after she sees a cost model: daily volume, proposed data-key reuse window, resulting monthly KMS charge. With KmsDataKeyReusePeriodSeconds left at its five-minute default, the payment-events queue makes roughly 288 KMS calls a day instead of 40 million, the difference between a few cents and a few thousand dollars. The two OpenSearch domains and the unencrypted recovery points behind Backup.1 she books separately as one-time migration projects, prioritised by data sensitivity, so a vague compliance liability becomes a planned, costed line.

Why the long tail belongs on the risk register

The cost model is favourable in a way that is rare for security work. Most of these fixes are free flips with no performance penalty, and the compliance exposure they remove (an audit citation, a breach-disclosure liability on personal data) is large and lumpy. The right frame is not what does encryption cost, but what does an unencrypted queue or recovery point cost us if it appears in an audit finding or a breach disclosure. Priced that way, the remediation is almost always the obvious choice.

The finance role is to manage the two places where cost is real. For high-throughput SQS and Kinesis under SSE-KMS, ask for a cost model (daily volume, proposed reuse window, resulting monthly KMS charge) before approving the customer-managed-key path, because the default reuse window decides whether SSE-KMS is affordable or absurd. For OpenSearch and Backup migrations, fund them as distinct one-time projects prioritised by data sensitivity. Track the regulated-data subset, not the raw finding count, and treat any queue still unencrypted after the sprint as a documented exception with an owner.

What finance can actually do about this

Finance does not run the CLI, but it owns the framing that makes encryption a deliberate, tiered spend rather than a uniform overspend or a lingering gap. Three levers at the review cadence.

1. Approve SSE-KMS only where regulated data justifies it

The free AWS-managed option satisfies the control for most resources. Before the team enables SSE-KMS on a high-throughput queue or stream, ask for a cost model: daily volume, proposed reuse window, resulting monthly KMS charge. Approving SSE-KMS with a naive reuse window on a 40-million-message-a-day queue is how a compliance fix turns into a multi-thousand-dollar monthly line item.

2. Budget the two migrations as distinct, sensitivity-ordered projects

OpenSearch and the recovery points behind Backup.1 are migrations, not flips, with engineering time and temporary double-running storage. Fund the regulated-data ones first on a committed date and book the one-time spike separately from the free flips, so a vague compliance liability becomes a planned, costed project.

3. Treat every remaining unencrypted resource as a recorded exception

Once the sprint closes, any resource still unencrypted should carry a documented exception with an owner and a review date, not a silently ignored finding. Finance should see a list of active exceptions with their data-sensitivity tier and the reason encryption was deferred: that list is what an auditor or regulator will ask for.

Quick quiz

Question 1 of 5

For most members of this encryption group, what is the AWS spend impact of clearing the finding?

Keep learning

Go deeper on how at-rest encryption works across the services in this capability.

You have finished the finance view of encrypting the long tail at rest. You know that most of this group is a free flip with no spend, that the one real cost trap is the KMS per-request charge on high-throughput SQS and Kinesis (defused by the data-key reuse window), and that OpenSearch and the recovery points behind AWS Backup are distinct one-time migrations to budget by data sensitivity. Next time these findings land, you will ask for a cost model before approving a customer-managed key and track the regulated-data subset rather than the raw finding count.

Back to the library

Encrypting the long tail at rest: the headline

Whether sensitive data moving between services is encrypted by policy, not by accident

The services in this group, queues, streams, caches, logs, backups and ML state, carry sensitive data between and beneath the systems that make up an application: customer records, transaction events, authentication tokens, payment data. This capability checks whether that data is encrypted where it lands, and the report shows the gap as a scatter of findings across many services nobody thinks of as a database.

Most of the fixes are free, single-setting flips, so a finding here is usually a missed default rather than a hard decision. Two members (OpenSearch and the recovery points behind AWS Backup) cannot be retrofitted in place and need an owned, dated migration. The leadership signal is whether these get caught and closed by enforced defaults, or sit open waiting for someone to notice.

This is a governance decision, not a budget one. The defensible end state is that every service holding sensitive data is encrypted by policy, every exception is a documented decision with an owner, and automated guardrails stop a new unencrypted queue, stream or domain from reintroducing the gap.

A short read for the leader who needs to know what this scatter of findings exposes, why most are cheap flips while two require migration, and what a defensible end state looks like: every service holding sensitive data encrypted by policy, every exception owned, and guardrails that keep new resources compliant by default.

Fun fact

The default that arrived in 2023, for new resources only

When the data between services is encrypted by policy, not by accident

The leadership team learned an uncomfortable lesson from the calendar, not from a breach. A Security Hub scan run ahead of an audit showed that the company's oldest, most business-critical queues and streams, the ones carrying transaction events and authentication tokens, were the exact resources still running unencrypted, because AWS only switched on encryption by default for new resources and nobody had revisited the ones that predated the change. The assumption that AWS encrypts everything these days had quietly become false at the edges of the estate.

The response was to stop treating each encryption finding as a separate chore and to set one policy: every service holding sensitive data is encrypted by policy, every exception is a documented decision with an owner, and automated guardrails stop a new unencrypted queue, stream or domain from reintroducing the gap. Most of the fixes turned out to be free single-setting flips, so the policy cost almost nothing; the two members that cannot be retrofitted in place, OpenSearch and the recovery points behind AWS Backup, became owned, dated migrations. The leadership signal at the review is no longer the raw finding count but whether the gaps get caught and closed by enforced defaults, or sit open waiting for someone to notice.

Why this is on the report at all

These services are common audit citations and, for most of them, among the cheapest things to close: the free baseline option satisfies the control for the bulk, and the stronger option costs little at a sensible configuration. The risk is less the day-to-day probability of a storage breach than what happens when something does go wrong: encrypted data is often exempt from disclosure obligations, unencrypted data is not, and that difference can be a liability of material size.

What makes it a leadership item is the pattern, not the individual finding. A scatter of cheap encryption gaps that stay open or keep reopening means secure-by-default is not enforced, which tends to predict harder, costlier gaps elsewhere. The useful question is whether the policy is clear (which resources at which tier) and whether every exception is on the record.

The leadership move on this category

The handle for an executive is not to direct the implementation, but to set the policy that makes encryption the default and exceptions visible.

1. Set the policy: every service that touches sensitive data is encrypted

Make it an organisational standard that any queue, stream, cache, backup or domain carrying personal, payment or regulated data has encryption enabled, and that new resources are provisioned encrypted by default. A one-line policy removes the per-project debate and meets the obligation by design rather than by whoever remembered to check the box.

2. Accept that not every resource needs the same level

The free baseline and the auditable customer-managed key serve different purposes. Leadership does not need to mandate the stronger option everywhere; the right question is whether the classification is correct, high-sensitivity resources at the higher tier and everything else at the free tier. Uniform mandates drive unnecessary cost; tiered mandates drive appropriate control.

3. Ask for a clean exception list, not a zero-finding count

The one-line ask at the review is whether all resources carrying regulated data are encrypted and every unencrypted resource is a documented exception with an owner. A yes to both is a healthy posture. Driving the count to zero by suppressing findings without documentation is not the same thing and will not survive an audit.

Quick quiz

Question 1 of 5

Why is a finding in this encryption group usually best read as a missed default rather than a hard decision?

Keep learning

Go deeper on how at-rest encryption works across the services in this capability.

Two takeaways. This is a governance decision, not a budget one: most fixes are free single-setting flips, so a finding here is usually a missed default rather than a hard call. And the metric that matters is not a zero-finding count but a clean exception list, every resource holding regulated data encrypted, every remaining gap a documented decision with an owner, and guardrails that keep new resources compliant by default.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

ELB

EMR

EMR.3 Medium EMR security configs should encrypt at rest

ES

Glue

Glue.3 Medium Glue ML transforms should be encrypted at rest

Kinesis

Kinesis.1 Medium Kinesis streams should be encrypted at rest

SQS

SQS.1 Medium SQS messages are not encrypted at rest

Part of the learning path Encrypt everything

Encrypt other services at rest (queues, streams, logs, ML)

Encrypting the long tail at rest: the basics

The default that arrived in 2023, for new resources only

Finding unencrypted stateful services across an estate

How these services encrypt at restdeep dive

What is the impact of leaving these services unencrypted?

How do you encrypt the long tail safely?

1. Inventory every resource and tier by data sensitivity

2. Align IAM before any SSE-KMS flip on a busy resource

3. Enable encryption: a flip for most, a migration for two

4. Prevent recurrence with Config rules and SCPs

Quick quiz

Keep learning

Encrypting the long tail at rest: the cost and risk view

The default that arrived in 2023, for new resources only

How a finance partner triages the long tail of encryption findings

Why the long tail belongs on the risk register

What finance can actually do about this

1. Approve SSE-KMS only where regulated data justifies it

2. Budget the two migrations as distinct, sensitivity-ordered projects

3. Treat every remaining unencrypted resource as a recorded exception

Quick quiz

Keep learning

Encrypting the long tail at rest: the headline

The default that arrived in 2023, for new resources only

When the data between services is encrypted by policy, not by accident

Why this is on the report at all

The leadership move on this category

1. Set the policy: every service that touches sensitive data is encrypted

2. Accept that not every resource needs the same level

3. Ask for a clean exception list, not a zero-finding count

Quick quiz

Keep learning

Controls this lesson covers

APIGateway

Backup

CodeBuild

ELB

EMR

ES

Glue

Kinesis

SQS

Related compliance lessons