Encrypting data at rest protects me against what type of attack?

Time:06-29

Encrypting data at rest is one of the major security 101s for a lot of compliance standards (if not all of them). I am, however, not sure I understand which attack this protects me against.

Let's say I am in the AWS cloud. I encrypt my S3 data at rest using the KMS-provided service.

The protection I get is: if someone gets access to the AWS network and is able to access the data, they would get encrypted data. So basically, I am encrypting my data in case AWS gets hacked. Now, as unlikely as that is, I understand the value.

Is there another kind of attack that encrypting data protects me against?

CodePudding user response:

Somebody could get access to a resource via a misconfigured IAM role, for example. This is especially relevant for S3, where public access might sometimes be configured inadvertently. If you have encryption via KMS, access to the key would also have to be granted, which provides an additional layer of security, and something you can monitor and alert on easily. This also applies to your own components, some of which will be granted access to the KMS key, but others (like a frontend server) might not, because they don't need it, and you want to implement the least privilege principle to limit the impact of a potential breach. Of course you will not only rely on key access to implement access control to your resources, but it provides a single point where rules and actual access can easily be enforced and audited.

Also think about backups and disposed media. It is maybe more usual to consider this when you host things yourself, but it is still relevant for public clouds. You probably trust AWS to manage backups and disposed media securely, but while they're pretty good at it, they might not be perfect, and you have zero control. If you store your data encrypted, there is no way for it to be recovered from a dumpster.
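The answer's point that the KMS key policy is a single place where decrypt access can be enforced and audited can be illustrated with a small offline policy audit. The script below is an added example, not code from the question, the answer or AWS; the account id, role names and the key policy document are constructed for the example, and the audit only looks at the key policy itself (grants made through IAM policies in the key's own account, or through KMS grants, are out of its scope).

```python
"""Audit a KMS key policy for principals that can read plaintext.

Added example. The account id (111122223333), role names and policy
statements below are constructed, not taken from any real account.
"""
import fnmatch
from typing import Any, Dict, List, Set

# KMS actions that yield plaintext data or a plaintext data key.
DATA_ACCESS_ACTIONS = (
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
)

ACCOUNT = "111122223333"  # constructed account id
ROLE_BACKEND = f"arn:aws:iam::{ACCOUNT}:role/backend-api"
ROLE_FRONTEND = f"arn:aws:iam::{ACCOUNT}:role/frontend-web"
ROLE_LEGACY = f"arn:aws:iam::{ACCOUNT}:role/legacy-batch"
ACCOUNT_ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# Constructed key policy: one intended consumer, one read-only component,
# one forgotten grant, and one accidental wildcard principal.
SAMPLE_KEY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowBackendUseOfKey", "Effect": "Allow",
         "Principal": {"AWS": ROLE_BACKEND},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Sid": "FrontendCanDescribe", "Effect": "Allow",
         "Principal": {"AWS": ROLE_FRONTEND},
         "Action": ["kms:DescribeKey"], "Resource": "*"},
        {"Sid": "LegacyGrant", "Effect": "Allow",
         "Principal": {"AWS": ROLE_LEGACY}, "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "AccidentalWildcard", "Effect": "Allow",
         "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# The only principal that should be able to decrypt, per the design.
EXPECTED_DECRYPT_PRINCIPALS: Set[str] = {ROLE_BACKEND}


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element to ARNs; '*' means any principal."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out: List[str] = []
    for key in ("AWS", "Service", "Federated"):
        out.extend(_as_list(principal.get(key)))
    return out


def grants_data_access(stmt: Dict[str, Any]) -> bool:
    """True if any Action pattern (e.g. 'kms:*') covers a data-access action."""
    for pattern in _as_list(stmt.get("Action")):
        for action in DATA_ACCESS_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), str(pattern).lower()):
                return True
    return False


def audit_key_policy(policy: Dict[str, Any], expected: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per Allow grant of data access to an unexpected principal."""
    findings: List[Dict[str, str]] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not grants_data_access(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        conditional = "Condition" in stmt
        for principal in statement_principals(stmt):
            if principal in expected:
                continue
            if principal == "*":
                # An unconditional '*' in a key policy makes the key usable
                # by any AWS principal; a Condition needs manual review.
                severity = "review" if conditional else "critical"
                note = "key usable by any AWS principal"
            elif principal.endswith(":root"):
                # Granting the account root delegates to IAM policies in that
                # account, so those policies must be audited as well.
                severity = "info"
                note = "account root grant delegates decrypt to IAM policies"
            else:
                severity = "warning"
                note = "decrypt granted to a principal outside the expected set"
            findings.append({"sid": sid, "principal": principal,
                             "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit_key_policy(SAMPLE_KEY_POLICY, EXPECTED_DECRYPT_PRINCIPALS):
        print(f"[{f['severity']}] {f['sid']}: {f['principal']} - {f['note']}")
```

Run on the constructed policy, the frontend role produces no finding because `kms:DescribeKey` does not expose plaintext, the backend role is expected, and the audit surfaces the forgotten legacy role, the wildcard principal and the root delegation. The same audit can be fed the output of `aws kms get-key-policy` for real keys, and a finding on a principal outside the expected set is a natural thing to alert on.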
