This post explains how to configure encryption at rest in AWS, Azure, and GCP to protect Controlled Unclassified Information (CUI) in accordance with NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 control SC.L2-3.13.16, with concrete, actionable steps, sample commands, enforcement suggestions, and small-business scenarios.
What the control requires and key objectives
SC.L2-3.13.16 requires that organizations ensure CUI stored in cloud storage is protected at rest. For practical compliance this means: (1) all storage resources containing CUI must be encrypted when stored, (2) encryption keys must be managed, rotated, and access-limited, and (3) evidence must exist showing encryption is enforced and monitored. Your goal is to ensure encryption-by-default, least privilege for key access, and logging/monitoring that demonstrate controls to an assessor.
High-level implementation approach (Compliance Framework practice)
Start with data classification and inventory: identify buckets, storage accounts, file shares, databases, and backups that may contain CUI. Choose an encryption model that meets your operational and compliance needs: provider-managed keys (SSE-S3 / platform-provided), customer-managed keys (CMK/CMEK), or client-side encryption (best for extra control). For CUI under NIST/CMMC, many organizations choose customer-managed keys (KMS/CMEK) to demonstrate control over key lifecycle, rotation, and separation of duties. Document decisions in your SSP (System Security Plan) and create SOPs for key lifecycle, access requests, and incidents.
AWS: Practical, actionable steps
Recommended model: Amazon S3 with Server-Side Encryption using AWS KMS (SSE-KMS) and a customer-managed CMK. Steps (short): create a KMS CMK, enable key rotation, configure default bucket encryption, enforce policies to deny unencrypted uploads, enable CloudTrail for KMS events, and capture AWS Config evidence.
```bash
# Create a KMS key (example)
aws kms create-key --description "CUI CMK" --key-usage ENCRYPT_DECRYPT
# Enable automatic key rotation (example); <KEY_ID> is the KeyId returned by create-key
aws kms enable-key-rotation --key-id <KEY_ID>
# Configure bucket default encryption to use the CMK (example)
aws s3api put-bucket-encryption --bucket my-cui-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:...:key/..."}}]
  }'
```
Enforcement: add a bucket policy or IAM condition that denies PutObject when the request does not specify server-side encryption. Enable AWS Config rule s3-bucket-server-side-encryption-enabled and the managed KMS rules (kms-key-rotation-enabled). For evidence: export AWS Config snapshots, CloudTrail logs showing GenerateDataKey/Decrypt events, and KMS key policy and rotation status.
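One way to express the deny-unencrypted-uploads enforcement is the bucket policy built below, paired with a small evaluator that shows which PutObject requests it blocks. This is an added example, not code from the original post: the bucket name, CMK ARN and statement Sids are placeholders chosen here, and the evaluator reproduces only the two IAM condition operators the policy uses.

```python
import json

# Assumed placeholders (not from the original post): bucket name and CUI CMK ARN.
BUCKET = "my-cui-bucket"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUI-KEY-ID"

SSE = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def build_bucket_policy(bucket: str, cmk_arn: str) -> dict:
    """Three explicit Deny statements for s3:PutObject; an explicit Deny wins over
    any Allow. Statement 1 catches uploads with no SSE header, 2 catches SSE-S3 or
    SSE-C, 3 catches SSE-KMS with any key other than the CUI CMK (a missing key-id
    header also matches StringNotEquals, so a bare 'aws:kms' upload is denied too;
    clients must send the key in the same form as cmk_arn, here the full ARN)."""
    def deny(sid, cond):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": cond}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyMissingSSEHeader", {"Null": {SSE: "true"}}),
        deny("DenyNonKmsAlgorithm", {"StringNotEquals": {SSE: "aws:kms"}}),
        deny("DenyWrongKmsKey", {"StringNotEquals": {SSE_KEY: cmk_arn}}),
    ]}


def evaluate_put_object(headers: dict, policy: dict) -> tuple:
    """Simulate the two condition operators the policy uses with IAM semantics:
    Null=true matches when the key is absent from the request context, and
    StringNotEquals matches when the key is absent or differs. Returns
    (decision, Sid of the matching Deny statement)."""
    ctx = {"s3:" + k.lower(): v for k, v in headers.items()}  # HTTP header -> condition key
    for stmt in policy["Statement"]:
        (op, kv), = stmt["Condition"].items()
        if op == "Null":
            hit = all((k not in ctx) == (want == "true") for k, want in kv.items())
        else:  # StringNotEquals
            hit = all(ctx.get(k) != want for k, want in kv.items())
        if hit and stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]
    return "Allow", ""  # no explicit Deny; the caller's own IAM Allow still applies


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, CMK_ARN)
    print(json.dumps(policy, indent=2))  # usable with: aws s3api put-bucket-policy --policy file://...
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"},
                 {"x-amz-server-side-encryption": "aws:kms",
                  "x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN}):
        print(hdrs, "->", evaluate_put_object(hdrs, policy))
```

With bucket default encryption already set to the CMK, the first statement is belt-and-braces (a header-less upload would be encrypted with the default key anyway); the third statement is what stops uploads silently landing under a different key.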
Azure: Practical, actionable steps
Recommended model: Azure Storage with customer-managed keys in Azure Key Vault (CMEK). Basic flow: create an Azure Key Vault, create/import a key (or use HSM-backed Key Vault), grant the Storage resource provider access via an identity, and configure the Storage Account to use the Key Vault key. Enable diagnostic logs for Storage and Key Vault and send to a Log Analytics workspace or SIEM.
```bash
# Create Key Vault and key (examples)
# Premium SKU is needed for HSM-protected keys; purge protection (with soft delete) must be
# enabled before a storage account will accept a key from this vault for customer-managed encryption
az keyvault create --name myCuiKv --resource-group rg --location eastus --sku premium --enable-purge-protection true
az keyvault key create --vault-name myCuiKv --name cuiKey --protection hsm
# Assign access: grant the Storage identity permission to use the key (example)
# 1) enable a system-assigned identity on the Storage Account (in portal or az cli), e.g.:
az storage account update --name <STORAGE_ACCOUNT> --resource-group rg --assign-identity
# 2) get the principalId of that identity and then:
az storage account show --name <STORAGE_ACCOUNT> --resource-group rg --query identity.principalId -o tsv
az keyvault set-policy --name myCuiKv --object-id <STORAGE_ACCOUNT_PRINCIPAL_ID> --key-permissions get wrapKey unwrapKey
```
In the portal: Storage Account -> Encryption -> choose Customer-managed keys -> select Key Vault and key. For automation and compliance check: use Azure Policy to require storage accounts use customer-managed keys, enable Diagnostic Settings for both Storage and Key Vault, and collect logs for auditing. Document the Key Vault access policy and role assignments for demonstration.
GCP: Practical, actionable steps
Recommended model: Google Cloud Storage with CMEK using Cloud KMS. Steps: create a KMS key ring and crypto key, grant the Storage service account permission to use the key, and set the bucket's default encryption to the key. Monitor via Cloud Audit Logs and enforce with Organization Policies and Forseti Config Validator (or equivalent).
```bash
# Create key ring and key (example)
gcloud kms keyrings create my-keyring --location=us-central1
gcloud kms keys create cui-key --location=us-central1 --keyring=my-keyring --purpose=encryption
# Give the Cloud Storage service agent permission to use the key
# (its address is service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com;
#  print it with: gsutil kms serviceaccount -p PROJECT)
gcloud kms keys add-iam-policy-binding cui-key --location=us-central1 --keyring=my-keyring \
  --member="serviceAccount:service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com" \
  --role="roles/cloudkms.cryptoKeyEncrypterDecrypter"
# Set bucket default encryption to CMEK (the key should be in the same location as the bucket):
gsutil kms encryption -k projects/PROJECT/locations/LOCATION/keyRings/my-keyring/cryptoKeys/cui-key gs://my-cui-bucket
```
Enforcement: use Organization Policy constraints to prevent creating buckets without encryption, and set alerting on Cloud Audit Logs for cryptoKeyVersions.use events. For evidence: retain audit logs showing SetIamPolicy, Encrypt/Decrypt calls, and the bucket’s default encryption configuration.
Policies, monitoring, and enforcement
Encryption at rest is only effective if you enforce it and produce evidence. Implement preventive controls (deny unencrypted uploads via policies), detective controls (continuous scans: AWS Config, Azure Policy, GCP Organization Policy scanner), and logging (CloudTrail, Azure Monitor/Diagnostics, Cloud Audit Logs). Limit KMS/CMEK access to personas that truly need it, and log all key usage and administrative actions. Configure automated alerts for risky events (e.g., a new key created, key rotation disabled, or Decrypt/GenerateDataKey calls from unexpected principals).
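To make the alerting concrete, the added example below (not code from the original post) runs the three alert rules named above over constructed CloudTrail KMS records: any key-administration call, and Decrypt/GenerateDataKey against the CUI key by a principal outside an allow-list. The key ARN, the allow-listed role ARN and the sample events are all assumptions.

```python
import json

# Assumed values (not from the original post): the CUI CMK ARN and the principals
# expected to use it. SAMPLE_EVENTS are constructed, trimmed CloudTrail records.
CUI_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUI-KEY-ID"
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/cui-app-role"}
KEY_ADMIN_EVENTS = {"CreateKey", "DisableKeyRotation", "DisableKey",
                    "ScheduleKeyDeletion", "PutKeyPolicy"}
KEY_USE_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey",
                  "GenerateDataKeyWithoutPlaintext"}

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/cui-app-role"},
     "resources": [{"ARN": CUI_KEY}], "sourceIPAddress": "10.0.1.5"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"ARN": CUI_KEY}], "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKeyRotation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "resources": [{"ARN": CUI_KEY}], "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "resources": [], "sourceIPAddress": "203.0.113.9"},
]]

def triage_kms_events(lines, cui_key=CUI_KEY, allowed=ALLOWED_PRINCIPALS):
    """One alert per risky KMS record: any key-administration call, or a key-use
    call against the CUI CMK by a principal outside the allow-list."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS records are in scope for this detector
        name = ev.get("eventName")
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        keys = {r.get("ARN") for r in ev.get("resources", [])}  # KMS records list the key ARN here
        if name in KEY_ADMIN_EVENTS:
            rule = "kms-key-admin-action"
        elif name in KEY_USE_EVENTS and cui_key in keys and who not in allowed:
            rule = "cui-key-use-by-unexpected-principal"
        else:
            continue  # allow-listed use of the CUI key, or use of some other key
        alerts.append({"rule": rule, "event": name, "principal": who,
                       "source_ip": ev.get("sourceIPAddress")})
    return alerts

if __name__ == "__main__":
    print(json.dumps(triage_kms_events(SAMPLE_EVENTS), indent=2))
```

The first sample record (the allow-listed role generating a data key) produces no alert, which is the baseline an assessor expects to see logged but not paged on.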
Small-business scenarios and practical tips
Scenario 1: Small defense subcontractor storing CAD files with CUI in S3. Practical steps: classify the bucket as CUI, create an AWS KMS CMK with a strict key policy (no wildcard principals), enable automatic key rotation, set S3 default encryption to the CMK, and apply a bucket policy denying uploads that lack SSE. Keep CloudTrail and AWS Config snapshots for assessment.
Scenario 2: Healthcare consultancy with CUI backups in Azure. Practical steps: create HSM-backed keys in Key Vault, assign a storage-managed identity for key use, enable diagnostic logs to a secure Log Analytics workspace, and include runbooks for key compromise response.
Best practices: use CMKs where you must demonstrate control, enable automatic rotation, separate duties (administrators vs. key custodians), protect key backups and recovery procedures, test restoration of encrypted data regularly, and include encryption evidence (screenshots, CLI outputs, logs) in your compliance artifacts. Where you cannot manage keys, use strong platform-managed encryption but document why CMKs are not used.
Risks of not implementing encryption at rest
Failing to encrypt CUI at rest or to control key access increases the risk of data exposure in case of misconfiguration, insider threat, or credentials compromise. Consequences include loss of DoD or federal contracts, remediation costs, regulatory penalties, reputational damage, and mandatory breach notifications. From a compliance standpoint, lack of encryption, missing key management, or absent logs will generate findings in NIST SP 800-171 / CMMC assessments and require POA&Ms and remediation efforts.
Summary: To meet SC.L2-3.13.16 and related NIST/CMMC requirements, inventory CUI storage, choose an encryption model (prefer CMK/CMEK for demonstrable control), apply encryption-by-default, enforce via policies, log all key usage, rotate keys, and retain evidence. Use the provider-specific commands and steps above as starting templates, adapt them to your naming/identity model, and capture configuration and logs as compliance artifacts. Begin by classifying data and applying a default encryption policy across your cloud accounts—this single action substantially reduces compliance risk and simplifies your audit trail.