Encryption & Backup Monitoring

Ensure data encryption and backup settings are compliant with Sprinto by monitoring encryption at rest, PITR, and recovery policies across AWS, Azure, and GCP.

Encryption and backup configurations are essential to maintaining data confidentiality, integrity, and recoverability. Sprinto monitors your cloud infrastructure and databases to ensure that encryption is enforced and reliable backup mechanisms are in place.

This article outlines how Sprinto evaluates encryption and backup monitors across AWS, Azure, GCP, and other cloud services, and provides guidance to resolve non-compliant configurations.


What is Monitored

Sprinto monitors two primary areas:

  1. Encryption at Rest

    • Ensures databases, volumes, and cloud storage are encrypted

    • Validates use of managed or customer-managed keys (CMKs)

  2. Backup & Recovery

    • Verifies point-in-time recovery (PITR) settings

    • Checks snapshot creation for EBS volumes, DynamoDB, RDS, etc.

    • Confirms backup policies are enforced and active


Monitored Services and Checks

AWS

Service    | Monitor Description
DynamoDB   | Encryption at rest enabled, PITR activated
RDS        | Backup retention policy configured
EBS        | Encryption enabled for volumes, backup snapshot configured
S3         | Versioning and server access logs enabled for backup traceability
ECR        | Repository encryption enabled
CloudTrail | Log-file integrity validation enabled


Azure

Service           | Monitor Description
SQL Database      | Transparent Data Encryption (TDE) enabled
Storage Accounts  | Secure transfer and network access controls enabled
Backup & Recovery | Backup policies enforced using Recovery Services Vaults (manual evidence)


GCP

Service   | Monitor Description
Cloud SQL | PITR enabled and backup configuration tracked
Storage   | Manual verification of encryption settings


How to Resolve Encryption Monitors

1. AWS DynamoDB

  • Go to DynamoDB > Table > Encryption

  • Confirm Encryption at rest is Enabled

  • If not, select AWS owned / managed CMK and save

2. AWS RDS

  • Go to RDS > Databases

  • Under Maintenance & backups, ensure:

    • Backup retention period > 0 days

    • Automated backups are turned on

3. AWS EBS

  • Navigate to EC2 > Volumes

  • Ensure encryption is enabled on new volumes via Launch template or AMI

  • Use AWS Backup for snapshot management

4. Azure SQL / Storage

  • For SQL, enable TDE under Transparent Data Encryption

  • For Storage, enforce HTTPS and encryption using Azure-managed keys

5. GCP Cloud SQL

  • Enable Backups and Point-in-time recovery under Instance settings
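The AWS conditions from the monitored-services table and from steps 1 to 3 above can be evaluated without clicking through the console. The script below is an added example, not Sprinto's monitor code: each check takes the response dictionary of the corresponding AWS API call (boto3 response shape; dynamodb.describe_table and describe_continuous_backups, rds.describe_db_instances, ec2.describe_volumes and get_ebs_encryption_by_default, s3.get_bucket_versioning and get_bucket_logging, cloudtrail.describe_trails) and returns findings. The sample responses embedded in it are constructed, with invented table, instance, volume and bucket names, so it runs offline; fetching live responses is left to the caller. It goes slightly beyond the table by also checking RDS StorageEncrypted and the account-wide EBS encryption-by-default setting.

```python
"""Evaluate AWS encryption and backup settings against the checks listed above.

Each check_* function takes the response dict(s) of the corresponding AWS API
call (boto3 response shape) and returns a list of human-readable findings; an
empty list means the resource passes. The sample responses below are
constructed for this example (invented names, ARNs and IDs), not real data.
"""

# Constructed sample responses. Live data would come from boto3 calls such as
# dynamodb.describe_table / describe_continuous_backups, rds.describe_db_instances,
# ec2.describe_volumes / get_ebs_encryption_by_default, s3.get_bucket_versioning /
# get_bucket_logging and cloudtrail.describe_trails.
DYNAMODB_TABLE = {"Table": {"TableName": "orders", "SSEDescription": {
    "Status": "ENABLED", "SSEType": "KMS",
    "KMSMasterKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}}
DYNAMODB_BACKUPS = {"ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}
RDS_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "BackupRetentionPeriod": 7, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "staging-db", "BackupRetentionPeriod": 0, "StorageEncrypted": False}]}
EBS_VOLUMES = {"Volumes": [{"VolumeId": "vol-0example1", "Encrypted": True},
                           {"VolumeId": "vol-0example2", "Encrypted": False}]}
EBS_DEFAULT = {"EbsEncryptionByDefault": False}
# Per-bucket results keyed by bucket name (one API call per bucket).
S3_VERSIONING = {"orders-backup": {"Status": "Enabled"}, "app-logs": {}}
S3_LOGGING = {"orders-backup": {"LoggingEnabled": {"TargetBucket": "app-logs", "TargetPrefix": "s3/"}},
              "app-logs": {}}
CLOUDTRAIL = {"trailList": [{"Name": "org-trail", "LogFileValidationEnabled": False}]}


def check_dynamodb(table, backups):
    """DynamoDB: encryption at rest enabled and PITR activated."""
    findings = []
    name = table["Table"]["TableName"]
    sse = table["Table"].get("SSEDescription")
    # Tables on the default AWS owned key may omit SSEDescription altogether while
    # still being encrypted, so only an explicit non-ENABLED status is a finding.
    if sse is not None and sse.get("Status") != "ENABLED":
        findings.append(f"dynamodb/{name}: encryption at rest not enabled")
    pitr = backups["ContinuousBackupsDescription"]["PointInTimeRecoveryDescription"]
    if pitr.get("PointInTimeRecoveryStatus") != "ENABLED":
        findings.append(f"dynamodb/{name}: point-in-time recovery disabled")
    return findings


def check_rds(instances):
    """RDS: backup retention period > 0 days (automated backups on); storage encrypted."""
    findings = []
    for db in instances["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        # A retention period of 0 disables automated backups entirely.
        if db.get("BackupRetentionPeriod", 0) <= 0:
            findings.append(f"rds/{name}: automated backups disabled (retention 0 days)")
        if not db.get("StorageEncrypted", False):
            findings.append(f"rds/{name}: storage not encrypted")
    return findings


def check_ebs(volumes, default_setting):
    """EBS: every volume encrypted, plus the account-wide encryption-by-default flag."""
    findings = [f"ebs/{v['VolumeId']}: volume not encrypted"
                for v in volumes["Volumes"] if not v.get("Encrypted", False)]
    if not default_setting.get("EbsEncryptionByDefault", False):
        findings.append("ebs/account: encryption by default is off, new volumes may be created unencrypted")
    return findings


def check_s3(versioning_by_bucket, logging_by_bucket):
    """S3: versioning and server access logging enabled on every bucket."""
    findings = []
    for bucket, versioning in versioning_by_bucket.items():
        # get_bucket_versioning returns no Status key for a bucket that was never versioned.
        if versioning.get("Status") != "Enabled":
            findings.append(f"s3/{bucket}: versioning not enabled")
        # get_bucket_logging only carries LoggingEnabled when access logging is on.
        if "LoggingEnabled" not in logging_by_bucket.get(bucket, {}):
            findings.append(f"s3/{bucket}: server access logging not enabled")
    return findings


def check_cloudtrail(trails):
    """CloudTrail: log-file integrity validation enabled on each trail."""
    return [f"cloudtrail/{t['Name']}: log file validation disabled"
            for t in trails["trailList"] if not t.get("LogFileValidationEnabled", False)]


def evaluate_sample():
    """Run every check over the constructed samples and return the combined findings."""
    return (check_dynamodb(DYNAMODB_TABLE, DYNAMODB_BACKUPS)
            + check_rds(RDS_INSTANCES)
            + check_ebs(EBS_VOLUMES, EBS_DEFAULT)
            + check_s3(S3_VERSIONING, S3_LOGGING)
            + check_cloudtrail(CLOUDTRAIL))


if __name__ == "__main__":
    for finding in evaluate_sample():
        print("NON-COMPLIANT", finding)
```

Against the constructed samples the script reports eight findings, one per condition the table describes as non-compliant (PITR off, retention 0, unencrypted volume and database, unversioned and unlogged bucket, trail without validation), which maps directly onto the console steps above for remediation.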


How to Resolve Backup Monitors

  • Configure scheduled snapshots or backup rules using platform-native tools:

    • AWS Backup, Lifecycle Manager, Azure Backup Vault, or GCP Backup

  • For manual evidence monitors:

    • Upload screenshots of backup policy or retention settings

    • Attach log extracts or policy JSONs where applicable

  • Click Mark as Resolved in Sprinto after applying fixes


Best Practices

  • Always enable encryption by default for critical resources

  • Use customer-managed keys (CMKs) for better control (where applicable)

  • Periodically audit recovery points and snapshot schedules

  • Use infrastructure-as-code (e.g., Terraform) to standardise encryption and backup
