search
Sprinto DashboardAPI Reference

Encryption & Backup Monitoring

Ensure data encryption and backup settings are compliant with Sprinto by monitoring encryption at rest, PITR, and recovery policies across AWS, Azure, and GCP.

Encryption and backup configurations are essential to maintaining data confidentiality, integrity, and recoverability. Sprinto monitors your cloud infrastructure and databases to ensure that encryption is enforced and reliable backup mechanisms are in place.

This article outlines how Sprinto evaluates encryption and backup monitors across AWS, Azure, GCP, and other cloud services, and provides guidance to resolve non-compliant configurations.

hashtag
What is Monitored

Sprinto monitors two primary areas:

  1. Encryption at Rest

    • Ensures databases, volumes, and cloud storage are encrypted

    • Validates use of managed or customer-managed keys (CMKs)

  2. Backup & Recovery

    • Verifies point-in-time recovery (PITR) settings

    • Checks snapshot creation for EBS volumes, DynamoDB, RDS, etc.

    • Confirms backup policies are enforced and active

hashtag
Monitored Services and Checks

hashtag
AWS

Service
Monitor Description

DynamoDB

Encryption at rest enabled, PITR activated

RDS

Backup retention policy configured

EBS

Encryption enabled for volumes, backup snapshot configured

S3

Versioning and server access logs enabled for backup traceability

ECR

Repository encryption enabled

CloudTrail

Log-file integrity validation enabled

hashtag
Azure

Service
Monitor Description

SQL Database

Transparent Data Encryption (TDE) enabled

Storage Accounts

Secure transfer and network access controls enabled

Backup & Recovery

Backup policies enforced using Recovery Services Vaults (manual evidence)

hashtag
GCP

Service
Monitor Description

Cloud SQL

PITR enabled and backup configuration tracked

Storage

Manual verification of encryption settings

hashtag
How to Resolve Encryption Monitors

hashtag
1. AWS DynamoDB

  • Go to DynamoDB > Table > Encryption

  • Confirm Encryption at rest is Enabled

  • If not, select AWS owned / managed CMK and save

hashtag
2. AWS RDS

  • Go to RDS > Databases

  • Under Maintenance & backups, ensure:

    • Backup retention period > 0 days

    • Automated backups are turned on

hashtag
3. AWS EBS

  • Navigate to EC2 > Volumes

  • Ensure encryption is enabled on new volumes via Launch template or AMI

  • Use AWS Backup for snapshot management

hashtag
4. Azure SQL / Storage

  • For SQL, enable TDE under Transparent Data Encryption

  • For Storage, enforce HTTPS and encryption using Azure-managed keys

hashtag
5. GCP Cloud SQL

  • Enable Backups and Point-in-time recovery under Instance settings

hashtag
How to Resolve Backup Monitors

  • Configure scheduled snapshots or backup rules using platform-native tools:

    • AWS Backup, Lifecycle Manager, Azure Backup Vault, or GCP Backup

  • For manual evidence monitors:

    • Upload screenshots of backup policy or retention settings

    • Attach log extracts or policy JSONs where applicable

  • Click Mark as Resolved in Sprinto after applying fixes

hashtag
Enforce SSL for GCP Cloud SQL Connections

Sprinto checks whether SSL connections are enforced on Google Cloud SQL instances. SSL ensures encrypted communication between clients and databases, preventing man-in-the-middle (MITM) attacks and unauthorised data exposure during transmission.

hashtag
How to resolve

To enforce SSL on Cloud SQL:

  1. Go to the Google Cloud Console.

  2. Navigate to SQL → Instances.

  3. Select the target instance.

  4. Under Connections → SSL, ensure that:

    • SSL is enabled

    • SSL certificates (client/server CA) are configured

  5. Optionally, disable non-SSL connections by updating the application-level settings or Cloud SQL connection configuration.

hashtag
Provide evidence

Submit any of the following:

  • Screenshot of the SQL instance showing SSL enabled and certs created

  • gcloud output:

  • JSON export of the instance settings with requireSsl: true

hashtag
Best Practices

  • Always enable encryption by default for critical resources.

  • Use customer-managed keys (CMKs) for better control (where applicable).

  • Periodically audit recovery points and snapshot schedules.

  • Use infrastructure-as-code (e.g., Terraform) to standardise encryption and backup.

  • Always enable SSL for all production Cloud SQL instances.

  • Rotate certificates regularly.

  • Use SSL-only users or connection strings where possible.

PreviousHow to resolve Sprinto check for monitoring DigitalOcean Droplet CPU utilizationNextEncryption of a DynamoDB table

Last updated