# Encryption & Backup Monitoring

Encryption and backup configurations are essential to maintaining data confidentiality, integrity, and recoverability. Sprinto monitors your cloud infrastructure and databases to ensure that encryption is enforced and reliable backup mechanisms are in place.

This article outlines how Sprinto evaluates encryption and backup monitors across AWS, Azure, GCP, and other cloud services, and provides guidance to resolve non-compliant configurations.

***

### What is Monitored

Sprinto monitors two primary areas:

1. **Encryption at Rest**
   * Ensures databases, volumes, and cloud storage are encrypted
   * Validates use of managed or customer-managed keys (CMKs)
2. **Backup & Recovery**
   * Verifies point-in-time recovery (PITR) settings
   * Checks snapshot creation for EBS volumes, DynamoDB, RDS, etc.
   * Confirms backup policies are enforced and active

***

### Monitored Services and Checks

#### AWS

<table><thead><tr><th width="114.67578125">Service</th><th width="510.19921875">Monitor Description</th></tr></thead><tbody><tr><td>DynamoDB</td><td>Encryption at rest enabled, PITR activated</td></tr><tr><td>RDS</td><td>Backup retention policy configured</td></tr><tr><td>EBS</td><td>Encryption enabled for volumes, backup snapshot configured</td></tr><tr><td>S3</td><td>Versioning and server access logs enabled for backup traceability</td></tr><tr><td>ECR</td><td>Repository encryption enabled</td></tr><tr><td>CloudTrail</td><td>Log-file integrity validation enabled</td></tr></tbody></table>

***

#### Azure

<table><thead><tr><th width="168.91015625">Service</th><th>Monitor Description</th></tr></thead><tbody><tr><td>SQL Database</td><td>Transparent Data Encryption (TDE) enabled</td></tr><tr><td>Storage Accounts</td><td>Secure transfer and network access controls enabled</td></tr><tr><td>Backup &#x26; Recovery</td><td>Backup policies enforced using Recovery Services Vaults (manual evidence)</td></tr></tbody></table>

***

#### GCP

<table><thead><tr><th width="109.59765625">Service</th><th width="397.15234375">Monitor Description</th></tr></thead><tbody><tr><td>Cloud SQL</td><td>PITR enabled and backup configuration tracked</td></tr><tr><td>Storage</td><td>Manual verification of encryption settings</td></tr></tbody></table>

***

### How to Resolve Encryption Monitors

#### 1. **AWS DynamoDB**

* Go to **DynamoDB > Table > Encryption**
* Confirm **Encryption at rest** is **Enabled**
* If not, select **AWS owned / managed CMK** and save

#### 2. **AWS RDS**

* Go to **RDS > Databases**
* Under **Maintenance & backups**, ensure:
  * **Backup retention period** > 0 days
  * Automated backups are turned on

#### 3. **AWS EBS**

* Navigate to **EC2 > Volumes**
* Ensure encryption is enabled on new volumes via **Launch template** or **AMI**
* Use **AWS Backup** for snapshot management

#### 4. **Azure SQL / Storage**

* For SQL, enable TDE under **Transparent Data Encryption**
* For Storage, enforce HTTPS and encryption using **Azure-managed keys**

#### 5. **GCP Cloud SQL**

* Enable **Backups** and **Point-in-time recovery** under **Instance settings**

***

### How to Resolve Backup Monitors

* Configure scheduled snapshots or backup rules using platform-native tools:
  * **AWS Backup**, **Lifecycle Manager**, **Azure Backup Vault**, or **GCP Backup**
* For manual evidence monitors:
  * Upload screenshots of backup policy or retention settings
  * Attach log extracts or policy JSONs where applicable
* Click **Mark as Resolved** in Sprinto after applying fixes

***

### Enforce SSL for GCP Cloud SQL Connections

Sprinto checks whether SSL connections are enforced on **Google Cloud SQL** instances. SSL ensures encrypted communication between clients and databases, preventing man-in-the-middle (MITM) attacks and unauthorised data exposure during transmission.

***

#### How to resolve

To enforce SSL on Cloud SQL:

1. Go to the **Google Cloud Console**.
2. Navigate to **SQL → Instances**.
3. Select the target instance.
4. Under **Connections → SSL**, ensure that:
   * **SSL is enabled**
   * SSL certificates (client/server CA) are configured
5. Optionally, reject non-SSL connections at the instance itself (the `requireSsl` setting that the monitor reads), in addition to any enforcement in application-level connection settings.

***

#### Provide evidence

Submit any of the following:

* **Screenshot** of the SQL instance showing SSL enabled and certs created
* `gcloud` output:

  ```bash
  gcloud sql instances describe <instance-name> --format="value(settings.ipConfiguration.requireSsl)"
  ```
* JSON export of the instance settings with `requireSsl: true`
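The following is an added example, not part of the original article or Sprinto's own tooling: it evaluates a JSON export of a Cloud SQL instance (the `gcloud ... --format=json` output referenced above) and an `aws rds describe-db-instances` export against the SSL, PITR, backup and retention checks listed in the monitor tables, and reports which checks still fail. The sample documents are constructed for illustration; the field names are the real API fields, and the newer `sslMode` value is honoured alongside the legacy `requireSsl` flag.

```python
import json

# Constructed samples (not real account data). Shapes follow the relevant CLI output:
# `gcloud sql instances describe --format=json` and `aws rds describe-db-instances`.
CLOUD_SQL_SAMPLE = json.dumps({"name": "prod-db", "settings": {
    "ipConfiguration": {"requireSsl": False, "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"},
    "backupConfiguration": {"enabled": True, "pointInTimeRecoveryEnabled": False}}})
RDS_SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders", "BackupRetentionPeriod": 7, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "scratch", "BackupRetentionPeriod": 0, "StorageEncrypted": False}]})

# Either of these sslMode values rejects plaintext connections, same as requireSsl: true.
SSL_ONLY_MODES = ("ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED")


def check_cloud_sql(describe_json):
    """Map each Cloud SQL monitor (SSL enforced, backups on, PITR on) to True/False."""
    settings = json.loads(describe_json).get("settings", {})
    ip_cfg = settings.get("ipConfiguration", {})
    backup = settings.get("backupConfiguration", {})
    return {
        "ssl_enforced": bool(ip_cfg.get("requireSsl")) or ip_cfg.get("sslMode") in SSL_ONLY_MODES,
        "backups_enabled": bool(backup.get("enabled")),
        "pitr_enabled": bool(backup.get("pointInTimeRecoveryEnabled")),
    }


def check_rds(describe_json):
    """Per-instance results: retention period > 0 days and storage encryption enabled."""
    results = {}
    for db in json.loads(describe_json).get("DBInstances", []):
        results[db["DBInstanceIdentifier"]] = {
            "backup_retention_ok": db.get("BackupRetentionPeriod", 0) > 0,
            "storage_encrypted": bool(db.get("StorageEncrypted")),
        }
    return results


def failing(results):
    """Sorted names of the checks that fail; fix these before clicking Mark as Resolved."""
    return sorted(name for name, passed in results.items() if not passed)


if __name__ == "__main__":
    print("cloud sql failing:", failing(check_cloud_sql(CLOUD_SQL_SAMPLE)))
    for name, res in check_rds(RDS_SAMPLE).items():
        print(f"rds {name} failing:", failing(res))
```

Run it against your own exports by replacing the constructed samples with the file contents; an empty `failing` list for every resource is what the monitors are looking for.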

***

### Best Practices

* Always enable encryption by default for critical resources.
* Use **customer-managed keys (CMKs)** for better control (where applicable).
* Periodically audit recovery points and snapshot schedules.
* Use infrastructure-as-code (e.g., Terraform) to standardise encryption and backup.
* Always enable SSL for all production Cloud SQL instances.
* Rotate certificates regularly.
* Use SSL-only users or connection strings where possible.
