by Avalyst 3323 days ago
At rest basically means on disk. People might not think about this but AWS actually has a physical disk somewhere which someone could yank from the data center and read from. Not that likely but also not hard to protect yourself from.
2 comments

If someone is yanking and reading disks at AWS then the game was over a long time ago. Physical access always wins.

IMO, if you're on AWS (or similar) then at-rest encryption is a wholly unnecessary expense, unless you need to tick some kind of regulatory checkbox. I can see it for smaller on-premises racks to prevent a "smash and grab" problem, but in a secure datacenter? Nah...

Disk encryption also prevents disposal issues from affecting you, which is a separate problem from physical access.
Amazon has employees as well, yes? Employees with access to data centers? Employees that may be convinced to make some "mistakes" in the disposal of old disks combined with the early replacement of a few specific drives?

Of course, this is very hypothetical, and it requires the attacker to know what disk in what rack to target. I'm not saying it's the most likely scenario; I'm saying it can be avoided by flipping a switch and paying a few extra dollars, so I'll keep it enabled.
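As an added example (not from any commenter in this thread), here is how the "switch" above can be audited on AWS: the functions below take responses in the shape of the EC2 DescribeVolumes and GetEbsEncryptionByDefault APIs and report volumes that sit on disk in cleartext and whether new volumes will default to encrypted. The sample responses are constructed; in practice they come from `boto3.client("ec2").describe_volumes()` and `boto3.client("ec2").get_ebs_encryption_by_default()`.

```python
from typing import Any, Dict, List

# Constructed sample in the shape of the EC2 DescribeVolumes response.
# Volume ids and the KMS key ARN are placeholders, not real resources.
SAMPLE_VOLUMES: Dict[str, Any] = {
    "Volumes": [
        {"VolumeId": "vol-0aaa111", "Encrypted": False, "State": "in-use",
         "AvailabilityZone": "us-east-1a"},
        {"VolumeId": "vol-0bbb222", "Encrypted": True, "State": "in-use",
         "AvailabilityZone": "us-east-1a",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"VolumeId": "vol-0ccc333", "Encrypted": False, "State": "available",
         "AvailabilityZone": "us-east-1b"},
    ]
}
# Constructed sample in the shape of the EC2 GetEbsEncryptionByDefault response.
SAMPLE_DEFAULT: Dict[str, Any] = {"EbsEncryptionByDefault": False}


def unencrypted_volumes(describe_resp: Dict[str, Any]) -> List[str]:
    """Ids of volumes whose blocks are written to the physical media in cleartext."""
    return sorted(
        v["VolumeId"] for v in describe_resp.get("Volumes", [])
        if not v.get("Encrypted", False)
    )


def audit(describe_resp: Dict[str, Any], default_resp: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the per-volume check with the per-region default into findings."""
    plain = unencrypted_volumes(describe_resp)
    default_on = bool(default_resp.get("EbsEncryptionByDefault", False))
    findings = []
    for vid in plain:
        # An existing volume cannot be encrypted in place: snapshot it, copy the
        # snapshot with encryption enabled, create a new volume, and swap it in.
        findings.append(f"{vid}: unencrypted; re-create from an encrypted snapshot copy")
    if not default_on:
        # Enabling the default only affects volumes created afterwards.
        findings.append("region: EBS encryption by default is off; "
                        "new volumes are unencrypted unless requested explicitly")
    return {
        "unencrypted_count": len(plain),
        "default_encryption": default_on,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in audit(SAMPLE_VOLUMES, SAMPLE_DEFAULT)["findings"]:
        print(line)
```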

Yes, and no. Most block storage services provided by cloud hosts shard data across tons of physical media.

Some of them (e.g. Google Cloud) encrypt everything at rest by default too.