---
title: MSK clusters should be encrypted at rest
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > MSK clusters should be encrypted at
  rest
---

# MSK clusters should be encrypted at rest
 
## Description{% #description %}

MSK clusters should have at-rest encryption configured for data volumes. At-rest encryption protects stored data from unauthorized access and supports compliance requirements. Serverless MSK clusters are always encrypted and automatically pass this check.

## Remediation{% #remediation %}

Create a new MSK cluster with at-rest encryption enabled. Existing provisioned clusters cannot have encryption changed after creation. For guidance, refer to [Amazon MSK encryption](https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html).