Users are increasingly performing tasks using remote computing resources, often referred to as part of “the cloud.” This has many advantages, as users do not have to purchase and maintain dedicated hardware and software, and instead can pay for only those resources that are needed at any given time, where those resources typically will be managed by a resource provider. Users can perform tasks such as storing data to various types of resources offered by a resource provider. In many instances, a customer will request that one or more security controls be applied to the storage of customer data by a particular type of resource. When the data is moved between different types of resources, it can be difficult for the customer to understand or ensure that similar security controls are applied for the different types of resources. Further, a customer might not specify or request the appropriate security controls, and it can be difficult for the provider to know which controls would be appropriate without analyzing the customer data, which the customer might not approve due to privacy concerns. While some providers offer security suggestions, these suggestions are often based on best practices and are agnostic of the customers' business use cases and the sensitivity of their data.