
DrRobinson | 3 years ago

I agree. The problem is mainly going from an infrastructure that's not set up like this to an infrastructure that is.

Usually you inherit an infrastructure, and it's usually not set up in this way (in my experience), and then there is a lot of work to re-encrypt the data in order to use KMS rather than the default key.

> it is typically standardized in an org

I have still not found any SCP I can set that prevents the use of the default key and enforces KMS. If you have one, I'd be happy to take it! If you mean "standardized" as in written on paper, I'll rely on wishful thinking, because people make mistakes or just don't know about it even if it's a standard.


fnordpiglet | 3 years ago

Yes, sorry, I mean through CloudFormation or Terraform templates. I think you can do some Config policy malarkey to at least isolate where it's not happening and feed into a policy engine.
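The detection fnordpiglet describes (find the buckets where the standard is not being followed and feed the result into a policy engine), as an added example that is not from either commenter: a Python check that classifies each bucket's GetBucketEncryption response and flags anything not using an approved customer-managed KMS key. The bucket names, the key ARN and the approved-key list are constructed for the example; in a real account the input would come from boto3's `get_bucket_encryption` per bucket and the approved list from KMS.

```python
"""Classify S3 default-encryption settings and flag buckets that do not use an
approved customer-managed KMS key, so the findings can go to a policy engine.

The dict shape is the one S3 GetBucketEncryption returns. All sample data
below is constructed for this example, not taken from a real account.
"""
from typing import Optional

# Constructed sample: what GetBucketEncryption returns for four hypothetical
# buckets. None stands for a bucket where the call raised
# ServerSideEncryptionConfigurationNotFoundError (no default encryption set).
SAMPLE_BUCKETS = {
    "logs-default": None,
    "logs-sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "logs-aws-managed": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "logs-cmk": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/"
                              "11111111-2222-3333-4444-555555555555"},
         "BucketKeyEnabled": True}]}},
}

# Hypothetical allow-list of key ARNs the org considers acceptable; in practice
# built from kms:ListKeys filtered on DescribeKey's KeyManager == "CUSTOMER".
APPROVED_KEY_ARNS = {
    "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555",
}


def classify_encryption(config: Optional[dict]) -> str:
    """Return 'none', 'sse-s3', 'kms-aws-managed' or 'kms-key'."""
    if not config:
        return "none"
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "sse-s3"                       # SSE-S3: S3-managed key, no KMS
    if algo in ("aws:kms", "aws:kms:dsse"):
        # SSE-KMS (or DSSE-KMS) with no key ID means the AWS-managed aws/s3 key.
        return "kms-key" if default.get("KMSMasterKeyID") else "kms-aws-managed"
    return "none"


def evaluate_bucket(name: str, config: Optional[dict]) -> dict:
    """Produce one finding record; compliant only with an approved KMS key."""
    kind = classify_encryption(config)
    key_id = None
    if kind == "kms-key":
        key_id = config["ServerSideEncryptionConfiguration"]["Rules"][0][
            "ApplyServerSideEncryptionByDefault"]["KMSMasterKeyID"]
    compliant = kind == "kms-key" and key_id in APPROVED_KEY_ARNS
    return {"bucket": name, "encryption": kind, "key": key_id, "compliant": compliant}


def noncompliant_buckets(buckets: dict) -> list:
    """Sorted names of buckets that a policy engine should act on."""
    findings = [evaluate_bucket(n, c) for n, c in buckets.items()]
    return sorted(f["bucket"] for f in findings if not f["compliant"])


if __name__ == "__main__":
    for finding in (evaluate_bucket(n, c) for n, c in SAMPLE_BUCKETS.items()):
        print(finding)
    print("non-compliant:", noncompliant_buckets(SAMPLE_BUCKETS))
```

Two caveats for anyone wiring this to real accounts: `KMSMasterKeyID` may be a bare key ID, an alias or an ARN, so normalize it before comparing against the allow-list, and an explicit key reference alone does not prove the key is customer-managed; `kms:DescribeKey` and its `KeyManager` field settle that. This check only covers the bucket default, not objects that were written earlier under a different setting, which is the re-encryption work DrRobinson mentions.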