by ctvo 1276 days ago
tl;dr author finds it a hassle to set up proper encryption at rest and rationalizes away why they shouldn’t need to do it.

> You used the AWS default key to encrypt a database?

Don’t do that? Create a separate account to hold keys. Lock it down like you would your domain DNS or anything else with security implications that will impact your entire company.

Share granular read permissions across accounts as needed to encrypt / decrypt.

Agreed it’s time consuming to initially set up, but it’s a solved problem and can be implemented with your IaC flavor of choice (CloudFormation directly, CDK, Terraform, …).

1 comments

Hello, author here!

What you describe is essentially what I currently do. But I've inherited an infrastructure that was not set up that way, and re-encrypting things has been very time consuming.

The company I'm at now uses multiple AWS accounts where teams have their own accounts, and it's common for people to forget to use KMS when creating databases or similar. I might have just failed in my search, but I couldn't find any way to block default keys via SCPs. If you have any suggestions for that I'm happy to take them!
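
Added example, not part of either comment above: a detective check for the situation the reply describes, which joins output shaped like `aws rds describe-db-instances` and `aws kms list-aliases` and flags databases that are unencrypted or use a key under the reserved `alias/aws/` prefix. The function names and every sample record (account ID, key IDs, instance names) are constructed for illustration.

```python
# Offline audit: find RDS instances that are unencrypted or encrypted with an
# AWS managed ("default") KMS key. Run it per account and region, because
# list-aliases only returns aliases of the account and region it is called in.

AWS_MANAGED_PREFIX = "alias/aws/"  # alias namespace reserved for AWS managed keys


def key_id_from_arn(arn):
    """Return the key ID part of arn:aws:kms:<region>:<account>:key/<id>."""
    return arn.rsplit("/", 1)[-1]


def aws_managed_key_ids(aliases):
    """Map key ID -> alias name for aliases in the reserved namespace.
    Predefined aliases whose key does not exist yet carry no TargetKeyId."""
    return {a["TargetKeyId"]: a["AliasName"] for a in aliases
            if a["AliasName"].startswith(AWS_MANAGED_PREFIX) and "TargetKeyId" in a}


def audit(db_instances, aliases):
    """Return (instance, reason) pairs for every instance that needs attention."""
    managed = aws_managed_key_ids(aliases)
    findings = []
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((name, "unencrypted"))
            continue
        key_id = key_id_from_arn(db.get("KmsKeyId", ""))
        if key_id in managed:
            findings.append((name, "default-key:" + managed[key_id]))
    return findings


# Constructed sample data (not real resources).
ARN = "arn:aws:kms:eu-west-1:111122223333:key/"
SAMPLE_ALIASES = [
    {"AliasName": "alias/aws/rds", "TargetKeyId": "1111aaaa-0000-0000-0000-000000000001"},
    {"AliasName": "alias/aws/ebs"},  # predefined alias, key not created yet
    {"AliasName": "alias/team-db", "TargetKeyId": "2222bbbb-0000-0000-0000-000000000002"},
]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": ARN + "1111aaaa-0000-0000-0000-000000000001"},
    {"DBInstanceIdentifier": "billing-db", "StorageEncrypted": True,
     "KmsKeyId": ARN + "2222bbbb-0000-0000-0000-000000000002"},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_DBS, SAMPLE_ALIASES):
        print(name, reason)
```

A key held in a separate key account never appears in the workload account's alias list, so instances using it are not flagged.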