by tekla 1275 days ago
This is just an "it's annoying to do things properly at a bare minimum level" blog post.
1 comments

I disagree that encryption at rest with AWS is actually the proper way. If someone can get to the actual hardware and steal disks, I can't trust that AWS hasn't also lost control of the encryption keys.
Swiss Cheese Model

https://en.wikipedia.org/wiki/Swiss_cheese_model

AKA defense-in-depth

Relying on one control is a recipe for failure, which is why security measures work best when layered.

You don’t trust in one control, you trust that you stack enough controls that one of them works.

Something is better than nothing, though.

Just because something isn't 100% perfect in every scenario doesn't mean it shouldn't be done at all.

But I agree with your point: if you're really worried about data to the point where you don't trust AWS with encryption keys, you should self-manage your keys and manually encrypt/decrypt data without AWS KMS.