[gcassie]

Implicit in this article is the idea that security posturing is a zero-sum game for many companies on the dimensions of both software complexity and time.

Adding full disk encryption takes time from other projects and makes the system more complex. That equation needs to pay out. In all likelihood, the reason your data is going to get stolen is a privilege escalation in your app code or a bad actor on your team. Rogue AWS employee swiping your particular hard drive in us-east-1 is way down the list. Full disk encryption does nothing for the first two vectors.

I think compliance programs are oriented around pushing companies into complex/expensive system designs thinking that is a proxy for a secure system.

[fnordpiglet]

Aws has done a really good job making encryption fairly simple to enable. It does make some common tasks complex though, like sharing images between accounts. However it’s not fragile or time consuming, and it is typically standardized in an org of any size that requires these sorts of compliance regimes so individual teams don’t need to worry about it. But associating a volume with a key in KMS is not complex or difficult.

[DrRobinson]

I agree. The problem is mainly going from an infrastructure that's not setup like this, to an infrastructure that is.

Usually you inherit an infrastructure, and it's usually not set up in this way (in my experience) and then there is a lot of work to re-encrypt the data in order to use KMS rather than the default key.

> it is typically standardized in an org

I have still not found any SCP I can set that prevent the use of the default key and enforces KMS. If you have one, I'd be happy to take it! If you mean "standardized" as in written on a paper, I'll rely on wishful thinking because people make mistakes or just don't know about it even if it's a standard.

[fnordpiglet]

Yes sorry I mean through cloud formation or terraform templates. I think you can do some config policy malarkey to at least isolate where it’s not happening and feed into a policy engine.

[DrRobinson]

You put it really well, I think that's close to how I think about it.

Compliance has good sides too though. For example, they force you to think about areas your intuition might otherwise not have gone, so I don't dismiss them but sometimes it makes you spend time on less than optimal things in order to stay compliant.