by fnordpiglet 1275 days ago
AWS has done a really good job making encryption fairly simple to enable. It does make some common tasks complex though, like sharing images between accounts. However, it's not fragile or time consuming, and it is typically standardized in an org of any size that requires these sorts of compliance regimes, so individual teams don't need to worry about it. But associating a volume with a key in KMS is not complex or difficult.

I agree. The problem is mainly going from an infrastructure that's not set up like this to an infrastructure that is.

Usually you inherit an infrastructure, and it's usually not set up in this way (in my experience), and then there is a lot of work to re-encrypt the data in order to use KMS rather than the default key.

> it is typically standardized in an org

I have still not found any SCP I can set that prevents the use of the default key and enforces KMS. If you have one, I'd be happy to take it! If you mean "standardized" as in written on paper, I'll rely on wishful thinking, because people make mistakes or just don't know about it even if it's a standard.

Yes, sorry, I mean through CloudFormation or Terraform templates. I think you can do some Config policy malarkey to at least isolate where it's not happening and feed into a policy engine.
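The kind of check the last two comments are talking about (spot volumes still on the account's default aws/ebs key and hand the findings to a policy engine), as an added example that is not code from any of the commenters. The volume and key records are constructed to mirror the shape of boto3 `describe_volumes` / `describe_key` output so the check runs offline; the point it makes is that `Encrypted: true` alone is not enough, because the AWS-managed default key also reports that.

```python
"""Classify EBS volumes by which kind of KMS key encrypts them.

Constructed sample data stands in for boto3 calls so this runs offline:
replace VOLUMES / KEYS with ec2.describe_volumes()["Volumes"] and
kms.describe_key(KeyId=...)["KeyMetadata"] to run it against an account.
"""
from typing import Dict, List

# Constructed sample: describe_volumes()["Volumes"], trimmed to the fields used.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False},
    {"VolumeId": "vol-0bbb", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-0001"},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cmk-0002"},
]

# Constructed sample: KeyMetadata per key ARN. KeyManager is "AWS" for the
# account's default aws/ebs key and "CUSTOMER" for a customer-managed key.
KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-0001": {"KeyManager": "AWS"},
    "arn:aws:kms:us-east-1:111122223333:key/cmk-0002": {"KeyManager": "CUSTOMER"},
}


def classify_volume(volume: dict, keys: Dict[str, dict]) -> str:
    """Return COMPLIANT or a NON_COMPLIANT_* reason for one volume."""
    if not volume.get("Encrypted"):
        return "NON_COMPLIANT_UNENCRYPTED"
    key = keys.get(volume.get("KmsKeyId", ""))
    if key is None:
        # Key lives in another account or was deleted: we cannot prove it is
        # customer-managed, so treat it as a finding rather than pass it.
        return "NON_COMPLIANT_UNKNOWN_KEY"
    if key.get("KeyManager") != "CUSTOMER":
        return "NON_COMPLIANT_AWS_MANAGED_KEY"
    return "COMPLIANT"


def find_noncompliant(volumes: List[dict], keys: Dict[str, dict]) -> Dict[str, str]:
    """Map each non-compliant volume id to its reason, ready for a policy engine."""
    findings = {}
    for vol in volumes:
        reason = classify_volume(vol, keys)
        if reason != "COMPLIANT":
            findings[vol["VolumeId"]] = reason
    return findings


if __name__ == "__main__":
    for vol_id, reason in find_noncompliant(VOLUMES, KEYS).items():
        print(f"{vol_id}: {reason}")
```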