Hacker News
by nmjohn 1256 days ago
I assume they mean by default, employees do not have access to the KMS key necessary to decrypt the sensitive data. (They mention using an individual KMS key per customer)

I suspect there must be a handful of SREs who could access it if they really wanted to, though that access would still be logged in CloudTrail.

1 comment

You've got it right! The KMS keys used to encrypt sensitive data are generated per customer, and the majority of our engineering team cannot access any sensitive production data at all. In theory, it would only be the select team members with privileged access that could access it, but as you mentioned, it would be logged in CloudTrail. We also have GuardDuty enabled, and it would likely alert on anomalous activity.

Personally, I think we could do a better job explaining our security model in our FAQ. I'll bring it up with the team.
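The two comments above rest on the same control: any Decrypt against a customer's KMS key by a privileged employee is recorded in CloudTrail, so it can be reviewed or alerted on. As an added illustration (not code from either commenter or from the company being discussed), the Python below walks CloudTrail-shaped records, keeps only KMS Decrypt calls, resolves the calling principal to its IAM role or user ARN, and flags any decrypt by a principal outside an allow-list. The log records are constructed for the example, and the account ID, role names and key IDs are placeholders.

```python
"""Flag KMS Decrypt calls in CloudTrail records made by principals outside an allow-list."""
import json
from typing import Iterable

# Constructed CloudTrail-style records for this example (not real log data).
# Field names follow the CloudTrail record format (eventSource, eventName,
# userIdentity, resources); account IDs, ARNs and timestamps are invented.
SAMPLE_EVENTS_JSON = r'''
{"Records": [
 {"eventTime": "2021-02-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/app-server/i-0abc",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/app-server"}}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/cust-a-key-id"}]},
 {"eventTime": "2021-02-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/sre-break-glass/bob",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/sre-break-glass"}}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/cust-b-key-id"}]},
 {"eventTime": "2021-02-01T10:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/sre-break-glass/bob",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/sre-break-glass"}}},
  "resources": [{"ARN": "arn:aws:s3:::example-bucket/cust-b/blob"}]},
 {"eventTime": "2021-02-01T10:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/app-server/i-0abc",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/app-server"}}},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/cust-a-key-id"}]},
 {"eventTime": "2021-02-01T10:09:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/cust-a-key-id"}]}
]}
'''

# Hypothetical allow-list: the only principal expected to decrypt customer data
# in normal operation is the application's service role.
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/app-server"}


def load_records(text: str) -> list:
    """Parse a CloudTrail log file body and return its Records array."""
    return json.loads(text)["Records"]


def principal_of(user_identity: dict) -> str:
    """Return a stable principal ARN for a CloudTrail userIdentity.

    For an assumed role the top-level arn is a per-session STS ARN, so the
    role ARN from sessionContext.sessionIssuer is used instead; IAM users
    and other identity types fall back to the top-level arn.
    """
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "unknown")


def kms_decrypts(records: Iterable[dict]) -> Iterable[dict]:
    """Yield only KMS Decrypt calls; these are the operations that return
    plaintext of already-encrypted data (GenerateDataKey etc. are skipped)."""
    for rec in records:
        if rec.get("eventSource") == "kms.amazonaws.com" and rec.get("eventName") == "Decrypt":
            yield rec


def flag_unexpected_decrypts(records: Iterable[dict], allowed_principals: set) -> list:
    """Return one finding per Decrypt whose caller is not in allowed_principals.

    Each finding records the event time, the resolved principal and the key
    ARNs touched, which is what an on-call responder needs to decide whether
    a privileged-access decrypt was legitimate.
    """
    findings = []
    for rec in kms_decrypts(records):
        principal = principal_of(rec.get("userIdentity", {}))
        if principal in allowed_principals:
            continue
        keys = [r["ARN"] for r in rec.get("resources", []) if "ARN" in r]
        findings.append({"time": rec["eventTime"], "principal": principal, "keys": keys})
    return findings


if __name__ == "__main__":
    for finding in flag_unexpected_decrypts(load_records(SAMPLE_EVENTS_JSON), ALLOWED_PRINCIPALS):
        print(f'{finding["time"]} {finding["principal"]} decrypted with {", ".join(finding["keys"])}')
```

In practice the records would come from the CloudTrail S3 delivery or a log pipeline rather than an inline string, and the allow-list would be derived from the KMS key policy itself so the two cannot drift apart. Because the key's own policy decides who may call Decrypt at all, this check is a second line: it catches use of legitimately granted privileged access, which is exactly the case the thread is discussing.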

> Our employees do not have access to the private key to decrypt sensitive data.

So this is literally a lie?