How to enforce SSE-KMS encryption on S3 buckets across 30 AWS accounts
Organizations managing multiple AWS accounts face compliance risks when developers create S3 buckets without encryption enabled. A Service Control Policy (SCP) attached to the root organizational unit can block unencrypted bucket creation by denying the s3:CreateBucket action unless the SSE-KMS header is present. For buckets that already exist without encryption, AWS Config evaluates them against a managed rule and triggers an SSM Automation document to apply SSE-KMS automatically. Terraform is used to provision the required Config delivery bucket, IAM roles, and StackSets that deploy the solution across all member accounts. Together, the SCP and Config remediation close both the preventive and corrective gaps in S3 encryption compliance.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in