For AWS secrets manager resource we want to ensure encryptions keys are created using certain module our firm has implemented. This module ultimately provisions KMS key in AWS account but requirement is it must happen though our module.
Is it possible to enforce Service control policy which can make sure that all the AWS secrets at the time of provisioning are supplied with KMS key which is created using the module firm has.
At the moment we have sentinel policy which checks for tags etc on the KSM key for this validation. Trying to figure out if SCP can do this instead of sentinel policy.
