AWS VPC Encryption Controls support declarative policies
AWS has introduced declarative policies for VPC Encryption Controls, allowing users to centrally define and enforce encryption in transit across all VPCs in their environment. This simplifies management for security teams by enabling a single policy for all existing and future VPCs, providing central visibility and aiding compliance with standards like HIPAA and PCI. This feature is available in all regions supporting VPC Encryption Controls at no additional charge for AWS Organizations users.
- →Centrally manage VPC Encryption Controls with declarative policies
- →Improved central visibility and compliance management
- →Availability and cost
Features (1) ›
- Centrally manage VPC Encryption Controls with declarative policies
AWS now supports declarative policies for VPC Encryption Controls, enabling centralized definition and enforcement of encryption in transit settings across all VPCs. This allows for consistent application of desired encryption states for accounts, organizations, or specific organizational units.
Enhancements (1) ›
- Improved central visibility and compliance management
The new declarative policies provide central visibility into Encryption Controls status across an organization's accounts and VPCs. This enhancement simplifies auditing and enforcement of encryption standards such as HIPAA, FedRAMP, and PCI, eliminating the need for individual VPC configurations and exclusions.
Notes (1) ›
- Availability and cost
Declarative policies for VPC Encryption Controls are available in all AWS regions supporting the feature. There is no additional charge for using these policies with AWS Organizations.
https://aws.amazon.com/about-aws/whats-new/2026/07/vpc-encryption-controls-declarative-controls/