I normally use the s3:x-amz-server-side-encryption-aws-kms-key-id condition key in most policies to ensure that the intended KMS key is used for s3:PutObject. This key is present whenever the object is being encrypted with SSE-KMS, regardless of whether it was inherited from the bucket's default encryption setting or explicitly specified in a request header. You could also use the key in an SCP just to identify whether the condition key is present, which it isn't if SSE-S3 is used.
Here are the alternatives I can think of in your case.
- S3 Default Encryption: You can enable default encryption at the S3 bucket level or the AWS account level using a customer-managed KMS key. This will automatically encrypt all new objects uploaded to the bucket, without impacting other AWS services.
- Bucket Policies: You can create S3 bucket policies that require encryption for all object uploads. This approach is more flexible than the SCP, as you can tailor the policy to specific buckets or accounts.
- AWS Config Rules: You can use AWS Config managed rules, such as s3-bucket-server-side-encryption-enabled, to continuously monitor and enforce encryption on your S3 buckets. This approach can be applied at the organization level using AWS Organizations.
- AWS Backup: If you're using AWS Backup to manage your backups, you can configure it to automatically encrypt your S3 backups using a KMS key of your choice.
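The following is an added example, not code from either answer above. It builds the policy both answers describe: the first answer's use of the s3:x-amz-server-side-encryption-aws-kms-key-id condition key to pin s3:PutObject to one KMS key (with a Null check for the SSE-S3 case, where the key is absent), written as an SCP and scoped to a bucket the way the second answer's bucket-policy bullet suggests. It also includes a small evaluator that runs the policy against constructed request contexts to show which uploads are denied. The bucket name, account ID and KMS key ARN are placeholders; the evaluator handles only the two operators the policy uses and ignores Resource matching, and the "no header, bucket default SSE-KMS" context simply assumes the first answer's statement that the key id is present when inherited.

```python
"""Added example (not from the thread): an SCP that denies s3:PutObject unless
the object is encrypted under one specific KMS key, plus a minimal evaluator
for the two condition operators it uses."""
import json

# Assumed placeholders: this bucket, account and KMS key do not exist.
BUCKET = "example-protected-bucket"
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")
# Real S3 condition key; its value is the ARN of the KMS key used for SSE-KMS.
KMS_KEY_ID_COND = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def build_scp(bucket: str, key_arn: str) -> dict:
    """Two Deny statements: one for 'no KMS key id in the request context'
    (SSE-S3 or no encryption), one for 'a KMS key other than ours'.
    SCPs carry no Principal element; add "Principal": "*" to the same
    statements to use them as a bucket policy instead."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutObjectWithoutSseKms",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": resource,
                # Null: "true" matches when the condition key is absent.
                "Condition": {"Null": {KMS_KEY_ID_COND: "true"}},
            },
            {
                "Sid": "DenyPutObjectWithWrongKmsKey",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {KMS_KEY_ID_COND: key_arn}},
            },
        ],
    }


def denies(policy: dict, request_context: dict) -> bool:
    """Return True if any Deny statement for s3:PutObject matches.
    Only the Null and StringNotEquals operators are implemented, and
    StringNotEquals is evaluated only when the key is present: the Null
    statement covers absence explicitly, so the policy does not rely on how
    IAM treats a negated operator against a missing key. Resource matching
    is not modelled (this is a toy evaluator, not IAM)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for op, pairs in stmt["Condition"].items():
            for key, expected in pairs.items():
                present = key in request_context
                if op == "Null" and expected == "true" and not present:
                    return True
                if (op == "StringNotEquals" and present
                        and request_context[key] != expected):
                    return True
    return False


# Constructed request contexts (assumed shapes of what S3 supplies to IAM).
REQUESTS = {
    # x-amz-server-side-encryption: AES256 -> no KMS key id in the context
    "sse_s3_header": {"s3:x-amz-server-side-encryption": "AES256"},
    "sse_kms_right_key": {"s3:x-amz-server-side-encryption": "aws:kms",
                          KMS_KEY_ID_COND: KEY_ARN},
    "sse_kms_wrong_key": {"s3:x-amz-server-side-encryption": "aws:kms",
                          KMS_KEY_ID_COND: KEY_ARN.replace("1234abcd", "0000ffff")},
    # Per the first answer, the key id is also present when inherited from the
    # bucket's default encryption; assumed here, not verified by this code.
    "no_header_default_kms": {KMS_KEY_ID_COND: KEY_ARN},
}


def evaluate_all() -> dict:
    """Map each constructed request to whether the SCP would deny it."""
    policy = build_scp(BUCKET, KEY_ARN)
    return {name: denies(policy, ctx) for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_scp(BUCKET, KEY_ARN), indent=2))
    for name, denied in evaluate_all().items():
        print(f"{name}: {'DENY' if denied else 'allow'}")
```

Attach the printed JSON as an SCP to the OU or account that owns the bucket; because SCPs only restrict principals inside the organization, pair it with the bucket policy form (same statements plus "Principal": "*") if cross-account writers are possible. Before rolling out, run the real AWS policy simulator or test uploads against a non-production bucket, since the toy evaluator above does not model Resource matching or the full IAM evaluation logic.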
Does that work with Amazon S3 Bucket Key feature as well? https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html
Yes, it works with bucket keys as well.