diff --git a/main.tf b/main.tf
index d35cd87e1..cf15bae18 100644
--- a/main.tf
+++ b/main.tf
@@ -10,10 +10,9 @@ module "kms" {
 locals {
 default_kms_key = module.kms.key.arn
-
- s3_kms_key_arn= var.create_kms ? local.default_kms_key : length(var.bucket_kms_key_arn)> 0 ? var.bucket_kms_key_arn : local.default_kms_key
- db_kms_key_arn = var.create_kms ? local.default_kms_key: length(var.db_kms_key_arn)> 0 ? var.db_kms_key_arn : local.default_kms_key
- database_performance_insights_kms_key_arn = var.create_kms ? local.default_kms_key: length(var.database_performance_insights_kms_key_arn)> 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key
+ s3_kms_key_arn= length(var.bucket_kms_key_arn)> 0 ? var.bucket_kms_key_arn : local.default_kms_key
+ db_kms_key_arn = length(var.db_kms_key_arn)> 0 ? var.db_kms_key_arn : local.default_kms_key
+ database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn)> 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key
 use_external_bucket = var.bucket_name != ""
 use_internal_queue = local.use_external_bucket || var.use_internal_queue
 }
diff --git a/outputs.tf b/outputs.tf
index d3c9ef303..188e49f14 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -48,7 +48,7 @@ output "internal_app_port" {
 }
 output "kms_key_arn" {
- value = local.kms_key_arn_generic
+ value = local.default_kms_key
 description = "The Amazon Resource Name of the KMS key used to encrypt data at rest."
 }
diff --git a/variables.tf b/variables.tf
index d376f5a27..27fc9fe17 100644
--- a/variables.tf
+++ b/variables.tf
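Review bot: The rewritten `s3_kms_key_arn` and `db_kms_key_arn` locals still call `length()` on `var.bucket_kms_key_arn` and `var.db_kms_key_arn`, but the variables.tf hunks in this same commit change both defaults from `""` to `null`, and `length(null)` is an evaluation error, so a plan that supplies no customer key fails instead of falling back to `local.default_kms_key`. A null-aware fallback keeps the intended behavior for both `null` and `""`: `s3_kms_key_arn = coalesce(var.bucket_kms_key_arn, local.default_kms_key)` and `db_kms_key_arn = coalesce(var.db_kms_key_arn, local.default_kms_key)`, since `coalesce` skips null and empty-string arguments. The `database_performance_insights_kms_key_arn` variable is not touched by this commit, so its `length()` check is presumably still valid while that default stays a string. Dropping `var.create_kms` also means the module-managed key is always created even when every consumer is given an external key; if that is intended, a comment on `default_kms_key` saying so would help the next reader. The `module "kms"` block named in the hunk header starts before the hunk.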
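Review bot: The `kms_key_arn` output now always reports the module-created key, yet after this commit the bucket and database may instead be encrypted with the caller-supplied `bucket_kms_key_arn` or `db_kms_key_arn`, so the description "The Amazon Resource Name of the KMS key used to encrypt data at rest." is no longer accurate in that case. Suggest narrowing it, e.g. `description = "The Amazon Resource Name of the module-managed KMS key. Resources given their own key via bucket_kms_key_arn or db_kms_key_arn are not encrypted with this key."`, so operators auditing key usage are not misled by the output.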
@@ -362,7 +362,12 @@ variable "bucket_name" {
 variable "bucket_kms_key_arn" {
 type = string
 description = "The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted."
- default = ""
+ default = null
+ validation {
+ # regex(...) fails if it cannot find a match
+ condition = can(regex("^arn:aws:kms:*:*"))
+ error_message = "Invalid value for bucket kms ARN"
+ }
 }
 ##########################################
@@ -398,13 +403,12 @@ variable "other_wandb_env" {
 # New Vars for Encryption #
 ##########################################
-variable "create_kms" {
- type = bool
- default = true
-
-}
 variable "db_kms_key_arn" {
 type = string
- default = ""
-
+ default = null
+ validation {
+ # regex(...) fails if it cannot find a match
+ condition = can(regex("^arn:aws:kms:*:*"))
+ error_message = "Invalid value for db kms ARN"
+ }
 }
\ No newline at end of file
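Review bot: The validation condition `can(regex("^arn:aws:kms:*:*"))` in the `bucket_kms_key_arn` block never inspects the variable: `regex()` takes the subject string as its second argument, and in the pattern `:*` is a zero-or-more quantifier on the colon rather than a wildcard, so the block cannot express the intended check and, since `can()` turns the argument error into `false`, it presumably rejects every value including the new `null` default; the identical block appears in the `db_kms_key_arn` hunk below. Replace it with a condition that tolerates the null default and accepts all AWS partitions, e.g. `condition = var.bucket_kms_key_arn == null || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/", var.bucket_kms_key_arn))`, and the same form over `var.db_kms_key_arn` in the second block. The comment `# regex(...) fails if it cannot find a match` would then read more clearly as `# can() turns the regex() error on a non-matching ARN into false`, and the error messages could name the expected form, e.g. `error_message = "bucket_kms_key_arn must be a KMS key or alias ARN (arn:<partition>:kms:<region>:<account>:key/... )."`.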