Ensure Lustre file systems are encrypted by KMS using a customer managed key (CMK)

Error: Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_110
Checkov Check ID: CKV_AWS_190
Severity: TBD

Ensure Lustre file systems are encrypted by KMS using a customer managed key (CMK)

Description

Amazon FSx for Lustre uses a KMS key, either the AWS managed key for Amazon FSx or a customer managed KMS key, to encrypt and decrypt file system data. All scratch FSx for Lustre file systems are encrypted at rest with keys managed by the service. Data is encrypted using an XTS-AES-256 block cipher: it is automatically encrypted before being written to the file system and automatically decrypted as it is read. The keys used to encrypt scratch file systems at rest are unique per file system and are destroyed when the file system is deleted. For persistent file systems, you choose the KMS key used to encrypt and decrypt data, either the AWS managed key for Amazon FSx or a customer managed KMS key, and you specify that key when you create the file system. Because a customer managed key is under your control, you can enable, disable, or revoke grants on it, which is the property this check looks for.

Fix - Buildtime

Terraform

  • Resource: aws_fsx_windows_file_system
  • Argument: kms_key_id
resource "aws_fsx_windows_file_system" "example" {
  active_directory_id = aws_directory_service_directory.example.id
  kms_key_id          = aws_kms_key.example.arn
  storage_capacity    = 300
  subnet_ids          = [aws_subnet.example.id]
  throughput_capacity = 1024
}
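The check itself targets the Lustre resource, so here is the Lustre form as an added example (not part of the original page): a customer managed key defined in the same configuration and referenced through kms_key_id. The deployment type is persistent because scratch file systems only use service-managed keys; all resource names and sizing values are assumed.

```hcl
# Customer managed key (CMK) with rotation enabled; FSx will use this
# key to encrypt the persistent Lustre file system at rest.
resource "aws_kms_key" "lustre" {
  description             = "CMK for FSx for Lustre file system data"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

# Persistent Lustre file system that passes CKV_AWS_190.
# A scratch deployment type (SCRATCH_1 / SCRATCH_2) cannot take a CMK;
# only persistent deployments accept kms_key_id.
resource "aws_fsx_lustre_file_system" "example" {
  deployment_type             = "PERSISTENT_2"
  per_unit_storage_throughput = 125
  storage_capacity            = 1200
  subnet_ids                  = [aws_subnet.example.id]

  # Omitting this argument falls back to the AWS managed key, which
  # is what the check flags.
  kms_key_id = aws_kms_key.lustre.arn
}
```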