Ensure AWS cluster logging is encrypted using a Customer Managed Key (CMK)

Error: AWS cluster logging is not encrypted using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_158
Checkov Check ID: CKV_AWS_224
Severity: LOW

AWS cluster logging is not encrypted using a Customer Managed Key (CMK)

Description

This policy identifies ECS cluster logging that is encrypted with the default AWS managed KMS key rather than with a customer managed key (CMK). It is a best practice to encrypt cluster logging data with a customer managed KMS key: you keep full control over the key policy, rotation and revocation, and therefore over who can read the encrypted data.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

resource "aws_ecs_cluster" "pass2" {
  name = "white-hart"

  configuration {
    execute_command_configuration {
      # Customer managed key used for the execute-command session data and its logs
      kms_key_id = aws_kms_key.example.arn

      log_configuration {
        # Option 1: ship logs to an encrypted CloudWatch log group
        # cloud_watch_encryption_enabled = true
        # cloud_watch_log_group_name     = aws_cloudwatch_log_group.example.name

        # Option 2: ship logs to S3 with server-side encryption required
        # s3_bucket_name = <bucket name, omitted here>
        s3_bucket_encryption_enabled = true
      }
    }
  }

  tags = { test = "fail" }
}
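To show what the policy described above actually evaluates, here is an added example (not Checkov's own implementation of CKV_AWS_224) that applies the same condition to parsed ECS cluster configurations: a cluster passes only when execute_command_configuration sets kms_key_id and its log_configuration enables encryption for the destination it uses. The KMS ARN, bucket and log group names are constructed placeholders, and a cluster with no execute_command_configuration at all is treated as failing here (an assumption of this example).

```python
from typing import Any, Dict, List, Tuple

POLICY_ID, SEVERITY = "CKV_AWS_224", "LOW"

# Constructed sample configurations, shaped like parsed HCL blocks.
PASSING_CLUSTER: Dict[str, Any] = {
    "name": "white-hart",
    "configuration": {
        "execute_command_configuration": {
            # placeholder CMK ARN, not a real key
            "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "log_configuration": {
                "s3_bucket_name": "example-ecs-exec-logs",
                "s3_bucket_encryption_enabled": True,
            },
        }
    },
}

FAILING_CLUSTER: Dict[str, Any] = {
    "name": "default",
    "configuration": {
        "execute_command_configuration": {
            # no kms_key_id: the AWS managed key would be used
            "log_configuration": {
                "cloud_watch_log_group_name": "/ecs/exec",
                "cloud_watch_encryption_enabled": False,
            }
        }
    },
}


def cluster_logging_uses_cmk(cluster: Dict[str, Any]) -> bool:
    """True when logging is encrypted with a CMK for every configured destination."""
    exec_cfg = cluster.get("configuration", {}).get("execute_command_configuration")
    if not exec_cfg or not exec_cfg.get("kms_key_id"):
        return False
    log_cfg = exec_cfg.get("log_configuration", {})
    cw_ok = log_cfg.get("cloud_watch_encryption_enabled") is True
    s3_ok = log_cfg.get("s3_bucket_encryption_enabled") is True
    # A named destination whose encryption flag is not enabled is a finding.
    if "cloud_watch_log_group_name" in log_cfg and not cw_ok:
        return False
    if "s3_bucket_name" in log_cfg and not s3_ok:
        return False
    return cw_ok or s3_ok


def evaluate(clusters: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (cluster name, policy id, severity) for each failing cluster."""
    return [(c.get("name", "?"), POLICY_ID, SEVERITY)
            for c in clusters if not cluster_logging_uses_cmk(c)]
```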