Ensure AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Error: AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_160
Checkov Check ID: CKV_AWS_219
Severity: LOW
AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Description
This policy identifies CodePipeline artifactStores which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your CodePipeline artifactStore data. It gives you full control over the encrypted data.
Fix - Runtime
TBD
Fix - Buildtime
Resource: aws_codepipeline
Arguments: encryption_key
resource "aws_codepipeline" "pass" {
name = "tf-test-pipeline"
role_arn = aws_iam_role.codepipeline_role.arn
artifact_store {
location = aws_s3_bucket.codepipeline_bucket.bucket
type = "S3"
encryption_key {
id = data.aws_kms_alias.s3kmskey.arn
type = "KMS"
}
}
Updated about 1 year ago