Ensure AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Error: AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_160
Checkov Check ID: CKV_AWS_219
Severity: LOW

AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Description

This policy identifies CodePipeline artifactStores which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your CodePipeline artifactStore data. It gives you full control over the encrypted data.

Fix - Runtime

TBD

Fix - Buildtime

Resource: aws_codepipeline

Arguments: encryption_key

resource "aws_codepipeline" "pass" {
  name     = "tf-test-pipeline"
  role_arn = aws_iam_role.codepipeline_role.arn

  artifact_store {
    location = aws_s3_bucket.codepipeline_bucket.bucket
    type     = "S3"

    encryption_key {
      id   = data.aws_kms_alias.s3kmskey.arn
      type = "KMS"
    }
  }

Did this page help you?