Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK)
Error: AWS DLM cross-region events are not encrypted with a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_117
Checkov Check ID: CKV_AWS_254
Severity: LOW
AWS DLM cross-region events are not encrypted with a Customer Managed Key (CMK)
Description
This policy identifies DLM cross-region events) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your DLM cross-region events data. It gives you full control over the encrypted data.
Fix - Runtime
TBD
Fix - Buildtime
Terraform
Resource: aws_dlm_lifecycle_policy
Arguments: action.cross_region_copy.encryption_configuration.cmk_arn
resource "aws_dlm_lifecycle_policy" "pass" {
description = "tf-acc-basic"
execution_role_arn = aws_iam_role.example.arn
policy_details {
policy_type = "EVENT_BASED_POLICY"
resource_types = []
target_tags = {}
action {
name = "tf-acc-basic"
cross_region_copy {
encryption_configuration {
cmk_arn = aws_kms_key.test.arn
encryption = true
}
retain_rule {
interval = 15
interval_unit = "MONTHS"
}
}
}
event_source {
type = "MANAGED_CWE"
parameters {
description_regex = "^.*Created for policy: policy-1234567890abcdef0.*$"
event_type = "shareSnapshot"
snapshot_owner = [data.aws_caller_identity.current.account_id]
}
}
}
}
Updated 4 months ago