Ensure AWS DLM cross-region events are encrypted with a Customer Managed Key (CMK)

Error: AWS DLM cross-region events are not encrypted with a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_117
Checkov Check ID: CKV_AWS_254
Severity: LOW

Description

This policy identifies aws_dlm_lifecycle_policy resources whose cross-region copy action has no cmk_arn in its encryption_configuration, so the copied snapshots are encrypted with the default AWS managed KMS key rather than a customer managed key (CMK). Using a CMK is a best practice: you own the key policy, so you decide which principals and accounts may use the key, you can enable automatic rotation, and you can disable the key or revoke a grant to cut off access to the copied data. Two caveats for the fix: cmk_arn only selects the key, so the same block must also set encrypted = true; and the key must exist in the target Region and be usable by the policy's execution role, otherwise the copy fails at runtime even though the check passes.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

Resource: aws_dlm_lifecycle_policy
Arguments: action.cross_region_copy.encryption_configuration.cmk_arn

# The execution role, the KMS key and the caller-identity data source are
# referenced here but defined elsewhere. The key must exist in the target
# Region and its key policy must allow the execution role to use it.
resource "aws_dlm_lifecycle_policy" "pass" {
  description        = "tf-acc-basic"
  execution_role_arn = aws_iam_role.example.arn

  policy_details {
    policy_type = "EVENT_BASED_POLICY"

    resource_types = []
    target_tags    = {}

    action {
      name = "tf-acc-basic"
      cross_region_copy {
        # Region the shared snapshots are copied into (required; placeholder value)
        target = "us-west-2"

        # Encrypt the copies with a customer managed key instead of the default
        # AWS managed key. cmk_arn is what this check looks for; the argument is
        # named "encrypted" in the provider schema, not "encryption".
        encryption_configuration {
          cmk_arn   = aws_kms_key.test.arn
          encrypted = true
        }
        retain_rule {
          interval      = 15
          interval_unit = "MONTHS"
        }
      }
    }

    event_source {
      type = "MANAGED_CWE"
      parameters {
        description_regex = "^.*Created for policy: policy-1234567890abcdef0.*$"
        event_type        = "shareSnapshot"
        snapshot_owner    = [data.aws_caller_identity.current.account_id]
      }
    }
  }
}
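For contrast, the first resource below is the failing counterpart of the passing example: encryption is turned on but no cmk_arn is named, so the copies land under the target Region's default AWS managed EBS key and the check reports it. It is followed by one way to define the customer managed key that the passing example references as aws_kms_key.test, created in the target Region and given a key policy that lets the DLM execution role use it. This is an added example and not part of the original page or of Checkov; the Region names, the role name and the exact set of KMS actions granted to the role are assumptions for illustration.

```hcl
# FAIL: encryption is enabled, but with no cmk_arn the snapshot copies are
# encrypted with the default AWS managed key in the target Region.
resource "aws_dlm_lifecycle_policy" "fail" {
  description        = "cross-region copy without a CMK"
  execution_role_arn = aws_iam_role.example.arn

  policy_details {
    policy_type = "EVENT_BASED_POLICY"

    action {
      name = "copy-shared-snapshots"
      cross_region_copy {
        target = "us-west-2" # placeholder target Region
        encryption_configuration {
          encrypted = true # no cmk_arn here: this is what the check flags
        }
      }
    }

    event_source {
      type = "MANAGED_CWE"
      parameters {
        description_regex = "^.*Created for policy: policy-1234567890abcdef0.*$"
        event_type        = "shareSnapshot"
        snapshot_owner    = [data.aws_caller_identity.current.account_id]
      }
    }
  }
}

# PASS side: the CMK the passing policy points at. Snapshot copies are
# encrypted with a key in the Region they are copied to, so the key is
# created through a provider aliased to the target Region.
provider "aws" {
  alias  = "target"
  region = "us-west-2" # placeholder; must match cross_region_copy.target
}

data "aws_caller_identity" "current" {}

# Execution role assumed by the DLM service (name is an assumption).
resource "aws_iam_role" "example" {
  name = "dlm-cross-region-copy"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "dlm.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_kms_key" "test" {
  provider            = aws.target
  description         = "CMK for DLM cross-region snapshot copies"
  enable_key_rotation = true

  # Key policy: the account root keeps administrative control of the key and
  # the DLM execution role gets only the operations needed to copy snapshots.
  # The KMS action list is an assumption for this example; trim it to what
  # your role actually needs.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableRootPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowDLMExecutionRole"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.example.arn }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ]
        Resource = "*"
      }
    ]
  })
}
```

Running checkov against a module containing both policies reports the "fail" resource and passes the one that sets cmk_arn. The check is purely static: it confirms a CMK is referenced, not that the key lives in the target Region or that the role can use it, so keep the provider alias and the key policy in the same change as the cmk_arn fix.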