Ensure AWS DLM cross-region schedules are encrypted using a Customer Managed Key (CMK)
Error: AWS DLM cross-region schedules are not encrypted using a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_124
Checkov Check ID: CKV_AWS_256
Severity: LOW
AWS DLM cross-region schedules are not encrypted using a Customer Managed Key (CMK)
Description
This policy identifies Elastic File DLM cross-region schedules which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your DLM cross-region schedules data. It gives you full control over the encrypted data.
Fix - Runtime
Fix - Buildtime
Terraform
Resource: aws_dlm_lifecycle_policy
Arguments: cross_region_copy_rule.cmk_arn
resource "aws_dlm_lifecycle_policy" "pass" {
description = "example DLM lifecycle policy"
execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
state = "ENABLED"
policy_details {
resource_types = ["VOLUME"]
schedule {
name = "2 weeks of daily snapshots"
create_rule {
interval = 24
interval_unit = "HOURS"
times = ["23:45"]
}
retain_rule {
count = 14
}
tags_to_add = {
SnapshotCreator = "DLM"
}
copy_tags = false
cross_region_copy_rule {
target = "us-west-2"
encrypted = true
cmk_arn = aws_kms_key.dlm_cross_region_copy_cmk.arn
copy_tags = true
retain_rule {
interval = 30
interval_unit = "DAYS"
}
}
cross_region_copy_rule {
target = "us-west-2"
encrypted = true
cmk_arn = aws_kms_key.dlm_cross_region_copy_cmk.arn
copy_tags = true
retain_rule {
interval = 20
interval_unit = "DAYS"
}
}
}
target_tags = {
Snapshot = "true"
}
}
tags = {
test = "failed"
}
}
Updated 5 months ago