Ensure AWS FSX openzfs file system is encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)

Error: AWS FSX openzfs is not encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_116
Checkov Check ID: CKV_AWS_203
Severity: LOW

AWS FSX openzfs is not encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)

Description

This policy identifies FSX openzfs file systems which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your FSX openzfs file system data. It gives you full control over the encrypted data.

Fix - Runtime

Fix - Buildtime

Terraform

Resource: aws_fsx_openzfs_file_system
Arguments: kms_key_id

resource "aws_fsx_openzfs_file_system" "pass" {
  storage_capacity                = var.file_system.storage_capacity
  subnet_ids                      = var.subnet_ids
  deployment_type                 = var.file_system.deployment_type
  throughput_capacity             = var.file_system.throughput_capacity
  kms_key_id                      = var.kms_key_id
  automatic_backup_retention_days = 0 #flag as no bckup
}