Ensure AWS MemoryDB is encrypted at rest by AWS' Key Management Service KMS using CMKs

Error: AWS MemoryDB is not encrypted at rest by AWS' Key Management Service KMS using CMKs

Bridgecrew Policy ID: BC_AWS_GENERAL_126
Checkov Check ID: CKV_AWS_201
Severity: LOW

Description

This policy identifies MemoryDB clusters that are encrypted with the default AWS-managed KMS key rather than with a customer-managed key (CMK). It is a best practice to use customer-managed KMS keys to encrypt your MemoryDB data, because they give you full control over the key that protects the encrypted data.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

Resource: aws_memorydb_cluster
Arguments: kms_key_arn

# Passing example: the cluster is encrypted at rest with a customer-managed KMS key.
# aws_security_group.example, aws_memorydb_subnet_group.example and aws_kms_key.example
# are assumed to be declared elsewhere in the configuration.
resource "aws_memorydb_cluster" "pass" {
  acl_name                 = "open-access"
  name                     = "my-cluster"
  node_type                = "db.t4g.small"
  num_shards               = 2
  security_group_ids       = [aws_security_group.example.id]
  snapshot_retention_limit = 7
  subnet_group_name        = aws_memorydb_subnet_group.example.id
  # The argument this check inspects: omitting it leaves the cluster on the default AWS-managed key.
  kms_key_arn              = aws_kms_key.example.arn
}
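The following is an added example, not Checkov's or Bridgecrew's own code, showing how the same condition can be detected outside Checkov: once over the JSON that `terraform show -json` produces for a plan (build time), and once over a response shaped like MemoryDB `DescribeClusters` (run time). Both sample inputs are constructed. The plan check looks at `resource_changes` rather than `planned_values` so that a `kms_key_arn` that is still unknown at plan time (for example `aws_kms_key.example.arn` for a key created in the same apply) is not reported as missing. The run-time check assumes that MemoryDB only returns `KmsKeyId` for a cluster when a customer-managed key was specified; the ARN in the sample is a placeholder.

```python
"""Flag MemoryDB clusters that rely on the default AWS-managed KMS key instead of a
customer-managed key (CMK), mirroring the intent of CKV_AWS_201 (example code)."""
import json
import sys

# Constructed plan JSON (shape of `terraform show -json tfplan`), trimmed to the
# fields the check needs. "pass" references a key created in the same plan, so its
# kms_key_arn is unknown rather than set; "fail" sets nothing; "gone" is deleted.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_memorydb_cluster.pass", "type": "aws_memorydb_cluster",
         "change": {"actions": ["create"],
                    "after": {"name": "my-cluster", "node_type": "db.t4g.small",
                              "kms_key_arn": None},
                    "after_unknown": {"arn": True, "kms_key_arn": True}}},
        {"address": "aws_memorydb_cluster.fail", "type": "aws_memorydb_cluster",
         "change": {"actions": ["create"],
                    "after": {"name": "other-cluster", "node_type": "db.t4g.small",
                              "kms_key_arn": None},
                    "after_unknown": {"arn": True}}},
        {"address": "aws_memorydb_cluster.gone", "type": "aws_memorydb_cluster",
         "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
    ],
}

# Constructed DescribeClusters-shaped response; the key ARN is a placeholder.
SAMPLE_DESCRIBE = {
    "Clusters": [
        {"Name": "my-cluster", "Status": "available",
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"Name": "other-cluster", "Status": "available"},
    ],
}


def find_memorydb_without_cmk(plan):
    """Return addresses of aws_memorydb_cluster resources in a plan whose
    kms_key_arn is neither set nor marked unknown (i.e. it will be left unset)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_memorydb_cluster":
            continue
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:
            continue  # resource is being destroyed; nothing to encrypt
        unknown = change.get("after_unknown") or {}
        # A value known only after apply shows up in after_unknown, not in after.
        if after.get("kms_key_arn") or unknown.get("kms_key_arn"):
            continue
        findings.append(rc["address"])
    return findings


def find_memorydb_without_cmk_at_runtime(describe_response):
    """Return names of live clusters whose KmsKeyId is absent or empty.
    Assumption: the service omits KmsKeyId when the default key is in use."""
    return [c["Name"] for c in describe_response.get("Clusters", [])
            if not c.get("KmsKeyId")]


if __name__ == "__main__":
    # Usage: python check_memorydb_cmk.py tfplan.json  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address in find_memorydb_without_cmk(plan):
        print(f"FAILED CKV_AWS_201 (no customer-managed KMS key): {address}")
    for name in find_memorydb_without_cmk_at_runtime(SAMPLE_DESCRIBE):
        print(f"Live cluster using default KMS key: {name}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > tfplan.json` followed by `python check_memorydb_cmk.py tfplan.json`; the run-time half only needs the `Clusters` list from `aws memorydb describe-clusters` fed in place of the sample.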