Ensure AWS MQBroker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Error: AWS MQBroker is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)

Bridgecrew Policy ID: BC_AWS_GENERAL_159
Checkov Check ID: CKV_AWS_209
Severity: LOW


Description

This policy identifies Amazon MQ brokers whose data at rest is encrypted with the default AWS-owned KMS key rather than with a customer managed key (CMK). It is a best practice to encrypt broker data with a customer managed KMS key: a CMK lives in your own account, so you control its key policy, grants, rotation and deletion, and every use of it is recorded in CloudTrail, none of which is available with the AWS-owned key.

Fix - Runtime

TBD

Fix - Buildtime

Terraform

resource "aws_mq_broker" "pass" {
  broker_name = "example"

  # References an aws_mq_configuration resource defined elsewhere in the module
  # ("fail" is only the Terraform resource name, not a statement about the configuration)
  configuration {
    id       = aws_mq_configuration.fail.id
    revision = aws_mq_configuration.fail.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.13"
  host_instance_type = "mq.t2.micro"
  security_groups    = [aws_security_group.test.id]

  user {
    username = "ExampleUser"
    password = "MindTheGapps"
  }

  # Both settings are required to satisfy CKV_AWS_209: use_aws_owned_key defaults to
  # true, so it must be set to false explicitly, and kms_key_id must point at a KMS key
  # in your account. encryption_options is fixed at broker creation; changing it on an
  # existing broker forces Terraform to replace the broker.
  encryption_options {
    use_aws_owned_key = false
    kms_key_id        = aws_kms_key.example.arn
  }
}
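To make the pass/fail rule concrete, here is an added example (not Checkov's or Bridgecrew's own code) that re-implements the logic this policy applies, in a simplified form, over resource configurations in the shape Checkov's Terraform parser produces (each attribute value wrapped in a list). The sample broker configurations are constructed for the example; the `scan_brokers` and `mq_broker_uses_cmk` function names are assumptions, not Checkov APIs.

```python
# Added example: simplified re-implementation of the CKV_AWS_209 rule.
# A broker passes only when encryption_options sets use_aws_owned_key = false
# AND supplies a non-empty kms_key_id; every other shape fails.

from typing import Dict, Optional


def mq_broker_uses_cmk(resource_conf: Dict) -> bool:
    """Return True when an aws_mq_broker config encrypts with a customer managed key."""
    blocks = resource_conf.get("encryption_options")
    if not blocks or not isinstance(blocks, list):
        # No encryption_options block: the provider default is the AWS-owned key.
        return False
    opts = blocks[0] if isinstance(blocks[0], dict) else {}
    # use_aws_owned_key defaults to true, so a missing attribute must count as AWS-owned.
    use_aws_owned: Optional[bool] = opts.get("use_aws_owned_key", [True])[0]
    kms_key_id: Optional[str] = opts.get("kms_key_id", [None])[0]
    return use_aws_owned is False and bool(kms_key_id)


def scan_brokers(resources: Dict[str, Dict]) -> Dict[str, str]:
    """Map each aws_mq_broker address to 'PASSED' or 'FAILED'."""
    results = {}
    for address, conf in resources.items():
        if not address.startswith("aws_mq_broker."):
            continue  # the check only applies to MQ brokers
        results[address] = "PASSED" if mq_broker_uses_cmk(conf) else "FAILED"
    return results


# Constructed sample resources covering the passing case and the common failing shapes.
SAMPLE_RESOURCES = {
    "aws_mq_broker.pass": {
        "broker_name": ["example"],
        "engine_type": ["ActiveMQ"],
        "encryption_options": [{
            "use_aws_owned_key": [False],
            "kms_key_id": ["${aws_kms_key.example.arn}"],
        }],
    },
    # No encryption_options block at all -> AWS-owned key by default.
    "aws_mq_broker.no_block": {
        "broker_name": ["example"],
        "engine_type": ["ActiveMQ"],
    },
    # Block present but explicitly uses the AWS-owned key.
    "aws_mq_broker.aws_owned": {
        "broker_name": ["example"],
        "encryption_options": [{"use_aws_owned_key": [True]}],
    },
    # Opted out of the AWS-owned key but never named a CMK.
    "aws_mq_broker.no_key": {
        "broker_name": ["example"],
        "encryption_options": [{"use_aws_owned_key": [False]}],
    },
    # Unrelated resource type: the check must ignore it.
    "aws_kms_key.example": {"description": ["broker key"]},
}


if __name__ == "__main__":
    for address, verdict in scan_brokers(SAMPLE_RESOURCES).items():
        print(f"{verdict:7} {address}")
```

Note that the check does not validate the key itself: a `kms_key_id` pointing at an AWS managed key such as `aws/mq` would still be reported as passing at build time, so confirm the referenced key is one you created and whose key policy you control.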