Ensure AWS MQBroker is encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Error: AWS MQBroker is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_159
Checkov Check ID: CKV_AWS_209
Severity: LOW
Description
This policy identifies MQ brokers that are encrypted with the default AWS-owned KMS key rather than with a key managed by the customer. It is a best practice to encrypt your MQ broker data with a customer managed KMS key (CMK), because it gives you full control over the key that protects the encrypted data.
Fix - Runtime
TBD
Fix - Buildtime
Terraform
```hcl
resource "aws_mq_broker" "pass" {
  broker_name = "example"

  configuration {
    id       = aws_mq_configuration.fail.id
    revision = aws_mq_configuration.fail.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.13"
  host_instance_type = "mq.t2.micro"
  security_groups    = [aws_security_group.test.id]

  user {
    username = "ExampleUser"
    # Sample credential from the example; in practice reference a secret store rather than a literal.
    password = "MindTheGapps"
  }

  # Both settings are needed for a customer managed key: use_aws_owned_key = false
  # alone would fall back to the AWS-managed aws/mq key, and use_aws_owned_key
  # defaults to true when the block is omitted.
  encryption_options {
    use_aws_owned_key = false
    kms_key_id        = aws_kms_key.example.arn
  }
}
```
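The three key states the `encryption_options` block can express (AWS-owned key, AWS-managed `aws/mq` key, customer managed key) are what this policy distinguishes. The following checker is an added example, not Checkov's or Bridgecrew's own implementation: it evaluates `aws_mq_broker` resource bodies in the usual HCL-to-JSON shape (nested blocks as lists of dicts) and reports why a broker fails; the sample resources are constructed here.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Result:
    passed: bool
    reason: str


def check_mq_broker_cmk(resource: dict[str, Any]) -> Result:
    """Evaluate one aws_mq_broker body against the CKV_AWS_209 intent.

    Follows the Terraform provider semantics: use_aws_owned_key defaults to
    true (AWS-owned key); false without kms_key_id selects the AWS-managed
    aws/mq key; only false together with kms_key_id is a customer managed key.
    """
    options = resource.get("encryption_options") or []
    if not options:
        return Result(False, "no encryption_options block: AWS-owned key by default")
    opts = options[0]
    if opts.get("use_aws_owned_key", True):
        return Result(False, "use_aws_owned_key is true or unset: AWS-owned key")
    key = opts.get("kms_key_id")
    if not key:
        return Result(False, "kms_key_id unset: falls back to AWS-managed aws/mq key")
    return Result(True, f"customer managed key {key}")


def evaluate_all(resources: dict[str, dict[str, Any]]) -> dict[str, Result]:
    """Run the check over a name -> body mapping of aws_mq_broker resources."""
    return {name: check_mq_broker_cmk(body) for name, body in resources.items()}


# Constructed sample resources covering the three key states plus the omitted block.
SAMPLE_BROKERS: dict[str, dict[str, Any]] = {
    "cmk": {"encryption_options": [{"use_aws_owned_key": False,
                                    "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}]},
    "aws_owned": {"encryption_options": [{"use_aws_owned_key": True}]},
    "aws_managed": {"encryption_options": [{"use_aws_owned_key": False}]},
    "omitted": {"broker_name": "example"},
}

if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_BROKERS).items():
        print(f"{name}: {'PASS' if result.passed else 'FAIL'} ({result.reason})")
```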