Ensure AWS RDS Cluster activity streams are encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)

Error: AWS RDS Cluster activity streams are not encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)

Bridgecrew Policy ID: BC_AWS_GENERAL_150
Checkov Check ID: CKV_AWS_246
Severity: LOW

Description

This policy identifies RDS Cluster activity streams that are encrypted with the default AWS-managed KMS key rather than with a customer managed key (CMK). It is a best practice to use a customer managed KMS key to encrypt your RDS Cluster activity stream data, because it gives you full control over the key that protects the encrypted data.
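The distinction the policy draws, a stream keyed to the service default key versus a customer managed key, can be checked at runtime from the cluster and key descriptions. The following is an added example, not Checkov's own check code: it applies the policy's logic to constructed dictionaries shaped like boto3's rds.describe_db_clusters() and kms.describe_key() responses, so it runs offline; the cluster names and key ARNs are made up.

```python
"""Classify each RDS cluster's activity-stream key as a customer managed key
(pass) or the AWS-managed default key (fail). Added example; runs offline on
constructed data shaped like boto3 responses."""

# Constructed sample of rds.describe_db_clusters()["DBClusters"] entries.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "ActivityStreamStatus": "started",
     "ActivityStreamMode": "async",
     "ActivityStreamKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-cmk"},
    {"DBClusterIdentifier": "reports-prod", "ActivityStreamStatus": "started",
     "ActivityStreamMode": "sync",
     "ActivityStreamKmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-aws"},
    {"DBClusterIdentifier": "dev-scratch", "ActivityStreamStatus": "stopped"},
]

# Constructed sample of kms.describe_key(KeyId=arn)["KeyMetadata"], keyed by ARN.
# KeyManager is "AWS" for the service default key (alias/aws/rds) and
# "CUSTOMER" for a customer managed key.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/0000-cmk":
        {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "arn:aws:kms:us-east-1:111122223333:key/0000-aws":
        {"KeyManager": "AWS", "KeyState": "Enabled"},
}


def stream_key_finding(cluster: dict, key_metadata: dict) -> str:
    """Return 'PASS', 'FAIL' or 'NOT_APPLICABLE' for one cluster description."""
    # A cluster with no activity stream has nothing for this policy to judge.
    if cluster.get("ActivityStreamStatus", "stopped") == "stopped":
        return "NOT_APPLICABLE"
    key_arn = cluster.get("ActivityStreamKmsKeyId")
    meta = key_metadata.get(key_arn) if key_arn else None
    # Missing or unresolvable key: treat as non-compliant rather than unknown.
    if meta is None:
        return "FAIL"
    return "PASS" if meta.get("KeyManager") == "CUSTOMER" else "FAIL"


def audit(clusters: list, key_metadata: dict) -> dict:
    """Map every cluster identifier to its finding."""
    return {c["DBClusterIdentifier"]: stream_key_finding(c, key_metadata)
            for c in clusters}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CLUSTERS, SAMPLE_KEYS).items():
        print(f"{name}: {finding}")
```

Against live accounts the same functions take the output of rds.describe_db_clusters() and one kms.describe_key() call per distinct ActivityStreamKmsKeyId.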

Fix - Runtime

TBD

Fix - Buildtime

Terraform

Resource: aws_rds_cluster_activity_stream
Arguments: kms_key_id

resource "aws_rds_cluster_activity_stream" "pass" {
  resource_arn = aws_rds_cluster.default.arn
  mode         = "async"
  # Customer managed key; omitting this or pointing at the AWS-managed
  # default key (alias/aws/rds) is what the policy flags.
  kms_key_id   = aws_kms_key.default.key_id

  # The stream can only be started once the cluster has a running instance.
  depends_on = [aws_rds_cluster_instance.default]
}