Ensure Backup Vault is encrypted at rest using KMS CMK
Error: Backup Vault is not encrypted at rest using KMS CMK
Bridgecrew Policy ID: BC_AWS_GENERAL_89
Checkov Check ID: CKV_AWS_166
Severity: MEDIUM
Description
Encrypting your data and resources with KMS helps protect them from unauthorized access or tampering. With encryption in place, only authorized users can access and decrypt the data, and the data is protected while in storage or in transit. This helps protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
Fix - Buildtime
Terraform
- Resource: aws_backup_vault
- Argument: kms_key_arn
```hcl
resource "aws_backup_vault" "backup_with_kms_key" {
  # ...
  # Add this argument so the vault is encrypted with your KMS key.
  kms_key_arn = aws_kms_key.example.arn
}
```
CloudFormation
- Resource: AWS::Backup::BackupVault
- Argument: Properties.EncryptionKeyArn
```yaml
Type: AWS::Backup::BackupVault
Properties:
  # ...
  # Add this property; the value below is a placeholder for the ARN of your KMS key.
  EncryptionKeyArn: example.arn/aws_kms_key
```
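A pre-merge check for the two settings above, as an added example that is not Checkov's implementation or code from this page. It assumes the Terraform input is the parsed output of `terraform show -json` on a saved plan and the CloudFormation template is already loaded as a dict; the function names and sample data are constructed for illustration.

```python
def vaults_missing_kms_in_plan(plan: dict) -> list:
    """Addresses of aws_backup_vault resources whose configuration sets no kms_key_arn."""
    findings = []

    def walk(module: dict, prefix: str) -> None:
        for res in module.get("resources", []):
            if res.get("mode") != "managed" or res.get("type") != "aws_backup_vault":
                continue
            # Read the written configuration, not apply-time values: a reference
            # such as aws_kms_key.example.arn or a non-empty constant counts as set.
            expr = res.get("expressions", {}).get("kms_key_arn") or {}
            if not (expr.get("references") or expr.get("constant_value")):
                findings.append(prefix + res["address"])
        # Addresses inside a called module are relative, so carry the module path.
        for name, call in module.get("module_calls", {}).items():
            walk(call.get("module", {}), f"{prefix}module.{name}.")

    walk(plan.get("configuration", {}).get("root_module", {}), "")
    return findings


def vaults_missing_kms_in_template(template: dict) -> list:
    """Logical IDs of AWS::Backup::BackupVault resources without EncryptionKeyArn."""
    return [
        logical_id for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::Backup::BackupVault"
        # A string ARN or an intrinsic such as {"Fn::GetAtt": [...]} both count as set.
        and not (res.get("Properties") or {}).get("EncryptionKeyArn")
    ]


def _vault(name: str, expressions: dict) -> dict:  # one constructed configuration entry
    return {"address": f"aws_backup_vault.{name}", "mode": "managed",
            "type": "aws_backup_vault", "expressions": expressions}

# Constructed sample inputs, trimmed to the fields the checks read.
SAMPLE_PLAN = {"configuration": {"root_module": {
    "resources": [
        _vault("backup_with_kms_key", {"kms_key_arn": {"references": ["aws_kms_key.example.arn"]}}),
        _vault("plain", {"name": {"constant_value": "plain"}})],
    "module_calls": {"dr": {"module": {"resources": [_vault("copy", {})]}}},
}}}
SAMPLE_TEMPLATE = {"Resources": {
    "PlainVault": {"Type": "AWS::Backup::BackupVault", "Properties": {"BackupVaultName": "plain"}},
    "EncryptedVault": {"Type": "AWS::Backup::BackupVault", "Properties": {
        "BackupVaultName": "enc", "EncryptionKeyArn": {"Fn::GetAtt": ["ExampleKey", "Arn"]}}},
}}

if __name__ == "__main__":
    print(vaults_missing_kms_in_plan(SAMPLE_PLAN), vaults_missing_kms_in_template(SAMPLE_TEMPLATE))
```

Failing the pipeline when either list is non-empty gives the same gate as the policy, and the module-prefixed addresses point at the exact resource to fix.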