Ensure Session Manager logs are enabled and encrypted

Error: Session Manager logs are not enabled or encrypted

Bridgecrew Policy ID: BC_AWS_GENERAL_61
Checkov Check ID: CKV_AWS_113
Severity: MEDIUM

Description

Encrypting your Session Manager logs helps protect the recorded session data from unauthorized access or tampering, so that only authorized users can read or modify the log contents. This protects against external threats such as attackers or malware, as well as internal threats such as accidental or unauthorized access.

Fix - Buildtime

Terraform

Resource: aws_ssm_document

Argument: cloudWatchStreamingEnabled

# Session-type document that holds the regional Session Manager preferences.
# Both log destinations are encrypted and CloudWatch streaming is enabled,
# which is what this check looks for.
resource "aws_ssm_document" "s3_enabled_encrypted" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"

  # The document body is JSON; the "inputs" object carries the logging settings.
  # Replace "example" and the empty cloudWatchLogGroupName with your own S3
  # bucket and CloudWatch log group so the log destinations actually exist.
  content = <<DOC
  {
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
      "s3BucketName": "example",
      "s3KeyPrefix": "",
      "s3EncryptionEnabled": true,
      "cloudWatchLogGroupName": "",
      "cloudWatchEncryptionEnabled": true,
      "idleSessionTimeout": "20",
      "cloudWatchStreamingEnabled": true,
      "kmsKeyId": "",
      "runAsEnabled": false,
      "runAsDefaultUser": "",
      "shellProfile": {
        "windows": "",
        "linux": ""
      }
    }
  }
DOC
}
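As an added example that is not Checkov's or Bridgecrew's own code, the evaluator below applies the requirement above to the JSON body of an aws_ssm_document, returning one finding per missing or disabled flag. It assumes that s3EncryptionEnabled, cloudWatchEncryptionEnabled and cloudWatchStreamingEnabled must all be true and that only "Session" documents are in scope; the sample documents are constructed for the demonstration.

```python
# Added example (not Checkov's or Bridgecrew's code): evaluates the JSON content
# of an aws_ssm_document against the logging/encryption requirement above.
# Assumption: all three flags in REQUIRED_TRUE must be true to pass.
import json

REQUIRED_TRUE = (
    "s3EncryptionEnabled",
    "cloudWatchEncryptionEnabled",
    "cloudWatchStreamingEnabled",
)


def _is_true(value) -> bool:
    """Accept a JSON boolean or the string "true" (case-insensitive)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def evaluate_session_document(document_type: str, content: str) -> list[str]:
    """Return findings for a Session document; an empty list means compliant.

    Other document types (Command, Automation, ...) are out of scope and
    return no findings, since the preferences only live in Session documents.
    """
    if document_type != "Session":
        return []
    try:
        doc = json.loads(content)
    except json.JSONDecodeError as exc:
        return [f"content is not valid JSON: {exc.msg}"]
    inputs = doc.get("inputs")
    if not isinstance(inputs, dict):
        return ["inputs block is missing, so no logging settings are declared"]
    findings = []
    for key in REQUIRED_TRUE:
        if key not in inputs:
            findings.append(f"{key} is not set")
        elif not _is_true(inputs[key]):
            findings.append(f"{key} is {inputs[key]!r}, expected true")
    return findings


# Constructed sample inputs: the first mirrors the compliant document above,
# the second disables S3 encryption and omits CloudWatch streaming.
COMPLIANT = json.dumps({"schemaVersion": "1.0", "sessionType": "Standard_Stream",
    "inputs": {"s3BucketName": "example", "s3EncryptionEnabled": True,
               "cloudWatchEncryptionEnabled": True, "cloudWatchStreamingEnabled": True}})
NON_COMPLIANT = json.dumps({"schemaVersion": "1.0", "sessionType": "Standard_Stream",
    "inputs": {"s3BucketName": "example", "s3EncryptionEnabled": False,
               "cloudWatchEncryptionEnabled": True}})

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("non_compliant", NON_COMPLIANT)):
        print(name, evaluate_session_document("Session", doc) or "PASSED")
```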