Ensure that CloudWatch Log Group is encrypted by KMS

Error: CloudWatch Log groups encrypted using default encryption key instead of KMS CMK

Bridgecrew Policy ID: BC_AWS_GENERAL_85
Checkov Check ID: CKV_AWS_158
Severity: LOW


Description

Log group data is always encrypted at rest in CloudWatch Logs, by default with an AWS-managed key. Developers can optionally use an AWS Key Management Service customer managed key (CMK) for this encryption instead. Using a CMK has several limitations:

  • If you revoke CloudWatch Logs access to an associated CMK or delete an associated CMK, your encrypted data in CloudWatch Logs can no longer be retrieved.
  • You cannot associate a CMK with a log group using the CloudWatch console.

Fix - Buildtime

Terraform

  • Resource: aws_cloudwatch_log_group
  • Argument: kms_key_id

Note: the value should be the ARN of the KMS key, not its key ID or alias.

resource "aws_cloudwatch_log_group" "pass" {
  ...
+ kms_key_id        = "someKey"
}

CloudFormation

  • Resource: AWS::Logs::LogGroup
  • Argument: Properties.KmsKeyId

  Type: AWS::Logs::LogGroup
  Properties:
    ...
+   KmsKeyId: "someKey"