Ensure that CloudWatch Log Group is encrypted by KMS
Error: CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
Bridgecrew Policy ID: BC_AWS_GENERAL_85
Checkov Check ID: CKV_AWS_158
Severity: LOW
Description
CloudWatch Logs always encrypts log group data at rest; by default it uses an AWS-managed key. Developers can optionally use an AWS Key Management Service (KMS) customer master key (CMK) for this encryption instead. Using a CMK has several limitations:
- If you revoke CloudWatch Logs' access to an associated CMK, or delete that CMK, the data encrypted under it in CloudWatch Logs can no longer be retrieved.
- You cannot associate a CMK with a log group using the CloudWatch console.
Fix - Buildtime
Terraform
- Resource: aws_cloudwatch_log_group
- Argument: kms_key_id
Note
The ARN of the KMS key resource should be used as the value, not a bare key ID or alias.
resource "aws_cloudwatch_log_group" "pass" {
...
+ kms_key_id = "someKey"
}
CloudFormation
- Resource: AWS::Logs::LogGroup
- Argument: Properties.KmsKeyId
Type: AWS::Logs::LogGroup
Properties:
...
+ KmsKeyId: "someKey"
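The following is an added example, not Checkov's or Bridgecrew's own code: a minimal re-implementation of this check's logic for a CloudFormation template, which flags every AWS::Logs::LogGroup that lacks Properties.KmsKeyId and, following the note above, also flags a KmsKeyId that is not a full KMS key ARN (including a Ref to the key, which resolves to the key ID). The sample template, account number and key IDs are constructed placeholders.

```python
import json
import re

# Full KMS key ARN; the fix note above requires the ARN, not a bare key ID or alias.
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def check_log_group(resource):
    """Return (passed, reason) for one AWS::Logs::LogGroup, or None if out of scope."""
    if resource.get("Type") != "AWS::Logs::LogGroup":
        return None
    key = (resource.get("Properties") or {}).get("KmsKeyId")
    if not key:
        return (False, "no KmsKeyId: log group uses the default CloudWatch Logs key")
    if isinstance(key, dict) and "Fn::GetAtt" in key:
        target = key["Fn::GetAtt"]  # ["LogicalId", "Arn"] in JSON, "LogicalId.Arn" in short form
        attr = target[1] if isinstance(target, list) else str(target).split(".")[-1]
        if attr == "Arn":
            return (True, "KmsKeyId taken from a KMS key's Arn attribute")
        return (False, "Fn::GetAtt does not resolve to the key ARN")
    if isinstance(key, dict):
        # Ref on an AWS::KMS::Key returns the key ID, not the ARN; other intrinsics are unverifiable.
        return (False, "KmsKeyId intrinsic cannot be confirmed to be a key ARN (Ref yields a key ID)")
    if not KMS_KEY_ARN.match(str(key)):
        return (False, "KmsKeyId is not a full KMS key ARN")
    return (True, "encrypted with a customer managed KMS key")

def scan_template(template):
    """Map every log group's logical ID to its (passed, reason) result."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        outcome = check_log_group(res)
        if outcome is not None:
            results[logical_id] = outcome
    return results

# Constructed sample template (CloudFormation JSON form); account and key IDs are placeholders.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "LogsKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": true}},
    "Unencrypted": {"Type": "AWS::Logs::LogGroup", "Properties": {"LogGroupName": "/app/a"}},
    "KeyIdOnly": {"Type": "AWS::Logs::LogGroup", "Properties": {"KmsKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    "ByRef": {"Type": "AWS::Logs::LogGroup", "Properties": {"KmsKeyId": {"Ref": "LogsKey"}}},
    "ByArn": {"Type": "AWS::Logs::LogGroup", "Properties": {"KmsKeyId": {"Fn::GetAtt": ["LogsKey", "Arn"]}}},
    "Literal": {"Type": "AWS::Logs::LogGroup", "Properties": {"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}
  }
}""")

if __name__ == "__main__":
    for name, (ok, why) in scan_template(SAMPLE_TEMPLATE).items():
        print(("PASSED " if ok else "FAILED ") + name + ": " + why)
```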