Ensure that Timestream database is encrypted with KMS CMK

Error: Timestream database is not encrypted with KMS CMK

Bridgecrew Policy ID: BC_AWS_GENERAL_87
Checkov Check ID: CKV_AWS_160
Severity: MEDIUM

Timestream database is not encrypted with KMS CMK


Timestream encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.
AWS KMS is required for encryption at rest in Timestream. Using a customer managed key in KMS to encrypt your Timestream data is recommended, in order to have more control over the permissions and lifecycle of your keys, including the ability to have them automatically rotated on an annual basis.

Fix - Buildtime


  • Resource: aws_timestreamwrite_database
  • Argument: kms_key_id
resource "aws_timestreamwrite_database" "test" {
+ kms_key_id = var.kms_key_id


  • Resource: AWS::Timestream::Database
  • Argument: Properties.KmsKeyId
Type: AWS::Timestream::Database
+     KmsKeyId: kms-key-id