AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
Description
CloudWatch Logs always encrypts log group data at rest. Developers can optionally have this encryption use an AWS Key Management Service (KMS) customer managed key (CMK) instead of the default service key.
Using a CMK has the following limitations:
- If you revoke CloudWatch Logs access to an associated CMK or delete an associated CMK, your encrypted data in CloudWatch Logs can no longer be retrieved.
- You cannot associate a CMK with a log group using the CloudWatch console.
Code Example
```hcl
resource "aws_cloudwatch_log_group" "pass" {
  # ... other arguments ...
  kms_key_id = "someKey"
}
```
Remediation
Terraform
- Resource: aws_cloudwatch_log_group
- Arguments: kms_key_id
NOTE: The value of kms_key_id should be the ARN of the KMS key.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0207 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_158 |