
Timestream database is not encrypted with KMS CMK

Description

Timestream encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements. AWS KMS is required for encryption at rest in Timestream. Using a customer managed key in KMS to encrypt your Timestream data is recommended, in order to have more control over the permissions and lifecycle of your keys, including the ability to have them automatically rotated on an annual basis.

Code Example

```hcl
resource "aws_timestreamwrite_database" "test" {
    ...
+ kms_key_id = var.kms_key_id
}
```

Remediation

Terraform

  • Resource: aws_timestreamwrite_database
  • Arguments: kms_key_id
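The following is an added example, not Checkov's own implementation of CKV_AWS_160 and not code from this page: a simplified version of the same check, run over the `configuration` section of a Terraform plan JSON (the output of `terraform show -json tfplan`). That section is used rather than `resource_changes` because an argument the author never wrote is simply absent from `expressions` there, so a missing `kms_key_id` is not confused with one that is only computed at apply time. The plan document, the resource addresses and the module name `telemetry` are constructed sample data, and the way child-module addresses are prefixed is this example's own convention.

```python
"""Simplified re-implementation of the check behind CKV_AWS_160 / IAC-0209.
Added example, not Checkov's code. Reads the `configuration` section of a
Terraform plan JSON and flags every aws_timestreamwrite_database that does
not set kms_key_id to a non-empty literal or to a reference.
"""
import json

RESOURCE_TYPE = "aws_timestreamwrite_database"
ARGUMENT = "kms_key_id"

# Constructed sample plan, trimmed to the parts this check reads (not real output).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "configuration": {
        "root_module": {
            "resources": [
                {   # no kms_key_id at all: the database is not using a customer managed key
                    "address": "aws_timestreamwrite_database.defaults",
                    "type": RESOURCE_TYPE,
                    "expressions": {"database_name": {"constant_value": "metrics"}},
                },
                {   # kms_key_id wired to a variable, as in the remediation above
                    "address": "aws_timestreamwrite_database.cmk",
                    "type": RESOURCE_TYPE,
                    "expressions": {
                        "database_name": {"constant_value": "audit"},
                        "kms_key_id": {"references": ["var.kms_key_id"]},
                    },
                },
                {   # kms_key_id set to an empty literal: treated the same as unset
                    "address": "aws_timestreamwrite_database.blank",
                    "type": RESOURCE_TYPE,
                    "expressions": {"kms_key_id": {"constant_value": ""}},
                },
            ],
            "module_calls": {
                "telemetry": {   # hypothetical child module
                    "module": {
                        "resources": [
                            {   # key referenced from a resource in the same module
                                "address": "aws_timestreamwrite_database.nested",
                                "type": RESOURCE_TYPE,
                                "expressions": {
                                    "kms_key_id": {
                                        "references": ["aws_kms_key.ts.arn", "aws_kms_key.ts"]
                                    }
                                },
                            }
                        ]
                    }
                }
            },
        }
    },
})


def walk_resources(module, prefix=""):
    """Yield (address, resource) for a module and, recursively, its child modules.
    Child-module addresses are prefixed with module.<name>. (this example's convention)."""
    for res in module.get("resources", []):
        yield prefix + res["address"], res
    for name, call in module.get("module_calls", {}).items():
        yield from walk_resources(call.get("module", {}), f"{prefix}module.{name}.")


def has_customer_managed_key(resource):
    """True when kms_key_id is a non-empty literal or any reference (variable, resource, data)."""
    expr = resource.get("expressions", {}).get(ARGUMENT)
    if not expr:
        return False
    if expr.get("references"):
        return True
    return bool(expr.get("constant_value"))


def check_plan(plan_json):
    """Map every Timestream database address in the plan to PASSED or FAILED."""
    plan = json.loads(plan_json)
    root = plan["configuration"]["root_module"]
    return {
        address: "PASSED" if has_customer_managed_key(res) else "FAILED"
        for address, res in walk_resources(root)
        if res.get("type") == RESOURCE_TYPE
    }


if __name__ == "__main__":
    for address, result in check_plan(SAMPLE_PLAN_JSON).items():
        print(f"CKV_AWS_160 {result}: {address}")
```

Running the block reports the `defaults` and `blank` databases as FAILED and the `cmk` and nested databases as PASSED. The check deliberately accepts any reference as a pass: whether the referenced key exists, is a customer managed key rather than an AWS managed one, and has rotation enabled is only knowable from the `aws_kms_key` resource or from the account, which is a separate check.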

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0209 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_160 |

References