
Session Manager data is not encrypted in transit

Description

This policy identifies AWS RDS DB (Relational Database Service Database) cluster snapshots which are not encrypted. It is highly recommended to implement encryption at rest when you are working with production data that has sensitive information, to protect it from unauthorized access.

Code Example

```hcl
resource "aws_ssm_document" "enabled" {
  name          = "SSM-SessionManagerRunShell"
  document_type = "Session"

  content = <<DOC
  {
    ...
    "inputs": {
      ...
      "s3EncryptionEnabled": true,
   +  "kmsKeyId": "${var.kms_key_id}",
      "runAsEnabled": false,
      ...
    }
  }
DOC
}
```

Remediation

Terraform

  • Resource: aws_ssm_document
  • Arguments: kmsKeyId
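
As an added example (not code from the page or from Checkov), a small Python check that applies the rule above to an aws_ssm_document's content: a Session document passes only when inputs.kmsKeyId is set. The two sample documents are constructed, and the "${var.kms_key_id}" handling assumes the scan runs over the raw Terraform source where the interpolation is not yet resolved.

```python
import json

# Constructed sample: Session Manager preferences that ship session logs to
# S3 but name no KMS key, so the session stream itself is not KMS-encrypted
# in transit (the condition this policy flags).
UNENCRYPTED_DOC = json.dumps({
    "schemaVersion": "1.0",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "example-session-logs",
        "s3EncryptionEnabled": True,
        "runAsEnabled": False,
    },
})

# The same document after the remediation: kmsKeyId is set. In the .tf file
# it is a Terraform interpolation, so a static scan sees the "${...}" text.
ENCRYPTED_DOC = json.dumps({
    "schemaVersion": "1.0",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "example-session-logs",
        "s3EncryptionEnabled": True,
        "kmsKeyId": "${var.kms_key_id}",
        "runAsEnabled": False,
    },
})


def check_session_document(content: str, document_type: str) -> "tuple[bool, str]":
    """Return (passed, reason) for one aws_ssm_document.

    Only document_type "Session" holds Session Manager preferences, so other
    types are out of scope and pass. A Session document passes only when
    inputs.kmsKeyId is a non-empty string; an unresolved reference such as
    "${var.kms_key_id}" counts as set, since it is resolved at plan time.
    """
    if document_type != "Session":
        return True, "not a Session document; check not applicable"
    try:
        doc = json.loads(content)
    except json.JSONDecodeError as exc:
        return False, f"content is not valid JSON: {exc.msg}"
    inputs = doc.get("inputs") if isinstance(doc, dict) else None
    if not isinstance(inputs, dict):
        return False, "document has no inputs block"
    key_id = inputs.get("kmsKeyId")
    if not isinstance(key_id, str) or not key_id.strip():
        return False, "inputs.kmsKeyId is missing or empty"
    return True, f"inputs.kmsKeyId is set ({key_id})"
```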

Rule Details

Field         Value
ID            IAC-0165
Severity      MEDIUM
IaC Type      Terraform
Frameworks    Terraform, TerraformPlan
Checkov ID    CKV_AWS_112

References