AWS FSx for ONTAP file system not encrypted using a Customer Managed Key
Description
This is a simple check to ensure that an FSx for ONTAP file system uses an AWS Key Management Service (KMS) key that you manage to encrypt its contents, rather than the default AWS managed key. To resolve, add the ARN of your KMS key to the resource, or link the key when creating the cluster.
Code Example
```hcl
resource "aws_fsx_ontap_file_system" "test" {
  storage_capacity    = 1024
  subnet_ids          = [aws_subnet.test1.id, aws_subnet.test2.id]
  deployment_type     = "MULTI_AZ_1"
  throughput_capacity = 512
  preferred_subnet_id = aws_subnet.test1.id
  kms_key_id          = "ckv_kms" # add this line: ARN of the customer managed KMS key
}
```
Remediation
Terraform
- Resource: aws_fsx_ontap_file_system
- Attribute: `kms_key_id` (Optional)
ARN for the KMS Key to encrypt the file system at rest. Defaults to an AWS managed KMS Key.
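The following is an added example, not part of the original page or of Checkov itself: a standard-library-only Python script that re-implements the logic of this rule over a constructed Terraform snippet. It parses top-level `resource` blocks with a small brace-depth scanner (nested blocks such as `disk_iops_configuration` are skipped), then reports every `aws_fsx_ontap_file_system` resource as PASSED or FAILED depending on whether `kms_key_id` is set. The resource names `unencrypted` and `encrypted`, the `aws_kms_key.fsx` reference, and the comment-stripping behaviour are assumptions for the demonstration.

```python
"""Minimal re-implementation of the kms_key_id check (CKV_AWS_178 logic)
over a constructed Terraform snippet. Standard library only; the HCL
parsing is deliberately small and handles top-level attributes and
nested blocks by brace depth, not full HCL syntax."""
import re
from typing import Dict, List, Tuple

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')

# Constructed sample: one resource without kms_key_id (should FAIL) and one
# referencing a customer managed key (should PASS). aws_kms_key.fsx is assumed.
SAMPLE_TF = """
resource "aws_fsx_ontap_file_system" "unencrypted" {
  storage_capacity    = 1024
  subnet_ids          = [aws_subnet.a.id, aws_subnet.b.id]
  deployment_type     = "MULTI_AZ_1"
  throughput_capacity = 512
  preferred_subnet_id = aws_subnet.a.id
  disk_iops_configuration {
    mode = "AUTOMATIC"   # nested block: must not be mistaken for a top-level attribute
  }
}

resource "aws_fsx_ontap_file_system" "encrypted" {
  storage_capacity    = 1024
  subnet_ids          = [aws_subnet.a.id, aws_subnet.b.id]
  deployment_type     = "MULTI_AZ_1"
  throughput_capacity = 512
  preferred_subnet_id = aws_subnet.a.id
  kms_key_id          = aws_kms_key.fsx.arn  # customer managed key
}
"""


def parse_resources(hcl: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (type, name, top-level attributes) for each resource block.

    Only attributes at depth 1 are recorded; anything inside a nested block
    is ignored. '#' comments are stripped naively (no '#' inside strings)."""
    resources: List[Tuple[str, str, Dict[str, str]]] = []
    current = None
    depth = 0
    for raw in hcl.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if current is None:
            m = RESOURCE_RE.match(line)
            if m:
                current = (m.group(1), m.group(2), {})
                depth = 1
            continue
        opens, closes = line.count("{"), line.count("}")
        if depth == 1:
            m = ATTR_RE.match(line)
            if m and opens == 0:  # plain attribute, not the start of a nested block
                current[2][m.group(1)] = m.group(2).strip().strip('"')
        depth += opens - closes
        if depth <= 0:  # closing brace of the resource block
            resources.append(current)
            current = None
    return resources


def check_fsx_ontap_kms(resources) -> List[Tuple[str, str]]:
    """Apply the rule: an aws_fsx_ontap_file_system resource PASSES only when
    kms_key_id is present with a non-empty value; otherwise it FAILS because
    the file system falls back to the AWS managed key."""
    results = []
    for rtype, name, attrs in resources:
        if rtype != "aws_fsx_ontap_file_system":
            continue
        has_cmk = bool(attrs.get("kms_key_id", "").strip())
        results.append((name, "PASSED" if has_cmk else "FAILED"))
    return results


if __name__ == "__main__":
    for name, status in check_fsx_ontap_kms(parse_resources(SAMPLE_TF)):
        print(f"aws_fsx_ontap_file_system.{name}: {status}")
```

Running the script prints one line per file system resource; the first resource fails because it relies on the default AWS managed key, the second passes because `kms_key_id` points at a key reference. In a real pipeline the same logic is what Checkov applies through its own HCL parser, so this script is only a readable stand-in for the rule.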
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0227 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_178 |