AWS Doc DB not encrypted using Customer Managed Key
Description
This is a simple check to ensure that the DocDB is using AWS key management - KMS to encrypt its contents. To resolve add the ARN of your KMS or link on creation of the cluster.
Code Example
go
resource "aws_docdb_cluster" "docdb" {
cluster_identifier = "my-docdb-cluster"
engine = "docdb"
master_username = "foo"
master_password = "mustbeeightchars"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
skip_final_snapshot = true
+ kms_key_id = "ckv_kms"
}Remediation
Terraform
- Resource: aws_docdb_cluster
- Arguments: kms_key_id - (Optional) The ARN for the KMS encryption key. When specifying kms_key_id, storage_encrypted needs to be set to true.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0231 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_182 |