AWS lustre file system not configured with CMK key
Description
Amazon FSx for Lustre uses a KMS key, either the AWS managed key for Amazon FSx or a custom KMS key, to encrypt and decrypt file system data. All scratch FSx for Lustre file systems are encrypted at rest with keys managed by the service. Data is encrypted using an XTS-AES-256 block cipher. Data is automatically encrypted before being written to the file system, and is automatically decrypted as it is read. The keys used to encrypt scratch file systems at-rest are unique per file system and destroyed after the file system is deleted. For persistent file systems, you choose the KMS key used to encrypt and decrypt data, either the AWS managed key for Amazon FSx or a custom KMS key. You specify which key to use when you create a persistent file system. You can enable, disable, or revoke grants on this KMS key.
Code Example
resource "aws_fsx_windows_file_system" "example" {
active_directory_id = aws_directory_service_directory.example.id
kms_key_id = aws_kms_key.example.arn
storage_capacity = 300
subnet_ids = [aws_subnet.example.id]
throughput_capacity = 1024
}Remediation
Terraform
- Resource: aws_fsx_windows_file_system
- Arguments: kms_key_id
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0238 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_190 |