AWS FSx for OpenZFS file system is not encrypted by AWS Key Management Service (KMS) using a Customer Managed Key (CMK)
Description
This policy identifies FSx for OpenZFS file systems that are encrypted with the default AWS managed KMS key (aws/fsx) rather than with a customer managed key. FSx for OpenZFS always encrypts data at rest; what a customer managed key changes is who controls the key. With a CMK you own the key policy and grants, can enable key rotation, can disable or schedule deletion of the key to cut off access to the data, and can audit every use of the key in CloudTrail. It is a best practice to set kms_key_id to a customer managed key when the file system is created: the Terraform provider treats the argument as forcing a new resource, so adding it later means recreating the file system and migrating its data.
Code Example
```hcl
resource "aws_fsx_openzfs_file_system" "pass" {
  storage_capacity                = var.file_system.storage_capacity
  subnet_ids                      = var.subnet_ids
  deployment_type                 = var.file_system.deployment_type
  throughput_capacity             = var.file_system.throughput_capacity
  kms_key_id                      = var.kms_key_id # customer managed key; this argument is what the policy checks
  automatic_backup_retention_days = 0              # disables automatic backups; flagged by a separate check, not this one
}
```
Remediation
Terraform
- Resource: aws_fsx_openzfs_file_system
- Arguments: kms_key_id
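The following is an added example, not code from the policy page or from Checkov, showing a failing and a passing file system side by side together with the customer managed key the passing one uses. The resource names, the 64 GiB / 64 MBps sizing, the alias name and the subnet_id variable are illustrative assumptions.

```hcl
# Added example (not from the policy page). Names, sizes and the
# subnet_id variable are assumptions chosen for illustration.

variable "subnet_id" {
  type = string
}

# FAIL: kms_key_id is omitted, so FSx falls back to the AWS managed key aws/fsx.
# Data is still encrypted at rest, but the key policy, rotation and
# deletion are outside your control.
resource "aws_fsx_openzfs_file_system" "default_key" {
  storage_capacity    = 64
  subnet_ids          = [var.subnet_id]
  deployment_type     = "SINGLE_AZ_1"
  throughput_capacity = 64
}

# PASS: a customer managed key with automatic rotation enabled and a
# deletion window long enough to catch an accidental schedule-deletion.
resource "aws_kms_key" "fsx" {
  description             = "CMK for FSx for OpenZFS data at rest"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "fsx" {
  name          = "alias/fsx-openzfs"
  target_key_id = aws_kms_key.fsx.key_id
}

resource "aws_fsx_openzfs_file_system" "customer_key" {
  storage_capacity    = 64
  subnet_ids          = [var.subnet_id]
  deployment_type     = "SINGLE_AZ_1"
  throughput_capacity = 64
  # Reference the key by ARN; a key in another account can only be
  # referenced by its full ARN, and the ARN is unambiguous across regions.
  kms_key_id = aws_kms_key.fsx.arn
}
```

Running `checkov -d . --check CKV_AWS_203` against a directory containing this file reports `aws_fsx_openzfs_file_system.default_key` as FAILED and `aws_fsx_openzfs_file_system.customer_key` as PASSED. Because kms_key_id forces replacement, decide on the key before the first apply; moving an existing file system to a CMK means creating a new file system and restoring or copying the data into it.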
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0251 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_203 |