AWS MQ Broker is not encrypted by Customer Managed Key (CMK)
Description
This policy identifies MQBrokers which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your MQBroker data. It gives you full control over the encrypted data.
Code Example
text
resource "aws_mq_broker" "pass" {
broker_name = "example"
configuration {
id = aws_mq_configuration.fail.id
revision = aws_mq_configuration.fail.latest_revision
}
engine_type = "ActiveMQ"
engine_version = "5.15.13"
host_instance_type = "mq.t2.micro"
security_groups = [aws_security_group.test.id]
user {
username = "ExampleUser"
password = "MindTheGapps"
}
encryption_options {
use_aws_owned_key = false
kms_key_id = aws_kms_key.example.arn
}
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0257 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_209 |