AWS EBS Volume is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Description
This policy identifies Elastic File Systems (EFSs) which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your EFS data. It gives you full control over the encrypted data.
Code Example
go
resource "aws_ebs_volume" "pass" {
availability_zone = data.aws_availability_zones.available.names[0]
size = 1
encrypted = true
kms_key_id = aws_kms_key.test.arn
tags = {
Name = "taggy"
}
}Remediation
Terraform
- Resources: aws_ebs_volume
- Arguments: kms_key_id
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0260 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_212 |