AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)
Description
This policy identifies CodePipeline artifact stores that are encrypted with the default AWS-managed KMS key rather than with a customer-managed key (CMK). Artifacts in the store are encrypted either way; the difference is control. With a CMK you own the key policy (who may decrypt build artifacts, including roles in other accounts), you control rotation, you can disable or schedule deletion of the key to revoke access, and every use of the key is recorded in CloudTrail. The AWS-managed key offers none of that, and a CMK is also required for cross-account pipeline actions. Encrypting the artifact store with a customer-managed KMS key is therefore the recommended configuration.
Code Example
```hcl
resource "aws_codepipeline" "pass" {
  name     = "tf-test-pipeline"
  role_arn = aws_iam_role.codepipeline_role.arn

  artifact_store {
    location = aws_s3_bucket.codepipeline_bucket.bucket
    type     = "S3"

    # Customer-managed key. Without this block CodePipeline falls back to the
    # AWS-managed S3 key, which this policy flags. The id may be a key ID,
    # key ARN or alias ARN.
    encryption_key {
      id   = data.aws_kms_alias.s3kmskey.arn
      type = "KMS"
    }
  }

  # The resource also requires at least two stage blocks (Source, Build, ...),
  # omitted here because they do not affect this check.
}
```
Remediation
Resource: aws_codepipeline
Arguments: encryption_key
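The failing configuration beside the passing one, together with the IAM grant the pipeline role needs on the key. This is an added example and not code from the policy page; the bucket `artifacts`, the role `codepipeline_role`, the source bucket `source` and the CodeBuild project `build` are hypothetical names assumed for the example.

```hcl
# Added example (not from the policy page). The bucket, role, source bucket
# and CodeBuild project referenced below are hypothetical.

# Customer-managed key for the artifact store. Rotation and the key policy
# are under your control; the AWS-managed aws/s3 key offers neither.
resource "aws_kms_key" "artifacts" {
  description             = "CodePipeline artifact store key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "artifacts" {
  name          = "alias/codepipeline-artifacts"
  target_key_id = aws_kms_key.artifacts.key_id
}

# The pipeline role must be allowed to use the CMK, or every artifact
# upload/download fails at runtime once the store is switched to it. The
# default key policy delegates to IAM, so an IAM policy on the role suffices;
# a restrictive key policy must list the role explicitly instead.
resource "aws_iam_role_policy" "pipeline_kms" {
  role = aws_iam_role.codepipeline_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
      Resource = aws_kms_key.artifacts.arn
    }]
  })
}

# FAIL (CKV_AWS_219): no encryption_key block, so CodePipeline encrypts the
# artifact store with the AWS-managed S3 key.
resource "aws_codepipeline" "fail" {
  name     = "pipeline-default-key"
  role_arn = aws_iam_role.codepipeline_role.arn

  artifact_store {
    location = aws_s3_bucket.artifacts.bucket
    type     = "S3"
  }

  # stage blocks identical to those in aws_codepipeline.pass below
}

# PASS: the artifact store is encrypted with the customer-managed key above.
resource "aws_codepipeline" "pass" {
  name     = "pipeline-cmk"
  role_arn = aws_iam_role.codepipeline_role.arn

  artifact_store {
    location = aws_s3_bucket.artifacts.bucket
    type     = "S3"

    encryption_key {
      id   = aws_kms_key.artifacts.arn
      type = "KMS"
    }
  }

  stage {
    name = "Source"
    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "S3"
      version          = "1"
      output_artifacts = ["source"]
      configuration = {
        S3Bucket    = aws_s3_bucket.source.bucket
        S3ObjectKey = "app.zip"
      }
    }
  }

  stage {
    name = "Build"
    action {
      name            = "Build"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts = ["source"]
      configuration = {
        ProjectName = aws_codebuild_project.build.name
      }
    }
  }
}
```

Running `checkov -f main.tf --check CKV_AWS_219` against this file reports `aws_codepipeline.fail` as failed and `aws_codepipeline.pass` as passed. Any other principal that reads or writes the artifact bucket, typically the CodeBuild service role, needs the same `kms:Decrypt` and `kms:GenerateDataKey*` permissions on the key, and for cross-account actions the key policy must grant the foreign account's roles directly.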
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0267 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_219 |