AWS App Flow flow does not use Customer Managed Keys (CMKs)
Description
This policy identifies App Flow flow which are encrypted with default KMS keys and not with Keys managed by Customer. It is a best practice to use customer managed KMS Keys to encrypt your App Flow flow data. It gives you full control over the encrypted data.
Code Example
go
resource "aws_appflow_flow" "pass" {
name = "example"
source_flow_config {
connector_type = "S3"
source_connector_properties {
s3 {
bucket_name = aws_s3_bucket_policy.example_source.bucket
bucket_prefix = "example"
}
}
}
destination_flow_config {
connector_type = "S3"
destination_connector_properties {
s3 {
bucket_name = aws_s3_bucket_policy.example_destination.bucket
s3_output_format_config {
prefix_config {
prefix_type = "PATH"
}
}
}
}
}
task {
source_fields = ["exampleField"]
destination_field = "exampleField"
task_type = "Map"
connector_operator {
s3 = "NO_OP"
}
}
kms_arn = aws_kms_key.example.arn
trigger_config {
trigger_type = "OnDemand"
}
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0311 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_263 |