MemoryDB snapshot is not encrypted by KMS using a customer managed Key (CMK)
Description
This policy checks whether MemoryDB snapshots are encrypted by KMS using a Customer Managed Key (CMK). MemoryDB snapshots store data from your in-memory databases, which may contain sensitive information. If a snapshot is not encrypted, the data it holds is exposed to unauthorized access if the snapshot is copied, shared, or otherwise leaked. The AWS Key Management Service (KMS) provides a way to encrypt this data; specifically, the snapshot should use a Customer Managed Key (CMK), which gives you control over the key policy, rotation, and revocation of access to the encrypted data.
Code Example

```hcl
resource "aws_memorydb_snapshot" "pass" {
  cluster_name = "sato"
  name         = "pike"
  kms_key_arn  = aws_kms_key.example.arn
}
```

Remediation
Terraform
- Resource: aws_memorydb_snapshot
- Arguments: kms_key_arn
To fix this issue, ensure that MemoryDB snapshots are encrypted using a KMS customer managed key by setting the `kms_key_arn` argument on the `aws_memorydb_snapshot` resource to the ARN of your customer managed key, as in the code example above.
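Because the rule also runs against the TerraformPlan framework, the following is an added example (not Checkov's implementation of CKV_AWS_278) of how the same condition can be evaluated over a plan file. It assumes the JSON structure emitted by `terraform show -json`, where each entry in `resource_changes` carries `change.after` for known values and `change.after_unknown` for values resolved at apply time; the plan below is constructed inline for the example. A snapshot that references a KMS key created in the same plan has an unknown `kms_key_arn` at plan time, so the check treats "known after apply" as set rather than reporting a false positive.

```python
"""Flag aws_memorydb_snapshot resources in a Terraform plan that set no kms_key_arn.

Added example, not Checkov's code. Input format assumed: `terraform show -json`.
"""
import json

RULE_ID = "IAC-0326"  # rule id from the policy table above

# Constructed sample plan: "pass" references a KMS key created in the same
# plan (ARN unknown until apply), "fail" sets no key, "old" is being deleted.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_memorydb_snapshot.pass",
            "type": "aws_memorydb_snapshot",
            "name": "pass",
            "change": {
                "actions": ["create"],
                "after": {"cluster_name": "sato", "name": "pike"},
                "after_unknown": {"kms_key_arn": True, "arn": True},
            },
        },
        {
            "address": "aws_memorydb_snapshot.fail",
            "type": "aws_memorydb_snapshot",
            "name": "fail",
            "change": {
                "actions": ["create"],
                "after": {"cluster_name": "sato", "name": "pike-unencrypted"},
                "after_unknown": {"arn": True},
            },
        },
        {
            "address": "aws_memorydb_snapshot.old",
            "type": "aws_memorydb_snapshot",
            "name": "old",
            "change": {"actions": ["delete"], "after": None, "after_unknown": {}},
        },
    ],
})


def snapshot_has_kms_key(change):
    """True if kms_key_arn is a known non-empty value or will be known after apply."""
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    if after.get("kms_key_arn"):
        return True
    # A reference such as aws_kms_key.example.arn is unresolved at plan time.
    return unknown.get("kms_key_arn") is True


def find_unencrypted_snapshots(plan_json):
    """Return one finding per MemoryDB snapshot that is created/updated without a KMS key."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_memorydb_snapshot":
            continue
        change = rc.get("change", {})
        if change.get("after") is None:
            continue  # resource is being destroyed; nothing left to encrypt
        if not snapshot_has_kms_key(change):
            findings.append({
                "rule": RULE_ID,
                "severity": "HIGH",
                "address": rc["address"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_unencrypted_snapshots(SAMPLE_PLAN):
        print(f"{finding['rule']} {finding['severity']}: "
              f"{finding['address']} has no kms_key_arn set")
```

Run it as `python check_memorydb_snapshot.py` against the embedded sample, or replace `SAMPLE_PLAN` with the contents of a real plan file. Note the limit of a plan-time check: it can confirm that a key ARN was supplied, but it cannot tell whether that ARN belongs to a customer managed key or an AWS managed key, so the CMK requirement itself should also be enforced by key policy or a separate review of the referenced key.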
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0326 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_278 |