CloudTrail Event Data Store does not use Customer Managed Keys (CMKs)
Description
This policy checks to ensure that Cloud Trail Event Data Store uses a Customer Master Key (CMK) for encryption. It's crucial for data security because without the CMK, the default key generated by AWS would be used. If this default key is compromised, the security of all data could be endangered. Hence, to provide an extra layer of control and security, it's advisable to use a Customer Master Key for encryption.
Code Example
go
resource "aws_cloudtrail_event_data_store" "pass" {
name = "pike-data-store"
+ kms_key_id = aws_kms_key.example.arn
}Remediation
Terraform
- Resource: aws_cloudtrail_event_data_store
- Arguments: kms_key_id
To fix the issue, a custom CMK needs to be specified for the Cloud Trail Event Data Store. This can be achieved by using the AWS Key Management Service (KMS) to create a new CMK and then specifying its ARN in the `kms_key_id` property in your Cloud Trail configuration in your Terraform file.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0342 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_294 |