The DMS S3 does not use a Customer Managed Key (CMK)
Description
This policy checks that each AWS Database Migration Service (DMS) S3 endpoint is configured with a Customer Managed Key (CMK) for encryption, that is, that its kms_key_arn argument points at a KMS key you own. When no key is specified, DMS falls back to the AWS managed default key. An AWS managed key gives you less control than a CMK: you cannot edit its key policy, cannot disable it, and cannot scope its use to specific principals, so you lose the ability to restrict and audit who can decrypt the endpoint's data. Leaving a DMS S3 endpoint on the default key therefore weakens the access controls around the migrated data.
Code Example
```hcl
resource "aws_dms_s3_endpoint" "test_dms_endpoint_s3" {
+ kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
  ...
}
```
Remediation
Terraform
- Resource: aws_dms_s3_endpoint
- Arguments: kms_key_arn
To fix this issue, set the "kms_key_arn" argument in the aws_dms_s3_endpoint resource to the ARN of a customer managed KMS key in the same account and region. Two caveats: the check only verifies that the argument is present, so point it at a key you manage rather than an AWS managed "aws/" key; and kms_key_arn covers the endpoint's stored connection parameters, not the object files DMS writes to the bucket. To encrypt those files with a CMK as well, also set encryption_mode = "SSE_KMS" together with server_side_encryption_kms_key_id, and grant the endpoint's service access role kms permissions on that key, otherwise the migration task fails when it tries to write.
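The following is an added example, not code from the original page or from Checkov, showing a complete DMS S3 target endpoint that satisfies this rule and goes one step further by encrypting the written object files with the same customer managed key and granting the service role least-privilege access to it. The bucket name, endpoint id, role name and alias are placeholders.

```hcl
# Added example (not from the original page): DMS S3 target endpoint whose
# connection parameters and written objects are both encrypted with a CMK.
# Bucket name, endpoint id, role name and alias below are placeholders.

resource "aws_kms_key" "dms_s3" {
  description             = "CMK for DMS S3 endpoint settings and object files"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "dms_s3" {
  name          = "alias/dms-s3-target" # placeholder
  target_key_id = aws_kms_key.dms_s3.key_id
}

# Role that DMS assumes when it writes to the bucket.
data "aws_iam_policy_document" "dms_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["dms.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "dms_s3_access" {
  name               = "dms-s3-target-access" # placeholder
  assume_role_policy = data.aws_iam_policy_document.dms_assume.json
}

# Least privilege: the target bucket, its objects, and only the CMK above.
data "aws_iam_policy_document" "dms_s3_access" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-dms-target-bucket"] # placeholder
  }
  statement {
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::example-dms-target-bucket/*"] # placeholder
  }
  statement {
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:GenerateDataKey",
      "kms:DescribeKey",
    ]
    resources = [aws_kms_key.dms_s3.arn]
  }
}

resource "aws_iam_role_policy" "dms_s3_access" {
  name   = "dms-s3-target-access"
  role   = aws_iam_role.dms_s3_access.id
  policy = data.aws_iam_policy_document.dms_s3_access.json
}

resource "aws_dms_s3_endpoint" "target" {
  endpoint_id             = "dms-s3-target" # placeholder
  endpoint_type           = "target"
  bucket_name             = "example-dms-target-bucket" # placeholder
  service_access_role_arn = aws_iam_role.dms_s3_access.arn

  # What CKV_AWS_298 looks for: the endpoint's stored connection
  # parameters are encrypted under a key you control.
  kms_key_arn = aws_kms_key.dms_s3.arn

  # Separate setting: the .csv/.parquet files DMS writes to the bucket are
  # also encrypted with the CMK instead of the S3-managed default (SSE_S3).
  encryption_mode                   = "SSE_KMS"
  server_side_encryption_kms_key_id = aws_kms_key.dms_s3.arn
}
```

Removing the kms_key_arn line from the endpoint resource is enough to make `checkov -d . --check CKV_AWS_298` report a failure again, which is a quick way to confirm the rule is active in your pipeline.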
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0346 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_298 |