SSM parameters are not utilizing KMS CMK.
Description
This policy verifies that AWS Systems Manager (SSM) Parameter Store parameters of type SecureString are encrypted with a Key Management Service (KMS) customer managed key (CMK) rather than the default AWS-managed key (alias/aws/ssm). SecureString values are always encrypted by KMS, but under the default key every SecureString parameter in the account shares one key whose key policy you cannot edit, so access to the plaintext is gated by IAM permissions on SSM alone. A customer managed key adds a second control point: its key policy decides which principals and which services may decrypt, you control rotation and deletion, and key use is visible as separate KMS events in CloudTrail. Parameters that fail this policy are readable by any principal in the account with ssm:GetParameter rights, which widens the blast radius of a compromised role and may not satisfy data-protection requirements that call for customer-controlled keys. Parameters of type String or StringList are not encrypted at all and are outside the scope of this policy.
Code Example
resource "aws_ssm_parameter" "example" {
  name   = "example"
  type   = "SecureString"
  value  = "example_value"
  key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
}
Remediation
Terraform
- Resource: aws_ssm_parameter
- Arguments: key_id
To fix the issue, set key_id on every aws_ssm_parameter of type SecureString to a KMS customer managed key you own (a key ID, key ARN or alias). When key_id is omitted, the parameter is encrypted under the AWS-managed key alias/aws/ssm, which is shared by every SecureString parameter in the account and whose key policy cannot be changed; pointing key_id at alias/aws/ssm therefore does not meet the intent of the policy. A customer managed key gives you control over who can use the key and from which service (key policy, grants, and conditions such as kms:ViaService), lets you enable automatic rotation and set a deletion window, and produces separate CloudTrail events for key use. Note that key_id only governs encryption at rest in Parameter Store: the plaintext value is still written to Terraform state, so the state backend needs its own protection (encrypted, access-restricted storage).
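The following is an added example, not code from the policy page, showing the failing shape next to a full remediation: a dedicated customer managed key with rotation and a restrictive key policy, an alias, and the SecureString parameter referencing the key. The resource names, parameter paths, the variables (db_password, app_role_arn, region) and the application role are placeholders chosen for illustration.

```hcl
# Added example for this policy; not part of the original page.
# Names, paths and variables below are illustrative placeholders.

data "aws_caller_identity" "current" {}

variable "db_password" {
  type      = string
  sensitive = true
}
variable "app_role_arn" { type = string } # IAM role allowed to read the parameter
variable "region" { type = string }       # e.g. "us-east-1"

# NON-COMPLIANT: SecureString with no key_id falls back to the AWS-managed
# key alias/aws/ssm. Any principal with ssm:GetParameter in the account can
# read the plaintext; the key policy cannot be tightened. Kept here only to
# show the failing shape (different path so it does not clash with the
# compliant parameter below).
resource "aws_ssm_parameter" "db_password_noncompliant" {
  name  = "/app/legacy/db_password"
  type  = "SecureString"
  value = var.db_password
}

# Customer managed key dedicated to SSM SecureString parameters.
resource "aws_kms_key" "ssm_params" {
  description             = "CMK for SSM SecureString parameters"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account root keeps administrative control so the key cannot be orphaned.
        Sid       = "AllowKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Only the application role may decrypt, and only when the call is
        # made on its behalf by SSM in this region (kms:ViaService). Direct
        # kms:Decrypt calls from the role outside SSM are denied by omission.
        Sid       = "AllowAppRoleDecryptViaSSM"
        Effect    = "Allow"
        Principal = { AWS = var.app_role_arn }
        Action    = ["kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
        Condition = {
          StringEquals = { "kms:ViaService" = "ssm.${var.region}.amazonaws.com" }
        }
      }
    ]
  })
}

# Friendly alias; do NOT use alias/aws/ssm, that is the AWS-managed key.
resource "aws_kms_alias" "ssm_params" {
  name          = "alias/app-ssm-params"
  target_key_id = aws_kms_key.ssm_params.key_id
}

# COMPLIANT: SecureString encrypted under the customer managed key.
resource "aws_ssm_parameter" "db_password" {
  name   = "/app/db/password"
  type   = "SecureString"
  value  = var.db_password
  key_id = aws_kms_key.ssm_params.arn
}
```

Running checkov on this configuration reports CKV_AWS_337 as failed for aws_ssm_parameter.db_password_noncompliant and passed for aws_ssm_parameter.db_password. The key policy is the part that actually delivers the extra protection: a role that has ssm:GetParameter but is not listed in the key policy gets an AccessDeniedException on the KMS decrypt, and the kms:ViaService condition stops the same role from calling kms:Decrypt directly on ciphertext it may have obtained elsewhere. Remove the non-compliant resource before applying in a real account.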
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0384 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_337 |