Bedrock Agent not encrypted with Customer Master Key (CMK)
Description
This policy checks whether the AWS Bedrock Agent is encrypted with a Customer Master Key (CMK) rather than the default encryption. Using a CMK gives you greater control over key management and reduces the risk of unauthorized access, thereby improving the security of the data the Bedrock Agent handles.
Code Example
```hcl
resource "aws_bedrockagent_agent" "bedrock_agent_with_kms_key" {
  ...
  # Added argument: encrypt the agent's data with a customer-managed KMS key
  customer_encryption_key_arn = aws_kms_key.example.arn
}
```
Remediation
Terraform
- Resource: aws_bedrockagent_agent
- Arguments: customer_encryption_key_arn
Encrypt the Bedrock Agent using a Customer Master Key by setting the `customer_encryption_key_arn` parameter in your configuration file.
In this Terraform framework example, the `customer_encryption_key_arn` parameter is added to the Bedrock Agent resource configuration, enabling the use of a Customer Master Key (CMK) for encryption.
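The following is an added example of how this check can be applied to a Terraform plan; it is not Checkov's implementation of CKV_AWS_373, and the plan data it scans is constructed. It walks the `resource_changes` list of `terraform show -json` output, fails agents whose `customer_encryption_key_arn` is missing, empty or not a KMS key ARN, and treats an ARN that is only known at apply time (a reference such as `aws_kms_key.example.arn`) as compliant.

```python
"""Flag aws_bedrockagent_agent resources that lack a customer-managed KMS key.

Added example, not Checkov's implementation of CKV_AWS_373. Input is the JSON
from `terraform show -json <planfile>`; an agent fails when its
customer_encryption_key_arn is absent, empty or not a KMS key ARN. An ARN known
only at apply time (e.g. aws_kms_key.example.arn) is in `after_unknown`, not
`after`, and is treated as compliant. The sample plan below is constructed.
"""
RULE_ID, CHECKOV_ID, SEVERITY = "IAC-0420", "CKV_AWS_373", "MEDIUM"
RESOURCE_TYPE = "aws_bedrockagent_agent"
ARGUMENT = "customer_encryption_key_arn"


def is_cmk_arn(value):
    """True only for a non-empty string shaped like a KMS key ARN."""
    return (isinstance(value, str) and value.startswith("arn:")
            and ":kms:" in value and ":key/" in value)


def check_plan(plan):
    """Return one finding per non-compliant agent in a Terraform plan JSON."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # being destroyed; nothing left to encrypt
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if unknown.get(ARGUMENT) is True or is_cmk_arn(after.get(ARGUMENT)):
            continue  # CMK set literally, or resolved at apply time
        findings.append({"rule": RULE_ID, "checkov_id": CHECKOV_ID, "severity": SEVERITY,
                         "address": rc["address"], "value": after.get(ARGUMENT)})
    return findings


def _agent(name, after, unknown=()):
    """Build one constructed resource_changes entry for the sample plan."""
    return {"address": f"{RESOURCE_TYPE}.{name}", "type": RESOURCE_TYPE,
            "change": {"actions": ["create"], "after": {"agent_name": name, **after},
                       "after_unknown": {"id": True, **{k: True for k in unknown}}}}


CMK = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    _agent("default_encryption", {}),                 # argument missing -> FAIL
    _agent("empty_arn", {ARGUMENT: ""}),              # empty string -> FAIL
    _agent("cmk_literal", {ARGUMENT: CMK}),           # literal KMS ARN -> PASS
    _agent("cmk_reference", {}, unknown=[ARGUMENT]),  # aws_kms_key.example.arn -> PASS
]}
```

Running `check_plan(SAMPLE_PLAN)` reports the first two agents and passes the two that carry a CMK, whether as a literal ARN or as a reference resolved at apply time.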
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0420 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_373 |