AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK)
Description
This policy detects whether AWS CodeGuru Reviewer repository associations use Customer Managed Key (CMK) for encryption. CMKs empower users with granular control over key management, including policy setting, usage permissions, and detailed monitoring of access and key rotations. Default encryption options may not provide the level of security and compliance required for sensitive environments. Enforcing the use of CMKs for AWS CodeGuru Reviewer repository associations enables organizations to maintain strict access control and auditing, strengthening overall security posture.
Code Example
resource "aws_codegurureviewer_repository_association" "example" {
...
kms_key_details {
+ encryption_option = "CUSTOMER_MANAGED_CMK"
}
}Remediation
Terraform
- Resource: aws_codegurureviewer_repository_association
- Arguments: kms_key_details
To mitigate this issue, ensure that the `encryption_option` parameter in the `kms_key_details` block is set to `CUSTOMER_MANAGED_CMK`. This ensures that a CMK is used for encryption.
Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0428 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, Terraform |
| Checkov ID | CKV_AWS_381 |