CloudWatch log group is not encrypted with customer managed key Affecting CloudWatch service in AWS

Snyk CCSS

Keys and Secrets / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CSA-CCM GDPR ISO-27001 NIST-800-53 SOC-2

Snyk ID SNYK-CC-00008
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

CloudWatch log groups are encrypted by default. However, utilizing customer managed KMS keys gives you more control over key rotation and provides auditing visibility into key usage.

How to fix?

Configure the aws_cloudwatch_log_group kms_key_id field with a KMS key ARN specified for encrypting log data.

Example Configuration

resource "aws_cloudwatch_log_group" "example" {
  kms_key_id = "${aws_kms_key.example.arn}"
  # other required fields here
}

References

Encrypt log data in CloudWatch Logs using AWS Key Management Service

CloudWatch log group is not encrypted with customer managed key Affecting CloudWatch service in AWS

Severity

Description

How to fix?

Example Configuration

References