CloudWatch Log Group Without KMS

  • Query id: 0afbcfe9-d341-4b92-a64c-7e6de0543879
  • Query name: CloudWatch Log Group Without KMS
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

AWS CloudWatch Log groups should be encrypted using KMS
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_cloudwatch_log_group" "negative1" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }

  retention_in_days = 1
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_cloudwatch_log_group" "negative1" {
  name = "Yada"

  tags = {
    Environment = "production"
    Application = "serviceA"
  }

  retention_in_days = 1
  kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}