CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
Log group data is always encrypted in CloudWatch Logs. Developers can optionally use an AWS Key Management Service (KMS) customer managed key (CMK) for this encryption. This approach has several limitations:
- If you revoke CloudWatch Logs access to an associated CMK or delete an associated CMK, your encrypted data in CloudWatch Logs can no longer be retrieved.
- You cannot associate a CMK with a log group using the CloudWatch console.
Fix - Buildtime
Terraform
- Resource: aws_cloudwatch_log_group
- Argument: kms_key_id
📘 Note
The CMK's ARN should be used (for example arn:aws:kms:<region>:<account-id>:key/<key-id>), not its key ID or alias.
resource "aws_cloudwatch_log_group" "pass" {
+ kms_key_id = "someKey"
}
CloudFormation
- Resource: AWS::Logs::LogGroup
- Argument: Properties.KmsKeyId
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
+     KmsKeyId: "someKey"
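Setting kms_key_id (or KmsKeyId) on its own is not enough: the CMK's key policy must allow the CloudWatch Logs service principal to use the key, otherwise the association is rejected. The following Terraform configuration is an added example, not code from the policy page or from Checkov; it covers both the Terraform and the CloudFormation fix above and assumes placeholder names ("app_logs", "logs_cmk", the log group name "/app/example") and the AWS provider's aws_caller_identity and aws_region data sources.

```hcl
# Added example (not part of the original policy page): a CloudWatch log group
# encrypted with a customer managed KMS key whose key policy lets the
# CloudWatch Logs service principal use it. "app_logs", "logs_cmk" and
# "/app/example" are assumed placeholder names.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  log_group_name = "/app/example"
  log_group_arn  = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_name}"
}

data "aws_iam_policy_document" "logs_cmk" {
  # Keep the account able to administer the key so it cannot become unmanageable.
  statement {
    sid       = "AllowKeyAdministrationByAccount"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Without this statement CloudWatch Logs cannot use the key and the
  # association fails. The condition scopes the grant to this one log group
  # via the encryption context CloudWatch Logs supplies.
  statement {
    sid = "AllowCloudWatchLogsUseOfTheKey"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = [local.log_group_arn]
    }
  }
}

resource "aws_kms_key" "logs_cmk" {
  description         = "CMK for CloudWatch Logs log group ${local.log_group_name}"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.logs_cmk.json
}

resource "aws_cloudwatch_log_group" "app_logs" {
  name              = local.log_group_name
  retention_in_days = 90
  # Pass the key ARN, as the note above requires, not a key ID or alias.
  kms_key_id        = aws_kms_key.logs_cmk.arn
}
```

The same key policy applies to the CloudFormation variant: create the AWS::KMS::Key with this policy document and reference its ARN from KmsKeyId. Keep the first limitation on this page in mind when changing the policy later: removing the CloudWatch Logs statement or deleting the key makes data already written to the log group unreadable, so treat that statement as part of the log group's availability, not just its confidentiality.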