Timestream database is not encrypted with KMS CMK
Description
Timestream encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.
AWS KMS is required for encryption at rest in Timestream. Using a customer managed key in KMS to encrypt your Timestream data is recommended, in order to have more control over the permissions and lifecycle of your keys, including the ability to have them automatically rotated on an annual basis.
Fix - Buildtime
## Terraform
- **Resource**: aws_timestreamwrite_database
- **Argument**: kms_key_id

```hcl
resource "aws_timestreamwrite_database" "test" {
  ...
+ kms_key_id = var.kms_key_id
}
```
## CloudFormation
- **Resource**: AWS::Timestream::Database
- **Argument**: Properties.KmsKeyId

```yaml
Type: AWS::Timestream::Database
Properties:
  ...
+ KmsKeyId: kms-key-id
```
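The policy logic behind this finding, as an added example (not Checkov's or Bridgecrew's own code): a check that reads one parsed Terraform or CloudFormation resource and fails it when the Timestream database does not reference a KMS key. The helper names and the sample resources are constructed for illustration.

```python
"""Policy-style check: does a Timestream database reference a KMS key?
Handles Terraform (kms_key_id) and CloudFormation (Properties.KmsKeyId).
The function names and sample resources below are assumptions made for
this example, not Checkov's own implementation."""
from typing import Any, Dict, Tuple


def _present(value: Any) -> bool:
    """A key reference counts if it is a non-empty string, a variable or
    intrinsic reference (dict), or a list wrapping one of those."""
    if isinstance(value, list):   # Terraform parsers often wrap values in lists
        return any(_present(v) for v in value)
    if isinstance(value, dict):   # e.g. CloudFormation {"Ref": "TimestreamKey"}
        return bool(value)
    return isinstance(value, str) and value.strip() != ""


def check_timestream_kms(resource: Dict[str, Any]) -> Tuple[str, str]:
    """Return ("PASSED" | "FAILED" | "UNKNOWN", reason) for one resource.
    Terraform shape:      {"type": "aws_timestreamwrite_database", "config": {...}}
    CloudFormation shape: {"Type": "AWS::Timestream::Database", "Properties": {...}}"""
    if resource.get("type") == "aws_timestreamwrite_database":
        value, attr = resource.get("config", {}).get("kms_key_id"), "kms_key_id"
    elif resource.get("Type") == "AWS::Timestream::Database":
        value = resource.get("Properties", {}).get("KmsKeyId")
        attr = "Properties.KmsKeyId"
    else:
        return "UNKNOWN", "not a Timestream database resource"
    if _present(value):
        return "PASSED", f"{attr} is set"
    return "FAILED", f"{attr} missing: database falls back to the Timestream-managed default key"


# Constructed sample resources (not taken from a real deployment)
SAMPLES = {
    "tf_missing": {"type": "aws_timestreamwrite_database",
                   "config": {"database_name": ["metrics"]}},
    "tf_ok": {"type": "aws_timestreamwrite_database",
              "config": {"database_name": ["metrics"], "kms_key_id": ["${var.kms_key_id}"]}},
    "cfn_empty": {"Type": "AWS::Timestream::Database",
                  "Properties": {"DatabaseName": "metrics", "KmsKeyId": ""}},
    "cfn_ref": {"Type": "AWS::Timestream::Database",
                "Properties": {"DatabaseName": "metrics", "KmsKeyId": {"Ref": "TimestreamKey"}}},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(name, *check_timestream_kms(res))
```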