Ensure data encryption is enabled for AWS X-Ray

HIGH

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance regulations and allows a more specific key rotation period. With system-generated keys, expired or exposed keys can sometimes remain in use, leaving data insecurely protected. It is often recommended to use a customer managed key whenever the service supports it.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the X-Ray console.
  2. Select Encryption.
  3. Select Use a KMS key.
  4. Select Manually enter a key ARN and enter a KMS Key ARN.
  5. Select Apply.

In Terraform -

  1. In the aws_xray_encryption_config resource, set the 'type' attribute to 'KMS'.
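
As an added example (not part of this rule's text or of the Terraform provider documentation), the non-compliant setting next to the remediated one; the resource names and the key alias are assumed:

```hcl
# Added example, not the rule's own code. Resource names and the alias are assumed.

# Non-compliant: type "NONE" leaves traces under the X-Ray service default encryption.
# resource "aws_xray_encryption_config" "weak" {
#   type = "NONE"
# }

# Remediated: a customer managed KMS key with automatic rotation enabled,
# referenced from the X-Ray encryption configuration.
resource "aws_kms_key" "xray" {
  description             = "Customer managed key for AWS X-Ray trace encryption"
  enable_key_rotation     = true # automatic rotation of the key material
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "xray" {
  name          = "alias/xray-traces" # assumed alias name
  target_key_id = aws_kms_key.xray.key_id
}

resource "aws_xray_encryption_config" "this" {
  type   = "KMS"
  # Pass the customer managed key explicitly: with type "KMS" but no key_id,
  # X-Ray uses the AWS managed key (aws/xray), which is not customer managed.
  key_id = aws_kms_key.xray.arn
}
```

The principal that applies this change must be allowed to use the key; the X-Ray encryption documentation referenced below lists the required kms:* actions.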

References:
https://docs.aws.amazon.com/xray/latest/devguide/xray-console-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/xray_encryption_config

Policy Details

Rule Reference ID: AC_AWS_0374
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: X-Ray

Frameworks