Ensure an AWS Key Management Service (KMS) Customer Managed Key (CMK) is used to encrypt AWS CloudWatch Log Group

HIGH

Description

Using customer managed keys gives administrators control over how data is encrypted, which helps meet compliance regulations, and allows for a more specific key rotation period. Using system-generated keys can sometimes leave expired or exposed keys in use, which leaves data insecure. It is often recommended to use a customer managed key when the service supports it.

Remediation

In AWS Console -

  1. Create an AWS KMS customer managed key.
  2. Set the necessary permissions on the customer managed key.
  3. Associate a log group with a customer managed key.

In Terraform -

  1. In the aws_cloudwatch_log_group resource, set the kms_key_id field to a customer managed key ID.
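
The three console steps and the Terraform step above, combined into one Terraform configuration as an added example (not taken from this policy page or from the provider documentation). The region, log group name and resource names are assumptions; the key policy follows the AWS-documented pattern of letting the regional CloudWatch Logs service principal use the key, scoped to one log group by encryption context.

```hcl
# Added example. Region, log group name and resource names are assumptions.
data "aws_caller_identity" "current" {}

locals {
  region         = "us-east-1" # assumed; must match the provider's region
  account_id     = data.aws_caller_identity.current.account_id
  log_group_name = "/example/app" # hypothetical log group name
}

# Step 2: key policy. The account root keeps administration of the key;
# CloudWatch Logs may use it only for the log group in the encryption context.
data "aws_iam_policy_document" "logs_key" {
  statement {
    sid       = "AccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }
  statement {
    sid       = "CloudWatchLogsUse"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${local.region}.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:${local.log_group_name}"]
    }
  }
}

# Step 1: the customer managed key, with automatic rotation enabled.
resource "aws_kms_key" "logs" {
  description         = "CMK for CloudWatch Logs (example)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.logs_key.json
}

# Step 3: associate the log group with the key. Omitting kms_key_id is the
# condition this rule flags. The provider documents this argument as the key ARN.
resource "aws_cloudwatch_log_group" "app" {
  name       = local.log_group_name
  kms_key_id = aws_kms_key.logs.arn
}
```

Without the service-principal statement, associating the key with the log group fails, so the key policy has to be in place before the log group is created or updated.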

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group

Policy Details

Rule Reference ID: AC_AWS_0451
CSP: AWS
Remediation Available: Yes
Resource Category: Logging and Monitoring
Resource Type: CloudWatch

Frameworks