Severity: LOW
Source: Trivy
ID: AVD-AWS-0017

CloudWatch log groups should be encrypted using CMK

CloudWatch log groups are encrypted by default; however, to get the full benefit of controlling key rotation and other KMS aspects (key policy, access auditing), a KMS CMK should be used.

Impact

Log data may be leaked if the logs are compromised. There is no auditing of who has viewed the logs.

Follow the appropriate remediation steps below to resolve the issue.

Enable CMK encryption of CloudWatch Log Groups (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: "arn:aws:kms:us-west-2:111122223333:key/lambdalogging"
      LogGroupName: "aws/lambda/goodExample"
      RetentionInDays: 30

Enable CMK encryption of CloudWatch Log Groups (Terraform)

resource "aws_cloudwatch_log_group" "good_example" {
  name = "good_example"

  # kms_key_id expects the ARN of a CMK that CloudWatch Logs is allowed to use.
  kms_key_id = aws_kms_key.log_key.arn
}