CloudWatch log groups should be encrypted using CMK
CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.
Impact
Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.