terraform.aws.best-practice.missing-cloudwatch-log-group-kms-key.missing-cloudwatch-log-group-kms-key

Author: semgrep
Download Count: unknown

The AWS CloudWatch Log group is missing a KMS key. Log group data is always encrypted at rest by CloudWatch Logs using service-managed keys; you can optionally use a customer-managed KMS key instead, which gives you control over the key policy, rotation and access auditing. Add kms_key_id = "yourKey" (the ARN of the KMS key) to your resource block.

Definition

rules:
  - id: missing-cloudwatch-log-group-kms-key
    patterns:
      - patterns:
          - pattern: resource "aws_cloudwatch_log_group" $ANYTHING {...}
          - pattern-not-inside: |
              resource "aws_cloudwatch_log_group" $ANYTHING {
                ...
                kms_key_id = ...
                ...
              }
    message: The AWS CloudWatch Log group is missing a KMS key. While Log group data
      is always encrypted, you can optionally use a KMS key instead. Add
      `kms_key_id = "yourKey"` to your resource block.
    languages:
      - hcl
    severity: WARNING
    metadata:
      technology:
        - aws
        - terraform
      category: best-practice
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-cloudwatch-log-group-kms-key.tf

# ruleid: missing-cloudwatch-log-group-kms-key
resource "aws_cloudwatch_log_group" "fail" {
  retention_in_days = 1
}

# ok: missing-cloudwatch-log-group-kms-key
resource "aws_cloudwatch_log_group" "pass" {
  retention_in_days = 1
  kms_key_id        = "someKey"
}