terraform.aws.security.aws-cloudwatch-log-group-unencrypted.aws-cloudwatch-log-group-unencrypted
semgrepAuthor
unknown
Download Count*
License
By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Run Locally
Run in CI
Defintion
rules:
- id: aws-cloudwatch-log-group-unencrypted
patterns:
- pattern: |
resource "aws_cloudwatch_log_group" $ANYTHING {
...
}
- pattern-not-inside: |
resource "aws_cloudwatch_log_group" $ANYTHING {
...
kms_key_id = ...
...
}
message: By default, AWS CloudWatch Log Group is encrypted using AWS-managed
keys. However, for added security, it's recommended to configure your own
AWS KMS encryption key to protect your log group in CloudWatch. You can
either create a new aws_kms_key resource or use the ARN of an existing key
in your AWS account to do so.
languages:
- hcl
severity: WARNING
metadata:
owasp:
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-732: Incorrect Permission Assignment for Critical Resource"
technology:
- aws
- terraform
category: security
references:
- https://cwe.mitre.org/data/definitions/732.html
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
Examples
aws-cloudwatch-log-group-unencrypted.tf
resource "aws_cloudwatch_log_group" "pass" {
retention_in_days = 1
kms_key_id = "someKey"
}
# ruleid: aws-cloudwatch-log-group-unencrypted
resource "aws_cloudwatch_log_group" "fail" {
retention_in_days = 1
}
Short Link: https://sg.run/Pg6Y