log-group-customer-key
Explanation
CloudWatch log groups are encrypted by default; however, to get the full benefit of controlling key rotation and other KMS aspects (key policy, access auditing), a customer managed KMS key (CMK) should be used.
Possible Impact
Log data may be leaked if the logs are compromised. Without a CMK there is no auditing of who has viewed the logs.
Suggested Resolution
Enable CMK encryption of CloudWatch Log Groups
Insecure Example
The following example will fail the AVD-AWS-0017 check.
---
Resources:
  BadExample:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: ""
      LogGroupName: "aws/lambda/badExample"
      RetentionInDays: 30
Secure Example
The following example will pass the AVD-AWS-0017 check.
---
Resources:
  GoodExample:
    Type: AWS::Logs::LogGroup
    Properties:
      KmsKeyId: "arn:aws:kms:us-west-2:111122223333:key/lambdalogging"
      LogGroupName: "aws/lambda/goodExample"
      RetentionInDays: 30
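As an added illustration of what this check looks for (example code written for this page, not Trivy's own implementation), the following Python scans a CloudFormation template that has already been loaded into a dict (for example with yaml.safe_load) and reports every AWS::Logs::LogGroup whose KmsKeyId is missing, empty, or not a KMS key ARN. The template dicts, the extra LogKey resource and the RefExample log group are constructed here to mirror the two examples above.

```python
import re
from typing import Any

LOG_GROUP_TYPE = "AWS::Logs::LogGroup"
# KmsKeyId on AWS::Logs::LogGroup must be a KMS key ARN (any AWS partition).
KMS_ARN = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/\S+$")


def kms_key_is_set(value: Any) -> bool:
    """True when KmsKeyId plausibly references a customer managed key.

    A literal must be a KMS key ARN, so the empty string used by the insecure
    example fails. An intrinsic function ({"Ref": ...}, {"Fn::GetAtt": ...},
    {"Fn::ImportValue": ...}, {"Fn::Sub": ...}) is resolved at deploy time and
    is accepted here; a stricter scanner would follow it to an AWS::KMS::Key.
    """
    if isinstance(value, str):
        return bool(KMS_ARN.match(value.strip()))
    if isinstance(value, dict) and len(value) == 1:
        return next(iter(value)) in ("Ref", "Fn::GetAtt", "Fn::ImportValue", "Fn::Sub")
    return False


def find_unencrypted_log_groups(template: dict) -> list[str]:
    """Return logical IDs of log groups that would fail AVD-AWS-0017."""
    failing = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != LOG_GROUP_TYPE:
            continue
        props = resource.get("Properties") or {}  # no Properties at all also fails
        if not kms_key_is_set(props.get("KmsKeyId")):
            failing.append(logical_id)
    return failing


# Constructed templates mirroring the page's insecure and secure examples,
# plus a log group that references a key defined in the same stack.
BAD_TEMPLATE = {"Resources": {"BadExample": {
    "Type": LOG_GROUP_TYPE,
    "Properties": {"KmsKeyId": "", "LogGroupName": "aws/lambda/badExample",
                   "RetentionInDays": 30}}}}
GOOD_TEMPLATE = {"Resources": {
    "LogKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": True}},
    "GoodExample": {"Type": LOG_GROUP_TYPE, "Properties": {
        "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/lambdalogging",
        "LogGroupName": "aws/lambda/goodExample", "RetentionInDays": 30}},
    "RefExample": {"Type": LOG_GROUP_TYPE, "Properties": {
        "KmsKeyId": {"Fn::GetAtt": ["LogKey", "Arn"]},
        "LogGroupName": "aws/lambda/refExample"}}}}

if __name__ == "__main__":
    print("failing:", find_unencrypted_log_groups(BAD_TEMPLATE))   # ['BadExample']
    print("failing:", find_unencrypted_log_groups(GOOD_TEMPLATE))  # []
```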