terraform-aws-control_tower_account_factory

CloudWatch log groups encrypted using KMS

Open jo-koe opened this issue 1 year ago • 1 comments

Describe the outcome you'd like

Currently none of the CloudWatch log groups which are created by AFT are encrypted by a customer managed key stored in KMS. We would like to have a variable to enable this encryption by a KMS CMK which should also be created as part of this solution.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

We are using the Operational-Best-Practices-for-CloudWatch conformance pack in conjunction with Security Hub which checks if log groups are encrypted by a CMK. As this is not the case for all the log groups created by AFT, we receive a lot of high severity findings in Security Hub.

Additional context

N/A

jo-koe, Oct 11 '23 10:10

Hi @jo-koe, we've noted this and created a backlog item for us to look at. Thanks!

Sanjan611, Oct 13 '23 21:10
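For readers who want to see what the request in this issue amounts to in Terraform, the sketch below is an added example and not code from AFT or its maintainers: a toggle variable, a CMK whose key policy lets CloudWatch Logs use it, and a log group that references the key. All names (`log_group_cmk_enabled`, `logs_cmk`, the log group name) are hypothetical, and it assumes the commercial `aws` partition and the Terraform AWS provider.

```hcl
# Hypothetical names throughout; none of this is an AFT variable or resource.
variable "log_group_cmk_enabled" {
  type    = bool
  default = false
}
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  account = data.aws_caller_identity.current.account_id
  region  = data.aws_region.current.name
}

data "aws_iam_policy_document" "logs_cmk" {
  # Keep the account able to administer the key through IAM policies.
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account}:root"]
    }
  }
  # CloudWatch Logs may use the key, but only for log groups in this account and region.
  statement {
    sid       = "CloudWatchLogs"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${local.region}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${local.region}:${local.account}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "logs" {
  count               = var.log_group_cmk_enabled ? 1 : 0
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.logs_cmk.json
}

resource "aws_cloudwatch_log_group" "example" {
  name       = "/example/hypothetical"
  kms_key_id = var.log_group_cmk_enabled ? aws_kms_key.logs[0].arn : null # null = service-managed encryption
}
```

Without the `CloudWatchLogs` statement in the key policy, associating the key with a log group fails, because the Logs service principal is not allowed to use the CMK.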