Describe the outcome you'd like
The DynamoDB table (and its replica) used as a state lock table for Terraform OSS back ends should be encrypted using a customer-managed KMS key, presumably the same KMS CMK as is used for the Terraform state in S3. The DynamoDB tables storing other AFT data are already encrypted in this way.
Is your feature request related to a problem you are currently experiencing? If so, please describe.
The default server-side encryption used flags up in external security testing of our AWS Landing Zone. Many third-party sets of security guidelines and best practices include this requirement, and for good reason.
Additional context
This can be remediated, I think, by the following change around line 271 of modules/aft-backend/main.tf:
IAM permissions are already granted for the key to the role using the Terraform OSS back end.
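For illustration, here is an added Terraform example (not AFT's own code from modules/aft-backend/main.tf) of a state-lock table and its replica encrypted with a customer-managed key. All resource and variable names (tf_state_lock, aws.replica, var.replica_region) are hypothetical. It shows the weak setting the issue describes beside the corrected one, and includes the caveat that a replica must be encrypted with a key that lives in the replica's region, which a multi-Region KMS key and an aws_kms_replica_key provide.

```hcl
# Added example, not part of AFT. Names are hypothetical placeholders.

# Customer-managed key for the lock table. multi_region lets a replica key
# in the second region serve the DynamoDB replica.
resource "aws_kms_key" "tf_state_lock" {
  description         = "CMK for Terraform state lock table (example)"
  enable_key_rotation = true
  multi_region        = true
}

# Replica key in the replica region; provider alias "aws.replica" is assumed
# to be configured for that region.
resource "aws_kms_replica_key" "tf_state_lock_replica" {
  provider        = aws.replica
  primary_key_arn = aws_kms_key.tf_state_lock.arn
}

variable "replica_region" {
  type        = string
  description = "Region of the DynamoDB replica (example placeholder)"
}

resource "aws_dynamodb_table" "tf_state_lock" {
  name         = "aft-backend-lock-EXAMPLE"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  # Streams are required for a table with replicas.
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  # Weak settings the issue reports (shown for contrast, do not use):
  #   - omitting server_side_encryption  -> AWS-owned key
  #   - enabled = true with no kms_key_arn -> AWS-managed key (aws/dynamodb)
  #
  # Corrected: explicit customer-managed key.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.tf_state_lock.arn
  }

  # The replica needs a key in its own region, hence the replica key.
  replica {
    region_name = var.replica_region
    kms_key_arn = aws_kms_replica_key.tf_state_lock_replica.arn
  }

  point_in_time_recovery {
    enabled = true
  }
}
```

After applying, the setting can be verified with `aws dynamodb describe-table --table-name <table> --query 'Table.SSEDescription'`, which should report `SSEType` of `KMS` and a `KMSMasterKeyArn` pointing at the customer-managed key; the same check against the replica region should show the replica key. The role that uses the lock table also needs `kms:Decrypt`, `kms:Encrypt`, `kms:GenerateDataKey` and `kms:DescribeKey` on the key, which the issue notes is already the case for the existing AFT key.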