aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

CloudWatch log groups encrypted using KMS #396

Open jo-koe opened 8 months ago

jo-koe commented 8 months ago

Describe the outcome you'd like

Currently none of the CloudWatch log groups which are created by AFT are encrypted by a customer managed key stored in KMS. We would like to have a variable to enable this encryption by a KMS CMK which should also be created as part of this solution.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

We are using the Operational-Best-Practices-for-CloudWatch conformance pack in conjunction with Security Hub which checks if log groups are encrypted by a CMK. As this is not the case for all the log groups created by AFT, we receive a lot of high severity findings in Security Hub.

Additional context

N/A
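For readers of this issue, the following is an added Terraform example of what the requested opt-in looks like; it is not AFT code and not part of the original post. The variable name, alias, log group name and retention period are assumptions chosen for illustration. The key policy is the part that usually goes wrong: CloudWatch Logs must be allowed to use the key via the regional `logs.<region>.amazonaws.com` service principal, scoped with the `kms:EncryptionContext:aws:logs:arn` condition so the key can only be used for log groups in this account and region.

```hcl
# Added example (not AFT's own code): opt-in customer managed KMS encryption
# for a CloudWatch log group. Names below are assumptions for illustration.
variable "enable_log_group_kms_encryption" {
  description = "Create a customer managed KMS key and encrypt the log group with it"
  type        = bool
  default     = false
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "logs_kms" {
  # Account root keeps full control so the key cannot become unmanageable.
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch Logs in this region may use the key, but only on behalf of
  # log groups that belong to this account (enforced via the encryption context).
  statement {
    sid = "AllowCloudWatchLogs"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "logs" {
  count               = var.enable_log_group_kms_encryption ? 1 : 0
  description         = "Customer managed key for CloudWatch log groups (example)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.logs_kms.json
}

resource "aws_kms_alias" "logs" {
  count         = var.enable_log_group_kms_encryption ? 1 : 0
  name          = "alias/example-cloudwatch-logs" # assumed alias
  target_key_id = aws_kms_key.logs[0].key_id
}

resource "aws_cloudwatch_log_group" "example" {
  name              = "/aws/lambda/example-function" # assumed log group name
  retention_in_days = 90                             # assumed retention
  # kms_key_id takes the key ARN. When the variable is false the attribute is
  # null and the log group keeps the default AWS-managed server-side encryption.
  kms_key_id = var.enable_log_group_kms_encryption ? aws_kms_key.logs[0].arn : null
}
```

Two caveats worth knowing before applying this to existing log groups: associating a key only affects data ingested after the association, so already stored events stay under the previous encryption, and if the key policy omits the service principal statement, CloudWatch Logs will reject writes to the group rather than fall back to the default key. The `kms_key_id` attribute is exactly what the `cloudwatch-log-group-encrypted` Config rule behind the Security Hub finding inspects, so setting it is what clears the finding.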

Sanjan611 commented 8 months ago

Hi @jo-koe, we've noted this and created a backlog item for us to look at. Thanks!