Closed jo-koe closed 10 months ago
Describe the outcome you'd like
The aft-backend- DynamoDB table which is used for the Terraform state lock should be encrypted with a customer-managed key stored in KMS, like the other tables created by AFT. It could be the same key as the one used for the S3 bucket which stores the Terraform state files, or a new one.
Is your feature request related to a problem you are currently experiencing? If so, please describe.
We are using the Operational-Best-Practices-for-Database-Services.yaml conformance pack in conjunction with Security Hub, which checks if DynamoDB tables are encrypted with a CMK. As this is not the case for the Terraform state lock DynamoDB table, we receive a high-severity finding in Security Hub.
Additional context
N/A
+1
Got ya, thanks for the info @jo-koe. I'll add this to an internal item we're tracking for various security improvement updates.
Hi @jo-koe,
I'm closing this issue as a duplicate - please track this ask under https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/299
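For reference, this is what the requested configuration looks like in Terraform: a state backend whose S3 bucket and DynamoDB lock table share one customer-managed KMS key. It is an added example, not code from AFT or from the issue author; the resource labels, the `alias/aft-backend` alias, the bucket name and the `aft-backend-state-lock` table name are placeholders, and the assumption that the finding comes from the managed Config rule `dynamodb-table-encrypted-kms` (which flags tables not encrypted with a KMS key) is mine.

```hcl
# Added example (not AFT's own code). Resource labels, alias, bucket and
# table names are placeholders; adjust them to the naming your deployment uses.

# One customer-managed key for both halves of the Terraform backend.
resource "aws_kms_key" "aft_backend" {
  description             = "CMK for the Terraform state bucket and lock table"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "aft_backend" {
  name          = "alias/aft-backend" # placeholder
  target_key_id = aws_kms_key.aft_backend.key_id
}

# The S3 bucket that stores the state files, encrypted with the same key.
resource "aws_s3_bucket" "aft_backend" {
  bucket = "aft-backend-state-example" # placeholder, must be globally unique
}

resource "aws_s3_bucket_server_side_encryption_configuration" "aft_backend" {
  bucket = aws_s3_bucket.aft_backend.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.aft_backend.arn
    }
    bucket_key_enabled = true
  }
}

# The state lock table. The server_side_encryption block is the part the
# issue asks for: without it (or with kms_key_arn omitted) the table uses an
# AWS-owned key, which the dynamodb-table-encrypted-kms check (assumed to be
# the rule behind the Security Hub finding) reports as non-compliant.
resource "aws_dynamodb_table" "aft_backend_lock" {
  name         = "aft-backend-state-lock" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID" # the attribute the S3 backend locks on

  attribute {
    name = "LockID"
    type = "S"
  }

  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.aft_backend.arn
  }

  point_in_time_recovery {
    enabled = true
  }
}
```

Two practical notes: the principal that runs `terraform apply` against this backend has to be allowed to use the key in its key policy (DynamoDB and S3 both encrypt on that principal's behalf), and switching an existing lock table from the default encryption to `kms_key_arn` is an in-place update, so it can be applied to a live backend without recreating the table.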