Open ccggeo opened 4 years ago
Is this being looked at?
Bump
My yearly bump.
Hi - This rule is intended to specifically check if a customer managed key is being used for the encryption. See here for the rule docs: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html
Log groups are showing as non-compliant in encryption for AWS Config despite being encrypted by default
The rule will check to see if a KMS key is present to check compliance. But the docs clearly state you do not need a KMS key, as they are all encrypted by default.
Using a key as the assertion for encryption is wrong and leads to false positives in auditing for encrypted log groups
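An added illustration (not code from the issue or from AWS) of the distinction the thread is about: the managed rule only reports a log group as compliant when a customer managed KMS key is associated, while every log group is still encrypted at rest with the service-managed default key. The sample `describe_log_groups`-shaped data below is constructed, and `require_cmk` is an assumed policy switch.

```python
from typing import Dict, List, Tuple

# Constructed sample in the shape of CloudWatch Logs DescribeLogGroups output.
# Only log groups with an associated customer managed key carry "kmsKeyId";
# the rest are still encrypted at rest with the service-managed default key.
SAMPLE_LOG_GROUPS: List[dict] = [
    {"logGroupName": "/aws/lambda/orders",
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/default-encrypted"},
    {"logGroupName": "/app/empty-key", "kmsKeyId": ""},
]


def evaluate_log_group(group: dict, require_cmk: bool = True) -> Tuple[str, str]:
    """Return (compliance, annotation) for one log group.

    require_cmk=True mirrors the managed rule cloudwatch-log-group-encrypted:
    only an associated customer managed KMS key counts as compliant.
    require_cmk=False (assumed policy switch) accepts the default
    service-managed encryption, which is the reading the issue argues for.
    """
    name = group["logGroupName"]
    key_id = group.get("kmsKeyId") or ""  # absent or empty means no CMK
    if key_id:
        return "COMPLIANT", f"{name}: customer managed key {key_id}"
    if require_cmk:
        return ("NON_COMPLIANT",
                f"{name}: encrypted at rest with the service-managed default "
                "key; no customer managed key associated")
    return "COMPLIANT", f"{name}: service-managed default encryption accepted"


def evaluate_all(groups: List[dict], require_cmk: bool = True) -> Dict[str, str]:
    """Map each log group name to its compliance verdict under the chosen policy."""
    return {g["logGroupName"]: evaluate_log_group(g, require_cmk)[0] for g in groups}


if __name__ == "__main__":
    for g in SAMPLE_LOG_GROUPS:
        verdict, note = evaluate_log_group(g)
        print(f"{verdict:14} {note}")
```

The annotation is what turns a bare NON_COMPLIANT into an auditable statement: the log group is encrypted, just not with a customer managed key.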