awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

AWS Config asserts non-compliance on CloudWatch log groups despite being encrypted by default #337

Open ccggeo opened 4 years ago

ccggeo commented 4 years ago

Log groups are showing as non-compliant in encryption for AWS Config despite being encrypted by default.

The rule will check to see if a KMS key is present to check compliance. But the docs clearly state you do not need a KMS key, as they are all encrypted by default.

Using a key as the assertion for encryption is wrong and leads to false positives in auditing for encrypted log groups.

ccggeo commented 4 years ago

Is this being looked at?

ccggeo commented 3 years ago

Bump

ccggeo commented 2 years ago

my yearly bump

ghost commented 2 years ago

Hi - This rule is intended to specifically check if a customer managed key is being used for the encryption. See here for the rule docs: https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html
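The disagreement in this thread comes down to what the rule actually measures. The following is an added example, not code from the aws-config-rules repository, that models the check as the maintainer describes it: a log group is COMPLIANT only when a customer managed KMS key (`kmsKeyId`) is associated with it, so a group protected only by CloudWatch Logs' default encryption is reported NON_COMPLIANT. The input shape follows the `logGroups` entries returned by the CloudWatch Logs DescribeLogGroups API; the sample response, the log group names and the key ARN are constructed for the example. Auditors whose control objective is "encrypted at rest at all" should treat this rule's NON_COMPLIANT result as "no customer managed key", not as "unencrypted".

```python
"""Offline model of a 'customer managed key on log group' check.

Added example (not code from aws-config-rules): it reproduces the behaviour
discussed in the issue, where compliance is decided solely by the presence
of a customer managed KMS key (kmsKeyId) on the log group.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_log_group(log_group: dict) -> dict:
    """Return a Config-style evaluation for one log group description.

    `log_group` has the shape of one entry in the `logGroups` list returned
    by DescribeLogGroups: `kmsKeyId` is present only when a customer managed
    key has been associated with the group.
    """
    kms_key = log_group.get("kmsKeyId")
    if kms_key:
        return {
            "ComplianceResourceId": log_group["logGroupName"],
            "ComplianceType": COMPLIANT,
            "Annotation": f"Encrypted with customer managed key {kms_key}",
        }
    return {
        "ComplianceResourceId": log_group["logGroupName"],
        "ComplianceType": NON_COMPLIANT,
        # This is the case the issue reports: the group is encrypted by the
        # service's default server-side encryption, but not with a customer
        # managed key, and this rule only credits the latter.
        "Annotation": "No customer managed KMS key associated "
                      "(default CloudWatch Logs encryption only)",
    }


def evaluate_all(describe_response: dict) -> list:
    """Evaluate every log group in a DescribeLogGroups-shaped response."""
    return [evaluate_log_group(lg) for lg in describe_response.get("logGroups", [])]


def non_compliant_names(describe_response: dict) -> list:
    """Names of log groups the rule would flag, in response order."""
    return [e["ComplianceResourceId"] for e in evaluate_all(describe_response)
            if e["ComplianceType"] == NON_COMPLIANT]


# Constructed sample DescribeLogGroups response (placeholder account/key ids).
SAMPLE_RESPONSE = {
    "logGroups": [
        {"logGroupName": "/aws/lambda/orders",
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"logGroupName": "/aws/lambda/billing"},   # default encryption only
        {"logGroupName": "/ecs/frontend"},         # default encryption only
    ]
}

if __name__ == "__main__":
    for ev in evaluate_all(SAMPLE_RESPONSE):
        print(f"{ev['ComplianceResourceId']:<22} {ev['ComplianceType']:<14} {ev['Annotation']}")
```

Running the module prints one line per group; only `/aws/lambda/orders` comes back COMPLIANT, which is exactly the false-positive pattern the reporter describes if the rule is read as an "is this encrypted" control rather than a "does this use a CMK" control.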