awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

Operational-Best-Practices-for-CMMC-2.0-Level-2: Conflicting Config Rules #400

Open mikedizon opened 1 year ago

mikedizon commented 1 year ago

S3BucketLoggingEnabled and S3DefaultEncryptionKms seem to conflict with one another.

AWS-KMS (SSE-KMS) cannot be used on the target bucket for Server Access Logging, which causes S3_DEFAULT_ENCRYPTION_KMS to report as being non-compliant. There should be a way to specify which buckets can be exempted from this rule.

pnutshellmenace commented 1 year ago

I am running into a similar conflict with ElbLoggingEnabled and S3DefaultEncryptionKms. With access logs enabled on an application load balancer, the S3 bucket has to use Amazon S3-managed keys.

From: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html

The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3).
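One way to reconcile the two checks described in this thread is to treat log-delivery target buckets (S3 server access logging targets and ALB access-log buckets) as an exemption set for the KMS requirement, while still flagging a log target that has SSE-KMS set, since log delivery to it will fail. The block below is an added example, not code from the aws-config-rules project and not the managed S3_DEFAULT_ENCRYPTION_KMS rule; it evaluates constructed in-memory data instead of calling the S3 or ELB APIs, and the bucket names, the `logging_config` mapping (shaped like the `TargetBucket` values GetBucketLogging would return) and the ALB log bucket list are all assumptions made up for the example.

```python
"""Added example: evaluate "default encryption must be SSE-KMS" with an
exemption for log-delivery target buckets, which only support SSE-S3.
Not the project's own rule; all sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


@dataclass
class Bucket:
    name: str
    # Value of ServerSideEncryptionByDefault.SSEAlgorithm: "aws:kms", "AES256",
    # or None when the bucket has no default encryption configuration.
    sse_algorithm: Optional[str]


def log_targets(logging_config: Dict[str, Optional[str]],
                alb_log_buckets: Iterable[str]) -> FrozenSet[str]:
    """Derive the exemption set from where logs are delivered.

    logging_config maps source bucket -> TargetBucket (None if logging is off),
    alb_log_buckets lists the access_logs.s3.bucket attribute of each ALB.
    """
    s3_targets = {t for t in logging_config.values() if t}
    return frozenset(s3_targets | set(alb_log_buckets))


def evaluate(bucket: Bucket, exempt: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one bucket."""
    if bucket.name in exempt:
        # Log-delivery targets: SSE-S3 is the only supported option, so SSE-S3
        # is compliant here and SSE-KMS is a misconfiguration in its own right.
        if bucket.sse_algorithm == "AES256":
            return COMPLIANT, "log-delivery target; SSE-S3 is the only supported option"
        if bucket.sse_algorithm == "aws:kms":
            return NON_COMPLIANT, "log-delivery target uses SSE-KMS; log delivery will fail"
        return NON_COMPLIANT, "log-delivery target has no default encryption"
    if bucket.sse_algorithm == "aws:kms":
        return COMPLIANT, "default encryption is SSE-KMS"
    return NON_COMPLIANT, (
        f"default encryption is {bucket.sse_algorithm or 'not set'}, expected SSE-KMS"
    )


def evaluate_account(buckets: List[Bucket],
                     logging_config: Dict[str, Optional[str]],
                     alb_log_buckets: Iterable[str]) -> List[dict]:
    """Build evaluation records in the shape Config's PutEvaluations expects
    (OrderingTimestamp omitted; a real rule adds it from the invoking event)."""
    exempt = log_targets(logging_config, alb_log_buckets)
    results = []
    for b in buckets:
        status, note = evaluate(b, exempt)
        results.append({
            "ComplianceResourceType": "AWS::S3::Bucket",
            "ComplianceResourceId": b.name,
            "ComplianceType": status,
            "Annotation": note,
        })
    return results


# Constructed sample account (names and settings are invented for the example).
SAMPLE_BUCKETS = [
    Bucket("app-data", "aws:kms"),          # normal bucket, KMS as required
    Bucket("app-uploads", "AES256"),        # normal bucket, wrongly on SSE-S3
    Bucket("s3-access-logs", "AES256"),     # server access logging target
    Bucket("alb-access-logs", "aws:kms"),   # ALB log target, wrongly on SSE-KMS
]
SAMPLE_LOGGING = {"app-data": "s3-access-logs", "app-uploads": None}
SAMPLE_ALB_LOG_BUCKETS = ["alb-access-logs"]


def run_sample() -> Dict[str, str]:
    """Map bucket name -> ComplianceType for the constructed account."""
    evals = evaluate_account(SAMPLE_BUCKETS, SAMPLE_LOGGING, SAMPLE_ALB_LOG_BUCKETS)
    return {e["ComplianceResourceId"]: e["ComplianceType"] for e in evals}


if __name__ == "__main__":
    for e in evaluate_account(SAMPLE_BUCKETS, SAMPLE_LOGGING, SAMPLE_ALB_LOG_BUCKETS):
        print(f"{e['ComplianceResourceId']:<16} {e['ComplianceType']:<14} {e['Annotation']}")
```

Deriving the exemption set from the actual logging configuration, rather than from a static parameter, keeps the rule honest: a bucket only escapes the KMS requirement while something really delivers logs to it, and a log target that someone later switches to SSE-KMS is reported instead of silently breaking log delivery.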