TF 0092 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
CloudWatch log groups should be encrypted using CMK
Property | Value |
---|---|
Language | |
Severity | |
Service | cloudwatch |
Provider | AWS |
Description
The `aws_cloudwatch_log_group` resource has no `kms_key_id`, so the log group is encrypted at rest with the CloudWatch Logs service's default AWS-managed encryption rather than a customer-managed KMS key (CMK). With the default key you do not own the key policy, cannot decide or audit which principals may decrypt the data, and cannot control rotation, disabling or deletion of the key.
Impact
Without a CMK, read access to log data is governed only by IAM permissions on CloudWatch Logs; there is no second authorization layer in a KMS key policy, and no KMS key-usage events in the account's CloudTrail showing who decrypted the data. Logs frequently carry sensitive material (request parameters, identifiers, stack traces), so this widens the blast radius of a compromised principal and can fail policies or frameworks that require customer-managed encryption keys.
Resolution
Create a customer-managed KMS key in the same region as the log group, grant the CloudWatch Logs service principal (`logs.<region>.amazonaws.com`) `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*` in the key policy, and set `kms_key_id` on each `aws_cloudwatch_log_group` to the key ARN. If the key policy does not allow the service principal, the association is rejected. Keep the key enabled: data ingested under the CMK becomes unreadable if the key is disabled or deleted. Verify with `aws logs describe-log-groups --query 'logGroups[].[logGroupName,kmsKeyId]'` that every log group reports a key ARN.