Property
Language: terraform
Severity: low
Service: cloudwatch
Provider: AWS

Description

CloudWatch log groups are not configured to use a customer-managed KMS key (CMK) for encryption, relying instead on default AWS-managed keys. This limits control over encryption settings, such as key rotation and access management.

Impact

Without CMK encryption, sensitive log data is at greater risk of unauthorized access in the event of a compromise, and there is less visibility into, and auditing of, who accesses log data. This can lead to data leaks and hinder compliance with security policies.

Resolution

Enable CMK encryption of CloudWatch Log Groups