Ensure that Timestream database is encrypted with KMS CMK
ID | timestream_db_encrypted_cmk
Severity | high
Vendor | AWS
Resource | Timestream
Tags | reachable
Description
Amazon Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications that makes it easy to store and analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th the cost of relational databases.
Timestream encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS).
It is recommended to encrypt with a customer managed key (CMK) rather than the AWS managed key. Using your own KMS key gives you more control, including the ability to create, rotate, and disable the key and to define its key policy.
Examples
CloudFormation
  {
    "Resources": {
      "MyTimestreamDatabase": {
        "Type": "AWS::Timestream::Database",
        "Properties": {
          "DatabaseName": "timestream"
        }
      }
    }
  }
Note: the KmsKeyId property is missing from MyTimestreamDatabase, so encryption at rest is performed with the Amazon managed key instead of a CMK.
  Resources:
    TimestreamDatabaseEnabled:
      Type: AWS::Timestream::Database
      Properties:
        DatabaseName: timestream
Note: the KmsKeyId property is missing from TimestreamDatabaseEnabled, so encryption at rest is performed with the Amazon managed key instead of a CMK.
Mitigation / Fix
Buildtime
CloudFormation
  {
    "Resources": {
      "MyTimestreamDatabase": {
        "Type": "AWS::Timestream::Database",
        "Properties": {
          "DatabaseName": "timestream",
          "KmsKeyId": "kms-key-id"
        }
      }
    }
  }
Note: KmsKeyId is set (here to the placeholder kms-key-id), so the database is encrypted with the specified CMK.
  Resources:
    TimestreamDatabaseEnabled:
      Type: AWS::Timestream::Database
      Properties:
        DatabaseName: timestream
        KmsKeyId: kms-key-id
Note: KmsKeyId is set (here to the placeholder kms-key-id), so the database is encrypted with the specified CMK.
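The buildtime check this policy describes can be expressed as a short script that loads a CloudFormation template and reports every AWS::Timestream::Database resource whose KmsKeyId is missing or empty. The code below is an added example written for this page; it is not the scanner's own implementation and not code from AWS. It parses JSON with the standard library (a YAML template would be fed through yaml.safe_load and checked by the same function), and the sample template, resource names (UnencryptedDb, LiteralKeyDb, RefKeyDb, TimestreamKey) and the placeholder key id are constructed for the example. It also covers a case the page's literal examples do not show: a KmsKeyId supplied through an intrinsic function such as Ref counts as set, because the key is resolved at deploy time rather than left to the AWS managed key.

```python
"""Buildtime check for the timestream_db_encrypted_cmk policy.

Added example for this page, not a scanner's or AWS's own code. Loads a
CloudFormation template (JSON via the stdlib; a YAML template loaded with
yaml.safe_load yields the same dict shape) and flags every
AWS::Timestream::Database resource without a usable KmsKeyId.
"""
import json
from typing import Dict, List

TIMESTREAM_DB = "AWS::Timestream::Database"

# Constructed sample template: one database without KmsKeyId (fails), one with
# a literal placeholder key id (passes) and one referencing a key defined in
# the same template via Ref (passes: an intrinsic function still supplies a key).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "UnencryptedDb": {
            "Type": TIMESTREAM_DB,
            "Properties": {"DatabaseName": "timestream"},
        },
        "LiteralKeyDb": {
            "Type": TIMESTREAM_DB,
            "Properties": {"DatabaseName": "timestream2",
                           "KmsKeyId": "kms-key-id"},
        },
        "RefKeyDb": {
            "Type": TIMESTREAM_DB,
            "Properties": {"DatabaseName": "timestream3",
                           "KmsKeyId": {"Ref": "TimestreamKey"}},
        },
        "TimestreamKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeyPolicy": {}},
        },
    }
})


def has_cmk(properties: Dict) -> bool:
    """True when KmsKeyId is set to something usable.

    A string must be non-blank. A dict is an intrinsic function such as
    {"Ref": ...} or {"Fn::GetAtt": ...} and counts as set, since the key is
    resolved at deploy time instead of defaulting to the AWS managed key.
    """
    key = properties.get("KmsKeyId")
    if isinstance(key, str):
        return key.strip() != ""
    return isinstance(key, dict) and len(key) > 0


def find_unencrypted_timestream_dbs(template: Dict) -> List[str]:
    """Return the logical IDs of Timestream databases that fail the policy."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != TIMESTREAM_DB:
            continue
        if not has_cmk(resource.get("Properties") or {}):
            failing.append(logical_id)
    return failing


def check_template_text(text: str) -> List[str]:
    """Parse a JSON template and run the policy over it."""
    return find_unencrypted_timestream_dbs(json.loads(text))


if __name__ == "__main__":
    for logical_id in check_template_text(SAMPLE_TEMPLATE):
        print(f"FAIL timestream_db_encrypted_cmk: {logical_id} has no KmsKeyId")
```

Run against the sample template, only UnencryptedDb is reported; the two databases that set KmsKeyId, whether as a literal or through Ref, pass. Treating an empty string as failing matters because a template that sets the property to "" still deploys with the AWS managed key.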