Control: ECS cluster logging should be encrypted with KMS CMK
Description
This control checks whether logging is encrypted with KMS CMK for the ECS cluster.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.ecs_cluster_logging_encrypted_with_kms_cmkSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.ecs_cluster_logging_encrypted_with_kms_cmk --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') <> 'NONE' and (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'kms_key_id') is not null and ((attributes_std -> 'configuration' -> 'execute_command_configuration' -> 'log_configuration' ->> 'cloud_watch_encryption_enabled')::boolean or (attributes_std -> 'configuration' -> 'execute_command_configuration' -> 'log_configuration' ->> 's3_bucket_encryption_enabled')::boolean) then 'ok' else 'alarm' end as status, split_part(address, '.', 2) || case when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') <> 'NONE' and (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'kms_key_id') is not null and ((attributes_std -> 'configuration' -> 'execute_command_configuration' -> 'log_configuration' ->> 'cloud_watch_encryption_enabled')::boolean or (attributes_std -> 'configuration' -> 'execute_command_configuration' -> 'log_configuration' ->> 's3_bucket_encryption_enabled')::boolean) then ' cluster logging encrypted with kms cmk' when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') = 'NONE' or (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') is null then ' cluster logging disabled' else ' cluster logging not encrypted with kms cmk' end || '.' as reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_ecs_cluster';