Control: S3 bucket object should be encrypted with KMS CMK
Description
Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.s3_bucket_object_encrypted_with_kms_cmk
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_aws_compliance.control.s3_bucket_object_encrypted_with_kms_cmk --share
SQL
This control uses a named query:
select address as resource, case when attributes_std -> 'kms_key_id' is not null then 'ok' else 'alarm' end as status, split_part(address, '.', 2) || case when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS' else ' not encrypted with KMS' end || '.' as reason , path || ':' || start_linefrom terraform_resourcewhere type = 'aws_s3_bucket_object';