Control: Backup vault encryption at rest enabled

Description

Checks if AWS Backup vaults have encryption enabled. The rule is non complaint if the vault does not have encryption enabled.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.backup_vault_encryption_at_rest_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.backup_vault_encryption_at_rest_enabled --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when (attributes_std -> 'kms_key_arn') is null then 'alarm'
    else 'ok'
  end status,
  split_part(address, '.', 2) || case
    when (attributes_std -> 'kms_key_arn') is null then ' encryption at rest disabled'
    else ' encryption at rest enabled'
  end || '.' reason
  
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'aws_backup_vault';

Control: Backup vault encryption at rest enabled

Description

Usage

SQL

Tags