AWS089 - CloudWatch log groups should be encrypted using CMK

Explanation

CloudWatch log groups are encrypted by default. However, to get the full benefit of controlling key rotation and other KMS aspects, a KMS CMK should be used.

Insecure Example

The following example will fail the AWS089 check.

resource "aws_cloudwatch_log_group" "bad_example" {
  name = "bad_example"
  # kms_key_id is not set, so the log group uses only the default encryption
}

Secure Example

The following example will pass the AWS089 check.

resource "aws_cloudwatch_log_group" "good_example" {
  name = "good_example"

  # ARN of a customer managed KMS key used to encrypt the log data
  kms_key_id = aws_kms_key.log_key.arn
}
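
The secure example refers to aws_kms_key.log_key without defining it. The following is an added example, not part of the original check documentation, showing one way to define that key with rotation enabled and a key policy that lets CloudWatch Logs use it for this log group only; without such a statement the association of the key with the log group is rejected. The region variable, the local names and the hard-coded "aws" partition are assumptions.

```hcl
# Added example: variable, local and data source names are assumptions.
variable "region" {
  type = string # region of the log group, e.g. the provider's region
}

data "aws_caller_identity" "current" {}

locals {
  log_group_name = "good_example"
  log_group_arn  = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_name}"
}

data "aws_iam_policy_document" "log_key" {
  # Keep the account able to administer the key through IAM policies.
  statement {
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Let the regional CloudWatch Logs service use the key, scoped to one log group.
  statement {
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${var.region}.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = [local.log_group_arn]
    }
  }
}

resource "aws_kms_key" "log_key" {
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.log_key.json
}

resource "aws_cloudwatch_log_group" "good_example" {
  name       = local.log_group_name
  kms_key_id = aws_kms_key.log_key.arn
}
```

The encryption-context condition stops the Logs service from using the key on behalf of any other log group in the account.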