CloudWatch log groups are encrypted by default; however, to get the full benefit of controlling key rotation and other KMS aspects, a KMS CMK should be used.
Log data may be leaked if the logs are compromised. There is no auditing of who has viewed the logs.
Enable CMK encryption of CloudWatch Log Groups
The following example will fail the aws-cloudwatch-log-group-customer-key check.
The following example will pass the aws-cloudwatch-log-group-customer-key check.
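As an added illustration (not the check's own example code), the Terraform below puts a log group without `kms_key_id` beside one encrypted with a customer managed key. The resource names, the region value and the key policy are assumptions; the policy grants the CloudWatch Logs service principal use of the key, which the service needs before a key can be associated with a log group.

```terraform
# Added example; names and the region below are constructed for illustration.
locals {
  region = "eu-west-1" # assumption: region where the log groups live
}

data "aws_caller_identity" "current" {}

# Would fail the check: no kms_key_id, so only default encryption applies.
resource "aws_cloudwatch_log_group" "bad_example" {
  name = "bad_example"
}

# Customer managed key with rotation under the account's control.
resource "aws_kms_key" "log_key" {
  description         = "CMK for CloudWatch Logs"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # CloudWatch Logs must be allowed to use the key, scoped to this account's log groups.
        Sid       = "AllowCloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${local.region}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${local.region}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}

# Would pass the check: the log group references the CMK.
resource "aws_cloudwatch_log_group" "good_example" {
  name       = "good_example"
  kms_key_id = aws_kms_key.log_key.arn
}
```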