kms_key_arn
KMS key ARN for log encryption. When specified, the CloudWatch Log Group is encrypted at rest using the provided KMS key.
Example
kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
Overview
When specified, the CloudWatch Log Group is encrypted using the provided KMS key, so all log data is encrypted at rest under a key you control rather than the CloudWatch Logs service-owned default. The key must be a symmetric KMS key in the same region as the log group, and the value is the full key ARN, as in the example above.
KMS Key Requirements
The key policy must contain a statement that lets the CloudWatch Logs service principal for the log group's region use the key. Substitute the real region and account ID for region and account-id below; the service principal must name the region where the log group lives. The ArnLike condition scopes the grant to log groups in that account through the aws:logs:arn encryption context that CloudWatch Logs supplies on every KMS call; to restrict the grant to a single log group, use ArnEquals with the full log group ARN (arn:aws:logs:region:account-id:log-group:log-group-name) instead of the wildcard.
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.region.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:*"
    }
  }
}
This is one statement in the key's Statement array, not the whole policy. Keep the usual administrative statement for the account (the account root principal with kms:* on the key) alongside it; a key policy containing only the CloudWatch Logs statement leaves no principal able to manage the key. If the key is later disabled, scheduled for deletion, or this statement is removed, CloudWatch Logs can neither encrypt incoming events nor decrypt stored ones, and the log group's data stays unreadable until access is restored.
Best Practices
- Use customer-managed keys where compliance requires control over the key policy, its audit trail, and the ability to revoke access
- Ensure the key policy allows the CloudWatch Logs service principal for the log group's region, and scope the grant with the aws:logs:arn encryption context
- Enable automatic key rotation; KMS retains earlier key material, so existing log data stays readable after rotation
- Use separate keys for different environments or sensitivity levels so that key policy and revocation apply per boundary
Full Module Example
module "cloudwatch_logs" {
  source  = "registry.patterneddesigns.ca/essentials/cloudwatch-logs/aws"
  version = "1.0.0"

  # kms_key_arn
  kms_key_arn = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

  # Other required inputs
  log_group_name = "/aws/lambda/my-function"
}
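The configuration below is an added example, not code from the module or its documentation. It extends the module example with the key itself: a customer-managed key whose policy grants CloudWatch Logs access scoped to exactly the log group the module creates (using ArnEquals rather than the account-wide wildcard from the requirements section), keeps the account's administrative access, enables rotation, and passes the resulting ARN to kms_key_arn. It assumes a configured hashicorp/aws provider (v5) and the module source and version shown on this page; the alias name and local names are illustrative.

```hcl
# Added example (not the module's own code). Assumes the hashicorp/aws
# provider v5 is configured; module source/version are the ones on this page.

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}

locals {
  log_group_name = "/aws/lambda/my-function"

  # Built from strings rather than from the module's outputs, so the key
  # policy does not depend on a log group that itself depends on the key.
  log_group_arn = "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_name}"
}

data "aws_iam_policy_document" "logs_key" {
  # Administrative access via the account root; without this statement
  # no IAM principal in the account can manage (or delete) the key.
  statement {
    sid       = "EnableAccountAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch Logs may use the key only for this one log group: the
  # service sets aws:logs:arn in the encryption context, and ArnEquals
  # pins it to the exact log group ARN instead of an account-wide wildcard.
  statement {
    sid    = "AllowCloudWatchLogsForOneLogGroup"
    effect = "Allow"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = [local.log_group_arn]
    }
  }
}

resource "aws_kms_key" "logs" {
  description             = "CMK for CloudWatch Logs: ${local.log_group_name}"
  enable_key_rotation     = true # yearly rotation; earlier key material is retained
  deletion_window_in_days = 30   # recovery window before the key (and the logs) are gone
  policy                  = data.aws_iam_policy_document.logs_key.json
}

resource "aws_kms_alias" "logs" {
  name          = "alias/cloudwatch-logs-my-function" # illustrative alias name
  target_key_id = aws_kms_key.logs.key_id
}

module "cloudwatch_logs" {
  source  = "registry.patterneddesigns.ca/essentials/cloudwatch-logs/aws"
  version = "1.0.0"

  log_group_name = local.log_group_name
  kms_key_arn    = aws_kms_key.logs.arn # the key ARN, not the alias ARN
}
```

Because the condition names one log group, a second log group encrypted with the same key needs its own statement (or the wildcard form from the requirements section); `terraform plan` renders the policy JSON so it can be reviewed before the key is created.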