SecurityConfig / CloudWatchConfig / LogGroupsConfig / EncryptionConfig

CloudWatch log group encryption configuration. Use this configuration to enable encryption for a log group.

Example

Key name reference example:

kmsKeyName: key1

Solution-managed KMS key example:

useLzaManagedKey: true

Existing KMS key reference:

kmsKeyArn: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Hierarchy

  • EncryptionConfig


Properties

kmsKeyArn: undefined | string = undefined

(OPTIONAL) The ARN of the KMS key used to encrypt the AWS CloudWatch Logs log group. This should be a KMS key that is not managed by Landing Zone Accelerator.

Remarks

CAUTION: When importing an existing AWS CloudWatch Logs log group that already has encryption enabled, specifying any KMS parameter under the encryption configuration causes Landing Zone Accelerator on AWS to associate a new key with the log group. It is recommended to verify which processes or applications are using the previous key, and that they have access to the new key, before updating.

Note: If you use the kmsKeyArn parameter to encrypt your AWS CloudWatch Logs log groups, the key policy of the CMK must grant the CloudWatch Logs service principal the cryptographic API calls it needs (encrypt, decrypt, re-encrypt, generate data key and describe). For more information on how to manage the CMK for logs service access, please review the documentation.

See

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
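The check the Note above recommends can be done offline against the key policy document before the log group is repointed at the key. The following helper is an added example written for this page; it is not part of Landing Zone Accelerator and assumes the policy shape from the linked AWS documentation: an Allow statement for the regional logs service principal with the kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and kms:Describe* actions, scoped with an ArnEquals or ArnLike condition on the kms:EncryptionContext:aws:logs:arn context key. The account id, key and log group names in the sample policy are constructed.

```python
"""Offline check: does a KMS key policy let CloudWatch Logs use the key for a given log group?

Hypothetical helper (not LZA code). It evaluates only Allow statements whose
principal is the logs service; explicit Deny statements and grants are not considered.
"""
import fnmatch
import json

# Operations the CloudWatch Logs service needs on the CMK (per the AWS docs).
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
                    "kms:GenerateDataKey", "kms:Describe")
CONTEXT_KEY = "kms:EncryptionContext:aws:logs:arn"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(required, granted):
    # IAM action names are case-insensitive; "kms:Encrypt*" or "kms:*" covers "kms:Encrypt".
    return any(fnmatch.fnmatchcase(required.lower(), g.lower()) for g in granted)


def _context_matches(statement, log_group_arn):
    """Return (has_condition, matches) for the aws:logs:arn encryption-context condition."""
    cond = statement.get("Condition", {})
    patterns = []
    for op in ("ArnEquals", "ArnLike"):
        patterns += _as_list(cond.get(op, {}).get(CONTEXT_KEY, []))
    if not patterns:
        return False, True  # unconditioned statement applies to every log group
    return True, any(fnmatch.fnmatchcase(log_group_arn, p) for p in patterns)


def check_logs_key_policy(policy, region, log_group_arn):
    """Report whether the logs service can use the key for log_group_arn and what is missing."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    service_principals = {f"logs.{region}.amazonaws.com", "logs.amazonaws.com"}
    covered, unconditioned = set(), False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        if not services & service_principals:
            continue
        has_cond, matches = _context_matches(st, log_group_arn)
        if not matches:
            continue  # statement is scoped to other log groups
        if not has_cond:
            unconditioned = True
        covered |= {a for a in REQUIRED_ACTIONS if _covers(a, _as_list(st.get("Action", [])))}
    missing = [a for a in REQUIRED_ACTIONS if a not in covered]
    return {"allowed": not missing, "missing_actions": missing,
            "scoped_to_log_group": bool(covered) and not unconditioned}


def _logs_statement(actions, log_group_arn):
    return {"Effect": "Allow", "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
            "Action": actions, "Resource": "*",
            "Condition": {"ArnEquals": {CONTEXT_KEY: log_group_arn}}}


# Constructed sample policy (fictitious account id and log group names).
APP_LOG_GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:app-logs"
FULL_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    _logs_statement(FULL_ACTIONS, APP_LOG_GROUP)]}
# Same policy but without kms:Describe* for the logs service.
SAMPLE_POLICY_NO_DESCRIBE = {"Version": "2012-10-17", "Statement": [
    _logs_statement(FULL_ACTIONS[:-1], APP_LOG_GROUP)]}

if __name__ == "__main__":
    print(json.dumps(check_logs_key_policy(SAMPLE_POLICY, "us-east-1", APP_LOG_GROUP), indent=2))
    print(json.dumps(check_logs_key_policy(SAMPLE_POLICY_NO_DESCRIBE, "us-east-1", APP_LOG_GROUP), indent=2))
```

Run it against the output of `aws kms get-key-policy --policy-name default` for the target key and the ARN of each log group you plan to re-encrypt; a result with `missing_actions` non-empty means the switch would leave the log group unable to write or read encrypted data, and `scoped_to_log_group` false means the grant is broader than a single log group.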

kmsKeyName: undefined | string = undefined

(OPTIONAL) Use this property to reference, by name, a KMS key that is created by Landing Zone Accelerator.

Remarks

CAUTION: When importing an existing AWS CloudWatch Logs log group that already has encryption enabled, specifying any KMS parameter under the encryption configuration causes Landing Zone Accelerator on AWS to associate a new key with the log group. It is recommended to verify which processes or applications are using the previous key, and that they have access to the new key, before updating.

This is the logical name property of the key as defined in security-config.yaml.

See

KeyConfig

useLzaManagedKey: undefined | boolean = undefined

(OPTIONAL) Set this property to true if you would like to use the default CloudWatch Logs KMS CMK that is deployed by Landing Zone Accelerator.

Remarks

CAUTION: When importing an existing AWS CloudWatch Logs log group that already has encryption enabled, specifying any KMS parameter under the encryption configuration causes Landing Zone Accelerator on AWS to associate a new key with the log group. It is recommended to verify which processes or applications are using the previous key, and that they have access to the new key, before updating.

This key is deployed to all accounts managed by the solution by default.
