Readonly kmsKeyArn (OPTIONAL)
Reference the ARN of the KMS key that is used to encrypt the AWS CloudWatch Logs group. This should be a KMS key that is not managed by Landing Zone Accelerator.
CAUTION: When importing an existing AWS CloudWatch Logs group that already has encryption enabled, specifying any KMS parameter under the encryption configuration causes Landing Zone Accelerator on AWS to associate a new key with the log group. Before updating, it is recommended to verify whether any processes or applications are using the previous key and that they have access to the new key.
Note: If using the kmsKeyArn parameter to encrypt your AWS CloudWatch Logs groups, the logs service must be permitted to make the necessary cryptographic API calls against the CMK. For more information on how to manage the CMK for logs service access, please review the documentation:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
Readonly kms (OPTIONAL)
Use this property to reference a KMS key name that is created by Landing Zone Accelerator. This is the logical name property of the key as defined in security-config.yaml.
CAUTION: When importing an existing AWS CloudWatch Logs group that already has encryption enabled, specifying any KMS parameter under the encryption configuration causes Landing Zone Accelerator on AWS to associate a new key with the log group. Before updating, it is recommended to verify whether any processes or applications are using the previous key and that they have access to the new key.
Readonly use (OPTIONAL)
Set this property to true if you would like to use the default CloudWatch Logs KMS CMK that is deployed by Landing Zone Accelerator. This key is deployed to all accounts managed by the solution by default.
CAUTION: When importing an existing AWS CloudWatch Logs group that already has encryption enabled, specifying any KMS parameter under the encryption configuration causes Landing Zone Accelerator on AWS to associate a new key with the log group. Before updating, it is recommended to verify whether any processes or applications are using the previous key and that they have access to the new key.
SecurityConfig / CloudWatchConfig / LogGroupsConfig / EncryptionConfig
CloudWatch log group encryption configuration. Use this configuration to enable encryption for a log group.
Example
Key name reference example:
Solution-managed KMS key example:
Existing KMS key reference:
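The three example headings above have no content on this page. The following is an added illustration, not copied from the Landing Zone Accelerator documentation or repository, showing one log group per option in the cloudWatch.logGroups section of security-config.yaml. The property name kmsKeyArn is taken from the page; kmsKeyName and useLzaManagedKey are assumed to be the full names of the properties the page shows truncated as "kms" and "use", and the surrounding logGroups/logGroupName structure is assumed from the CloudWatchConfig / LogGroupsConfig hierarchy in the page title. Every key name, account number and key ID is a constructed placeholder.

```yaml
# Added example (not from the Landing Zone Accelerator project). Assumed structure:
# cloudWatch -> logGroups -> encryption, with property names kmsKeyName and
# useLzaManagedKey assumed from the truncated names on the page. Each log group
# sets exactly one of the three encryption properties.
cloudWatch:
  logGroups:
    # Key name reference: a key created by Landing Zone Accelerator, referenced by the
    # logical name it carries in security-config.yaml (placeholder name below).
    - logGroupName: /example/app-with-lza-created-key
      encryption:
        kmsKeyName: ExampleCloudWatchLogsKey

    # Solution-managed key: the default CloudWatch Logs CMK that the solution deploys
    # to every managed account.
    - logGroupName: /example/app-with-default-key
      encryption:
        useLzaManagedKey: true

    # Existing key reference: the ARN of a key that is NOT managed by Landing Zone
    # Accelerator. Its key policy must allow the CloudWatch Logs service to make the
    # cryptographic API calls it needs (see the AWS documentation linked in the note
    # for kmsKeyArn). Account ID and key ID are placeholders.
    - logGroupName: /example/app-with-external-key
      encryption:
        kmsKeyArn: arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000
```

When the log group being configured already exists with encryption enabled, the CAUTION on each property applies: whichever of the three properties is set, the solution associates the named key with the log group, so confirm which key currently protects the group and which readers depend on it before applying the change.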