Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub

Query: elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk

Usage

powerpipe query aws_compliance.query.elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk

Steampipe Tables

aws_elasticache_replication_group
aws_kms_key
Amazon Web Services plugin

SQL

with aws_elasticache_replication_groups as (
  select
    arn,
    at_rest_encryption_enabled,
    title,
    kms_key_id,
    region,
    account_id,
    _ctx
  from
    aws_elasticache_replication_group
  order by
    arn
),
kms_keys as (
  select
    k.arn,
    k.region,
    k.account_id,
    k.enabled
  from
    aws_kms_key as k
)
select
  r.arn as resource,
  case
    when not at_rest_encryption_enabled then 'alarm'
    when at_rest_encryption_enabled
    and kms_key_id is null then 'alarm'
    when at_rest_encryption_enabled
    and kms_key_id is not null
    and k.enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when not at_rest_encryption_enabled then r.title || ' encryption at rest disabled.'
    when at_rest_encryption_enabled
    and kms_key_id is null then r.title || ' encryption at rest not enabled with CMK.'
    when at_rest_encryption_enabled
    and kms_key_id is not null
    and k.enabled then r.title || ' encryption at rest enabled with CMK.'
    else r.title || ' encryption at rest enabled with disabled CMK.'
  end as reason,
  r.region,
  r.account_id
from
  aws_elasticache_replication_groups as r
  left join kms_keys as k on k.arn = r.kms_key_id;

Controls

The query is being used by the following controls: