@omercnet

┌─────────────────────────────────────────────────────┐
│  🔐  ENCRYPTION AT REST  🔐                         │
│                                                     │
│  Control Tower Compliance for AWS Resources         │
└─────────────────────────────────────────────────────┘

Summary

Fixes #61

Adds encryption at rest configuration to AWS resources for Control Tower compliance.

Changes

Resource              File                    Encryption
IssueDetectionQueue   infra/issues.ts         SQS managed SSE
BillingQueue          infra/billing.ts        SQS managed SSE
IssueStream           infra/issues.ts         KMS (alias/aws/kinesis)
Storage               infra/storage.ts        AES256
PublicStorage_*       infra/storage.ts        AES256
SubscriberLogGroup    infra/issues.ts (CFN)   Optional KMS parameter

Control Tower Controls Addressed

  • CT.SQS.PR.2 - SQS queues encrypted at rest
  • CT.KINESIS.PR.1 - Kinesis streams encrypted at rest
  • CT.S3.PR.1 - S3 buckets with server-side encryption
  • CT.CLOUDWATCH.PR.2 - CloudWatch log groups (optional KMS)

CloudFormation Template

The customer-deployed CloudFormation template now includes an optional logGroupKmsKeyArn parameter. Customers can provide their own KMS key ARN if they require log group encryption for compliance. If left empty, encryption is not applied (maintains backwards compatibility).

Parameters:
  logGroupKmsKeyArn:
    Type: String
    Default: ""
    Description: Optional KMS key ARN for encrypting CloudWatch logs at rest.

Testing

  • TypeScript compiles without errors
  • Manual deployment test (requires AWS account)

Fixes anomalyco#61

- Enable SQS managed SSE on IssueDetectionQueue and BillingQueue
- Add KMS encryption to IssueStream (Kinesis)
- Add AES256 server-side encryption to Storage and PublicStorage buckets
- Add optional KMS key parameter for CloudFormation LogGroup encryption
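As an added example, not code from this PR or the project, the following TypeScript is a small offline checker in the spirit of the Control Tower proactive controls listed above. It walks a CloudFormation template in JSON form, resolves the Ref, Fn::Equals, Fn::Not and Fn::If intrinsics against parameter values, and reports which SQS queues, Kinesis streams, S3 buckets and log groups lack encryption at rest. The template it runs over is constructed here to mirror the resources in the table above (plus one deliberately unencrypted queue) and shows the conditional pattern the optional logGroupKmsKeyArn parameter needs: KmsKeyId is set via Fn::If, with AWS::NoValue omitting the property when the parameter is empty. The names resolve, encryptedAtRest, checkEncryption, unencrypted and sampleTemplate are chosen for this example and do not appear in the project.

```typescript
// Added example, not code from the PR: an offline checker in the spirit of the Control
// Tower proactive controls listed above. It walks a CloudFormation template in JSON form,
// resolves Ref / Fn::Equals / Fn::Not / Fn::If against parameter values, and reports which
// SQS queues, Kinesis streams, S3 buckets and log groups lack encryption at rest.
type Json = any;

interface Finding { logicalId: string; type: string; ok: boolean; }

// Resolve the intrinsics needed here; anything else is returned unchanged.
function resolve(node: Json, params: Record<string, string>, conds: Json): Json {
  if (Array.isArray(node)) return node.map((n: Json) => resolve(n, params, conds));
  if (node === null || typeof node !== "object") return node;
  if ("Ref" in node) {
    if (node.Ref === "AWS::NoValue") return undefined; // caller drops the property
    return node.Ref in params ? params[node.Ref] : node;
  }
  if ("Fn::Equals" in node) {
    const [a, b] = resolve(node["Fn::Equals"], params, conds);
    return a === b;
  }
  if ("Fn::Not" in node) return !resolve(node["Fn::Not"][0], params, conds);
  if ("Fn::If" in node) {
    const [condName, ifTrue, ifFalse] = node["Fn::If"];
    return resolve(resolve(conds[condName], params, conds) ? ifTrue : ifFalse, params, conds);
  }
  const out: Json = {};
  for (const k of Object.keys(node)) {
    const r = resolve(node[k], params, conds);
    if (r !== undefined) out[k] = r; // AWS::NoValue removes the property, as CloudFormation does
  }
  return out;
}

// Does a resolved resource have encryption at rest configured? Types outside the PR's scope -> null.
function encryptedAtRest(type: string, p: Json): boolean | null {
  switch (type) {
    case "AWS::SQS::Queue":      // CT.SQS.PR.2: managed SSE or a KMS key
      return p.SqsManagedSseEnabled === true || !!p.KmsMasterKeyId;
    case "AWS::Kinesis::Stream": // CT.KINESIS.PR.1: StreamEncryption with a KMS key
      return p.StreamEncryption?.EncryptionType === "KMS" && !!p.StreamEncryption?.KeyId;
    case "AWS::S3::Bucket": {    // default SSE rule with AES256 or aws:kms
      const algo = p.BucketEncryption?.ServerSideEncryptionConfiguration?.[0]
        ?.ServerSideEncryptionByDefault?.SSEAlgorithm;
      return algo === "AES256" || algo === "aws:kms";
    }
    case "AWS::Logs::LogGroup":  // a customer-managed key set via KmsKeyId
      return typeof p.KmsKeyId === "string" && p.KmsKeyId.length > 0;
    default:
      return null;
  }
}

// Evaluate the template with parameter defaults, overridden as they would be at deploy time.
function checkEncryption(template: Json, overrides: Record<string, string> = {}): Finding[] {
  const params: Record<string, string> = {};
  for (const name of Object.keys(template.Parameters ?? {})) {
    params[name] = overrides[name] ?? template.Parameters[name].Default ?? "";
  }
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources ?? {})) {
    const { Type, Properties } = template.Resources[logicalId];
    const ok = encryptedAtRest(Type, resolve(Properties ?? {}, params, template.Conditions ?? {}));
    if (ok !== null) findings.push({ logicalId, type: Type, ok });
  }
  return findings;
}

function unencrypted(findings: Finding[]): string[] {
  return findings.filter((f) => !f.ok).map((f) => f.logicalId);
}

// Constructed sample template mirroring the PR's resources (not the project's real template).
const sampleTemplate: Json = {
  Parameters: { logGroupKmsKeyArn: { Type: "String", Default: "" } },
  Conditions: {
    HasLogGroupKmsKey: { "Fn::Not": [{ "Fn::Equals": [{ Ref: "logGroupKmsKeyArn" }, ""] }] },
  },
  Resources: {
    IssueDetectionQueue: { Type: "AWS::SQS::Queue", Properties: { SqsManagedSseEnabled: true } },
    IssueStream: { Type: "AWS::Kinesis::Stream", Properties: {
      ShardCount: 1, StreamEncryption: { EncryptionType: "KMS", KeyId: "alias/aws/kinesis" } } },
    Storage: { Type: "AWS::S3::Bucket", Properties: { BucketEncryption: {
      ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] } } },
    SubscriberLogGroup: { Type: "AWS::Logs::LogGroup", Properties: {
      RetentionInDays: 30,
      // Apply the key only when the parameter is non-empty; otherwise the property is omitted.
      KmsKeyId: { "Fn::If": ["HasLogGroupKmsKey", { Ref: "logGroupKmsKeyArn" }, { Ref: "AWS::NoValue" }] },
    } },
    LegacyQueue: { Type: "AWS::SQS::Queue", Properties: {} }, // deliberately left unencrypted
  },
};

console.log(unencrypted(checkEncryption(sampleTemplate)));
console.log(unencrypted(checkEncryption(sampleTemplate,
  { logGroupKmsKeyArn: "arn:aws:kms:us-east-1:123456789012:key/example" })));
```

With the parameter left at its empty default the checker reports SubscriberLogGroup and LegacyQueue; with a key ARN supplied only LegacyQueue remains. Two caveats a deployer should keep in mind: leaving the parameter empty means the log group stays on CloudWatch Logs' service-managed encryption rather than a customer-managed key, which is what the checker flags, and when a key ARN is supplied its key policy must allow the CloudWatch Logs service principal (logs.<region>.amazonaws.com) to use the key, or associating it with the log group fails. The resolver deliberately handles only the four intrinsics the pattern needs; other functions are passed through unchanged.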
Linked issue: Add encryption at rest for Control Tower compliance