diff --git a/main.tf b/main.tf
index aa37d35..5a6d635 100644
--- a/main.tf
+++ b/main.tf
@@ -1061,6 +1061,9 @@ resource "aws_cloudwatch_log_group" "agentless_scan_log_group" {
 count = var.regional ? 1 : 0
 name = "/ecs/${aws_ecs_cluster.agentless_scan_ecs_cluster[0].name}"
 retention_in_days = 14
+ # the KMS will need to allow the log group to use it.
+ # See https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+ kms_key_id = var.secretsmanager_kms_key_id
 }
 resource "aws_cloudwatch_event_rule" "agentless_scan_event_rule" {
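Review bot: The new `kms_key_id` line makes log-group creation depend on a key-policy grant that the comment mentions but this commit does not add or verify; the key passed via `var.secretsmanager_kms_key_id` must allow the CloudWatch Logs service principal (`logs.<region>.amazonaws.com`) to use it, ideally scoped with a `kms:EncryptionContext:aws:logs:arn` condition on this log group's ARN rather than a blanket grant, and without that `terraform apply` fails when the group is created or an existing group is associated. Note also that `aws_cloudwatch_log_group.kms_key_id` expects the key ARN, so if that variable holds a bare key ID or alias (its name suggests it was sized for Secrets Manager, which accepts either) the association will be rejected — worth confirming against the variable's definition, which is outside this hunk. Reusing the Secrets Manager key for log encryption also widens that key's blast radius and couples the two services' key policies; a dedicated logs key (or a variable named for its actual purpose) would keep the grants minimal. I'd replace the vague first comment line with `# The key's policy must grant logs.<region>.amazonaws.com Encrypt*/Decrypt*/ReEncrypt*/GenerateDataKey*/Describe*, conditioned on kms:EncryptionContext:aws:logs:arn; pass the key ARN, not an ID or alias.`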