

# cloudwatch-log-group-encrypted
<a name="cloudwatch-log-group-encrypted"></a>

Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key ID. The rule is NON\_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter.



**Identifier:** CLOUDWATCH\_LOG\_GROUP\_ENCRYPTED

**Resource Types:** AWS::Logs::LogGroup

**Trigger type:** Periodic

**AWS Region:** All supported AWS regions

**Parameters:**

KmsKeyId (Optional)  
Type: String  
Amazon Resource Name (ARN) of the ID for the KMS key that is used to encrypt the log group.
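
The following added example (not AWS's implementation of the managed rule) applies the compliance logic described above to records shaped like the CloudWatch Logs `describe_log_groups` response, so log groups can be pre-checked between periodic evaluations. It assumes the `KmsKeyId` parameter is a full key ARN compared by exact string match; the function names, account ID and key ARNs are constructed for illustration.

```python
"""Local approximation of the cloudwatch-log-group-encrypted check (added example)."""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_log_group(log_group, kms_key_id=None):
    """Return (compliance, reason) for one describe_log_groups record."""
    actual = log_group.get("kmsKeyId")
    if not actual:
        return NON_COMPLIANT, "log group is not encrypted with a KMS key"
    # Assumption: the KmsKeyId parameter is a full key ARN, compared exactly.
    if kms_key_id and actual != kms_key_id:
        return NON_COMPLIANT, "encrypted with a KMS key other than the one required"
    return COMPLIANT, "encrypted with an accepted KMS key"


def evaluate_log_groups(log_groups, kms_key_id=None):
    """Map log group name -> (compliance, reason)."""
    return {
        lg["logGroupName"]: evaluate_log_group(lg, kms_key_id)
        for lg in log_groups
    }


def fetch_log_groups(region_name=None):
    """List every log group in one region (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the evaluation above runs offline

    client = boto3.client("logs", region_name=region_name)
    groups = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups


# Constructed sample records in the shape describe_log_groups returns.
REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/app/payments", "kmsKeyId": REQUIRED_KEY},
    {"logGroupName": "/app/legacy", "kmsKeyId": OTHER_KEY},
    {"logGroupName": "/aws/lambda/resize"},  # no kmsKeyId: no KMS key associated
]

if __name__ == "__main__":
    for kms in (None, REQUIRED_KEY):
        print("KmsKeyId parameter:", kms)
        for name, (status, reason) in evaluate_log_groups(SAMPLE_LOG_GROUPS, kms).items():
            print(f"  {name}: {status} ({reason})")
```

Because the rule is periodic and regional, `fetch_log_groups` would need to be run once per Region of interest to cover the same scope.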

## AWS CloudFormation template
<a name="w2aac20c16c17b7d353c19"></a>

To create AWS Config managed rules with AWS CloudFormation templates, see [Creating AWS Config Managed Rules With AWS CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).