# cloudwatch-log-group-encrypted
<a name="cloudwatch-log-group-encrypted"></a>

Checks if Amazon CloudWatch Log Groups are encrypted with any Amazon KMS key or a specified Amazon KMS key Id. The rule is NON\$1COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter. 



**Identifier:** CLOUDWATCH\$1LOG\$1GROUP\$1ENCRYPTED

**Resource Types:** AWS::Logs::LogGroup

**Trigger type:** Periodic

**Amazon Web Services Region:** All supported Amazon regions

**Parameters:**

KmsKeyId (Optional)Type: String  
Amazon Resource Name (ARN) of the ID for the KMS key that is used to encrypt the log group.

## Amazon CloudFormation template
<a name="w2aac20c16c17b7d353c19"></a>

To create Amazon Config managed rules with Amazon CloudFormation templates, see [Creating Amazon Config Managed Rules With Amazon CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).