feat(logs): Add KMS key support to LogGroup

packages/@aws-cdk/aws-logs/README.md

@@ -41,11 +41,32 @@ lambda](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.h
 This is implemented using a [CloudFormation custom
 resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cfn-customresource.html)
 which pre-creates the log group if it doesn't exist, and sets the specified log retention period (never expire, by default).
- 
+
 By default, the log group will be created in the same region as the stack. The `logGroupRegion` property can be used to configure
 log groups in other regions. This is typically useful when controlling retention for log groups auto-created by global services that
 publish their log group to a specific region, such as AWS Chatbot creating a log group in `us-east-1`.
-
+
+### Encrypting Log Groups
+
+By default, log group data is always encrypted in CloudWatch Logs. You have the
+option to encrypt log group data using a AWS KMS customer master key (CMK) should
+you not wish to use the default AWS encryption. Keep in mind that if you decide to
+encrypt a log group, any service or IAM identity that needs to read the encrypted
+log streams in the future will require the same CMK to decrypt the data.
+
+Here's a simple example of creating an encrypted Log Group using a KMS CMK.
+
+```ts
+import * as kms from '@aws-cdk/aws-kms';
+
+new LogGroup(this, 'LogGroup', {
+  encryptionKey: new kms.Key(this, 'Key'),
+});
+```
+
+See the AWS documentation for more detailed information about [encrypting CloudWatch
+Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html).
+
 ### Subscriptions and Destinations
 
 Log events matching a particular filter can be sent to either a Lambda function
@@ -100,7 +121,7 @@ the name `Namespace/MetricName`.
 
 #### Exposing Metric on a Metric Filter
 
-You can expose a metric on a metric filter by calling the `MetricFilter.metric()` API. 
+You can expose a metric on a metric filter by calling the `MetricFilter.metric()` API.
 This has a default of `statistic = 'avg'` if the statistic is not set in the `props`.
 
 ```ts

packages/@aws-cdk/aws-logs/lib/log-group.ts

@@ -1,5 +1,6 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as iam from '@aws-cdk/aws-iam';
+import * as kms from '@aws-cdk/aws-kms';
 import { IResource, RemovalPolicy, Resource, Stack, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { LogStream } from './log-stream';
@@ -273,6 +274,13 @@ export enum RetentionDays {
  * Properties for a LogGroup
  */
 export interface LogGroupProps {
+  /**
+   * The KMS Key to encrypt the log group with.
+   *
+   * @default - log group is encrypted with the default master key
+   */
+  readonly encryptionKey?: kms.IKey;
+
   /**
    * Name of the log group.
    *
@@ -363,6 +371,7 @@ export class LogGroup extends LogGroupBase {
     }
 
     const resource = new CfnLogGroup(this, 'Resource', {
+      kmsKeyId: props.encryptionKey?.keyArn,
       logGroupName: this.physicalName,
       retentionInDays,
     });

packages/@aws-cdk/aws-logs/package.json

@@ -86,6 +86,7 @@
   "dependencies": {
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.2.0"
@@ -94,6 +95,7 @@
   "peerDependencies": {
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.2.0"

packages/@aws-cdk/aws-logs/test/test.loggroup.ts

@@ -1,10 +1,30 @@
 import { expect, haveResource, matchTemplate } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
+import * as kms from '@aws-cdk/aws-kms';
 import { CfnParameter, RemovalPolicy, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import { LogGroup, RetentionDays } from '../lib';
 
 export = {
+  'set kms key when provided'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const encryptionKey = new kms.Key(stack, 'Key');
+
+    // WHEN
+    new LogGroup(stack, 'LogGroup', {
+      encryptionKey,
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::Logs::LogGroup', {
+      KmsKeyId: { 'Fn::GetAtt': ['Key961B73FD', 'Arn'] },
+
+    }));
+
+    test.done();
+  },
+
   'fixed retention'(test: Test) {
     // GIVEN
     const stack = new Stack();
@@ -326,4 +346,4 @@ function dataDrivenTests(cases: any[][], body: (test: Test, ...args: any[]) => v
     };
   }
   return ret;
-}
+}