Ensure that Secrets Manager secret is encrypted using KMS CMK

ID: secrets_manager_encrypted_cmk

Severity: low

Vendor: AWS

Resource: Secrets Manager

Tags: reachable

Description

Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can’t be compromised by someone examining your code, because the secret no longer exists in the code.

Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.

By default, Secrets Manager secrets are encrypted using the AWS-managed key aws/secretsmanager. Alternatively, you can specify a customer managed key (CMK), which gives you more flexibility, including the ability to create, rotate, and disable KMS keys.

Examples

CloudFormation

{
  "Resources": {
    "MySecretB": { (1)
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "MySecretForAppB",
        "Description": "This secret has a hardcoded password in SecretString (use GenerateSecretString instead)",
        "SecretString": "{\"username\":\"MasterUsername\",\"password\":\"secret-password\"}",
        "Tags": [
          {
            "Key": "AppName",
            "Value": "AppB"
          }
        ]
      }
    }
  }
}
1 KmsKeyId not set means the default AWS-managed KMS key is used for encryption.
Resources:
  MySecretB: (1)
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppB
      Description: This secret has a hardcoded password in SecretString (use GenerateSecretString instead)
      SecretString: '{"username":"MasterUsername","password":"secret-password"}'
      Tags:
        - Key: AppName
          Value: AppB
1 KmsKeyId not set means the default AWS-managed KMS key is used for encryption.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MySecretB": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "MySecretForAppB",
        "Description": "This secret has a hardcoded password in SecretString (use GenerateSecretString instead)",
        "KmsKeyId": "KMS-KEY-ARN", (1)
        "Tags": [
          {
            "Key": "AppName",
            "Value": "AppB"
          }
        ]
      }
    }
  }
}
1 KmsKeyId set means a customer managed KMS key is used for encryption.
Resources:
  MySecretB:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: MySecretForAppB
      Description: This secret has a hardcoded password in SecretString (use GenerateSecretString instead)
      KmsKeyId: KMS-KEY-ARN (1)
1 KmsKeyId set means a customer managed KMS key is used for encryption.
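The following is an added buildtime check, not part of this policy page or of any scanner's own code, that shows how the rule above can be evaluated against a parsed CloudFormation template. It walks every AWS::SecretsManager::Secret resource and reports the policy ID when KmsKeyId is absent, empty, or points at the AWS-managed key (bare alias or alias ARN); an intrinsic function such as Ref is assumed to resolve to a customer managed key at deploy time. Because the page's own example descriptions warn against a literal SecretString, the check also reports that as a second, separately labelled issue. The three sample templates, the finding label hardcoded_secret_string, and the key ARN values in the comments are constructed for this example.

```python
import json
import sys

SECRET_TYPE = "AWS::SecretsManager::Secret"
# Alias of the default AWS-managed key; referencing it explicitly is still not a CMK.
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"

# Constructed sample templates (assumed for this example, not files from the page).
# 1) mirrors the page's "Examples" section: no KmsKeyId, literal SecretString
TEMPLATE_NO_KMS_KEY = {
    "Resources": {
        "MySecretB": {
            "Type": SECRET_TYPE,
            "Properties": {
                "Name": "MySecretForAppB",
                "SecretString": '{"username":"MasterUsername","password":"secret-password"}',
            },
        }
    }
}

# 2) mirrors the "Mitigation / Fix" section, with a CMK created in the same template
TEMPLATE_CMK = {
    "Resources": {
        "SecretKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "CMK for secrets"}},
        "MySecretB": {
            "Type": SECRET_TYPE,
            "Properties": {
                "Name": "MySecretForAppB",
                "KmsKeyId": {"Ref": "SecretKey"},
                "GenerateSecretString": {
                    "SecretStringTemplate": '{"username":"MasterUsername"}',
                    "GenerateStringKey": "password",
                },
            },
        },
    }
}

# 3) edge case: KmsKeyId is set, but to the AWS-managed alias
TEMPLATE_AWS_MANAGED_ALIAS = {
    "Resources": {
        "MySecretC": {
            "Type": SECRET_TYPE,
            "Properties": {"Name": "MySecretForAppC", "KmsKeyId": AWS_MANAGED_ALIAS},
        }
    }
}


def uses_customer_managed_key(kms_key_id):
    """True when KmsKeyId is set to something other than the AWS-managed key.

    A dict is a CloudFormation intrinsic (Ref, Fn::GetAtt, Fn::ImportValue) that
    only resolves at deploy time; this buildtime check assumes it names a CMK.
    """
    if isinstance(kms_key_id, dict):
        return True
    if not isinstance(kms_key_id, str) or not kms_key_id.strip():
        return False
    key = kms_key_id.strip()
    # The AWS-managed key may be written as a bare alias or as an alias ARN,
    # e.g. arn:aws:kms:us-east-1:111122223333:alias/aws/secretsmanager (constructed).
    return not (key == AWS_MANAGED_ALIAS or key.endswith(":" + AWS_MANAGED_ALIAS))


def check_template(template):
    """Return [(logical_id, issue), ...] for every Secrets Manager secret that fails."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SECRET_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not uses_customer_managed_key(props.get("KmsKeyId")):
            findings.append((logical_id, "secrets_manager_encrypted_cmk"))
        # Secondary check prompted by the page's example descriptions: a literal
        # SecretString is a hardcoded credential; GenerateSecretString is preferred.
        if isinstance(props.get("SecretString"), str):
            findings.append((logical_id, "hardcoded_secret_string"))
    return findings


if __name__ == "__main__":
    # Usage: python check_secrets_cmk.py template.json   (JSON templates; no YAML parser here)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = TEMPLATE_NO_KMS_KEY
    for logical_id, issue in check_template(template):
        print(f"{issue}: {logical_id}")
```

Run without arguments it evaluates the first sample and reports both issues for MySecretB; given a JSON template path it evaluates that file. YAML templates need a parser that understands the short-form intrinsics (!Ref, !GetAtt), which is why only JSON is handled here.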