Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs
Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret with a unique data key that is protected by an AWS KMS customer master key (CMK). This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the CMK and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.
Risk Level: High
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.AWS.CRY.50
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
SecretManager should not have kmsKeyId isEmpty()
REMEDIATION
From console
- Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager
- From the list of secrets, choose your secret.
- On the secret details page, To update the encryption key, in the Secrets details section, choose Actions, and then choose Edit encryption key.
- Select the KMS key or aws/secretsmanager.
From Command Line
- Use the following CLI command to update the kms hey associated with the secret:
aws secretsmanager update-secret --secret-id MY_SECRET_ID --kms-key-id KMS_KEY_ID
From TF
resource "aws_secretsmanager_secret" "example" {
name = "example"
...
kms_key_id = "KMS_KEY_ID"
...
}
References
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/update-secret.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/update-secret.html
Amazon Secrets Manager
AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago