Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs

Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret with a unique data key that is protected by an AWS KMS customer master key (CMK). This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the CMK and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.

Risk Level: High
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.TF.AWS.CRY.50
Covered by Spectral: No
Category: Security, Identity, & Compliance


aws_secretsmanager_secret should have kms_key_id
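The rule above flags any aws_secretsmanager_secret resource that omits kms_key_id, because Secrets Manager then falls back to the AWS-managed key aws/secretsmanager, on which you cannot set a custom key policy or audit usage per principal. The following Terraform is an added example written for this page, not CloudGuard's or the AWS provider's own code: it shows the non-compliant resource beside a compliant one that is encrypted under a customer managed CMK with rotation enabled and a key policy scoped to Secrets Manager. The resource names, the secret name, the var.app_role_arn variable and the region/account data sources are assumptions for illustration.

```hcl
# Non-compliant: no kms_key_id, so the secret is encrypted under the
# AWS-managed key aws/secretsmanager and this rule flags the resource.
resource "aws_secretsmanager_secret" "db_password_noncompliant" {
  name = "prod/db/password-unmanaged-key" # hypothetical secret name
}

# Hypothetical input: the IAM role of the application that reads the secret.
variable "app_role_arn" {
  type        = string
  description = "ARN of the role allowed to decrypt secrets with this CMK"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Customer managed CMK dedicated to Secrets Manager. Annual rotation is
# enabled and the key policy below restricts who can use it and via which service.
resource "aws_kms_key" "secrets" {
  description             = "CMK protecting Secrets Manager secrets"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.secrets_key.json
}

resource "aws_kms_alias" "secrets" {
  name          = "alias/secrets-manager-cmk" # hypothetical alias
  target_key_id = aws_kms_key.secrets.key_id
}

data "aws_iam_policy_document" "secrets_key" {
  # The account root keeps administrative control of the key so IAM
  # policies in the account can still manage it.
  statement {
    sid       = "EnableKeyAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Only the application role may use the key, and only when the request
  # comes through Secrets Manager in this region (kms:ViaService), so the
  # role cannot call KMS directly with this key.
  statement {
    sid       = "AllowUseViaSecretsManagerOnly"
    effect    = "Allow"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.app_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

# Compliant: every version of this secret is protected by a data key that
# is itself wrapped by the customer managed CMK above.
resource "aws_secretsmanager_secret" "db_password" {
  name                    = "prod/db/password" # hypothetical secret name
  kms_key_id              = aws_kms_key.secrets.arn
  recovery_window_in_days = 30
}
```

After applying, confirm the association outside Terraform with `aws secretsmanager describe-secret --secret-id <value>`; the KmsKeyId field in the response should reference the CMK rather than being absent. Because KMS decrypt calls made on behalf of Secrets Manager are logged in CloudTrail with the calling principal, the scoped key policy also gives you an audit trail of who retrieved the secret.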


Use the following CLI command to update the KMS key associated with the secret:

aws secretsmanager update-secret --secret-id <value> --kms-key-id <value>

Reference: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/update-secret.html

Amazon Secrets Manager

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

Compliance Frameworks

  • Terraform AWS CIS Foundations