AWS-SM-Secrets-uses-default-KMS-Key-for-encryption

Severity: High

Description: This control ensures that all Secrets in AWS secret manager are encrypted using KMS CMK. AWS Secrets Manager service provides secure management of information such as database credentials, passwords, third-party API keys, and arbitrary text. This information is termed as secrets and can be retrieved from centralized storage whenever needed. Use of KMS CMK is recommended to encrypt the secrets when stored at rest.

Remediation Steps:

Perform following to set CMK for SM secrets :

1. Login to the AWS Management Console at https://console.aws.amazon.com

2. Go to Secret Manager in services

3. Click on the secret to be modified.

4. Click on Actions and select Edit encryption key.

5. Select an appropriate KMS Customer Managed Key (CMK) from the list.

6. Check Create new version of secret with new encryption key option.

7. Click Save.

Important:

Reference:

• Data protection in AWS Secrets Manager - AWS Secrets Manager

• update-secret — AWS CLI 1.36.4 Command Reference