Ensure secrets are encrypted using AWS KMS key for AWS Secrets Manager

MEDIUM

Description

AWS Secrets Manager always encrypts secret values at rest, but when no KMS key is specified for a secret it falls back to the AWS managed key aws/secretsmanager. A secret encrypted under that default key gives you no control over the key policy or the rotation schedule, and it cannot be read from another AWS account, because the AWS managed key cannot be granted cross-account. This rule flags secrets that do not reference a customer managed AWS KMS key (no 'kms_key_id' set), so access to the secret value is governed only by Secrets Manager permissions rather than by both Secrets Manager and a key policy you own. A quick check for an existing secret is the KmsKeyId field in the DescribeSecret response: it is omitted when the secret uses the AWS managed key.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the Secrets Manager dashboard.
  2. Select the secret you wish to edit.
  3. In Secret Details, select the Actions drop down and choose Edit encryption key.
  4. Select the key to use for encryption and select Save.

In Terraform -

  1. In the aws_secretsmanager_secret resource, set 'kms_key_id' to the ARN, key ID or alias of a customer managed AWS KMS key. If the key lives in another account, only the key ARN is accepted. Any principal that reads the secret also needs kms:Decrypt on that key (and kms:GenerateDataKey to write new versions), granted through the key policy or IAM, otherwise GetSecretValue is denied even when the Secrets Manager permissions are correct.
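The following Terraform is an added example written for this page, not code taken from the referenced documentation or from any project. It creates a customer managed KMS key with automatic rotation and a key policy that lets an application role decrypt only through Secrets Manager, then shows the non-compliant secret (no 'kms_key_id', relying on aws/secretsmanager) beside the compliant one. The secret name, alias and the 'app_role_arn' variable are placeholders you would replace with your own values.

```hcl
# Added example for rule AC_AWS_0465. Names below are placeholders.

variable "app_role_arn" {
  description = "ARN of the IAM role that is allowed to read the secret (placeholder)"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Customer managed key: you own the key policy and rotation, and the key can be
# shared cross-account if needed, which the AWS managed key cannot.
resource "aws_kms_key" "db_secrets" {
  description             = "CMK for Secrets Manager secrets"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account root keeps full administrative control of the key.
        Sid       = "EnableRootAccountPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # The application role may decrypt, but only when the call comes
        # through Secrets Manager in this region (kms:ViaService), so the key
        # cannot be used directly to decrypt arbitrary ciphertext.
        Sid       = "AllowAppRoleDecryptViaSecretsManager"
        Effect    = "Allow"
        Principal = { AWS = var.app_role_arn }
        Action    = ["kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService" = "secretsmanager.${data.aws_region.current.name}.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_kms_alias" "db_secrets" {
  name          = "alias/secretsmanager-db"
  target_key_id = aws_kms_key.db_secrets.key_id
}

# Non-compliant (flagged by this rule): no kms_key_id, so the secret is
# encrypted under the account's AWS managed key aws/secretsmanager.
#
# resource "aws_secretsmanager_secret" "db" {
#   name = "prod/db/credentials"
# }

# Compliant: secret values are encrypted under the customer managed key above.
resource "aws_secretsmanager_secret" "db" {
  name       = "prod/db/credentials"
  kms_key_id = aws_kms_key.db_secrets.arn
}
```

Using the key ARN rather than the alias in 'kms_key_id' keeps the plan stable if the alias is later repointed, and it is the only form that works when the key is owned by a different account. If the secret is read from another account, that account's principals must additionally be allowed in the key policy above and in the secret's resource policy.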

References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id

Policy Details

Rule Reference ID: AC_AWS_0465
CSP: AWS
Remediation Available: Yes
Resource Category: Management
Resource Type: Secrets Manager

Frameworks