Secrets Manager should use customer managed keys

Explanation

Secrets Manager encrypts secrets by default using a default key created by AWS. To ensure control and granularity of secret encryption, CMK’s should be used explicitly.

Possible Impact

Using AWS managed keys reduces the flexibility and control over the encryption key

Suggested Resolution

Use customer managed keys

Insecure Example

The following example will fail the AVD-AWS-0098 check.

---
AWSTemplateFormatVersion: 2010-09-09
Description: Bad example of secret
Resources:
  BadSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: "secret"
      Name: "blah"
      SecretString: "don't tell anyone"

Secure Example

The following example will pass the AVD-AWS-0098 check.

---
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of ingress rule
Resources:
  Secret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: "secret"
      KmsKeyId: "my-key-id"
      Name: "blah"
      SecretString: "don't tell anyone"


Getting Started
Services