Secret Manager Secrets Should Be Encrypted With CMKs

​

More Info:

​

Risk Level

​

Address

​

Compliance Standards

​

Remediation

​

Using AWS Console

1. Log in to the AWS Management Console using your AWS account credentials.
2. Navigate to the AWS Secrets Manager service by selecting “Secrets Manager” from the services menu.
3. In the Secrets Manager dashboard, click on “Secrets” in the left navigation pane. (In the Cloudanix Console, navigate to “Misconfig” page and look for Affected Assets for “Secret Manager Secrets Should Be Encrypted With CMKs” Policy.)
4. Identify the secrets that are not encrypted with CMKs.
5. Take note of the specific secret identifier(s) that need remediation.
6. Select the checkbox next to the secret(s) you want to remediate.
7. Above the list of secrets, click on the “Edit rotation” button.
8. In the “Configure secret rotation” page, click on the “Edit secret” button.
9. In the “Secret details” section, scroll down to the “Encryption” configuration.
10. Select the option to “Use AWS Key Management Service (KMS) key” for encryption.
11. Choose an appropriate CMK from the dropdown menu or create a new CMK if necessary.
12. Click on the “Save” button to apply the encryption configuration.
13. In the “Configure secret rotation” page, click on the “Next” button.
14. Review and modify the rotation settings as needed and click on the “Next” button.
15. Review the summary of the rotation configuration and click on the “Finish” button.
16. Monitor the rotation process to ensure it is successfully completed for the remediated secrets.
17. Repeat these steps for each secret that is not encrypted with CMKs until all secrets have been remediated.

​

Additional Reading:

• [https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html]