More Info:
Ensure that your Amazon Secrets Manager secrets (i.e. database credentials, API keys, OAuth tokens, etc.) are encrypted with AWS KMS customer master keys (CMKs) instead of the default key that the Secrets Manager service creates for you, in order to have more granular control over the encryption and decryption of secret data and to meet compliance requirements.
Risk Level: High
Address: Security
Compliance Standards: ISO27001, HIPAA, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
Here are the step-by-step instructions to remediate the “Secret Manager Secrets Should Be Encrypted With CMKs” misconfiguration in AWS using the AWS console:
- Log in to the AWS Management Console and navigate to the AWS Secrets Manager service.
- Click on the secret that needs to be remediated.
- Under the “Encryption” section, click on the “Edit” button.
- Select the “AWS KMS customer master key (CMK)” option.
- Choose the appropriate CMK from the list or create a new one.
- Click on the “Save” button to save the changes.
- Ensure that the secret is now encrypted with the selected CMK by checking the “Encryption” section.
Using CLI
To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to list all the secrets in Secrets Manager:
- Note down the ARN of the secret that needs to be encrypted with a CMK.
- Create a new KMS customer managed key (CMK) by running the following command:
- Note down the ARN of the newly created CMK.
- Run the following command to update the secret to use the newly created CMK:
  Replace <ARN-of-secret> with the ARN of the secret that needs to be encrypted with a CMK, and <ARN-of-new-CMK> with the ARN of the newly created CMK.
- Verify that the secret is now encrypted with the new CMK by running the following command:
  This command should return the details of the secret, including the KMS key ID.
Using Python
To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” in AWS using Python, follow these steps:
- Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS) if one is not already created.
- Enable key rotation for the CMK created in step 1.
- Update the secrets in AWS Secrets Manager to use the CMK created in step 1 for encryption.
Note: Replace CMK_ARN with the ARN of the CMK created in step 1 and SECRET_NAME with the name of the secret in AWS Secrets Manager that needs to be updated.
By following these steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using Python.
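The CLI steps and the Python steps above come down to the same calls: list the secrets, create a CMK with rotation enabled, point each non-compliant secret at it, and verify. The following is an added example written for this page (it is not the page's own script and not an AWS sample) that implements that procedure with boto3-style clients. The clients are injected so that the constructed `FakeKms` and `FakeSecretsManager` classes at the bottom let it run offline; the account id, ARNs and secret names are constructed placeholders, and only the `__main__` block uses real boto3 clients. It goes slightly beyond the listed steps in two ways a practitioner needs: it treats a secret whose `KmsKeyId` is the explicitly set AWS managed alias as non-compliant, and it follows `NextToken` pagination so secrets beyond the first page are not missed.

```python
"""Added example: bring Secrets Manager secrets onto a customer managed KMS key.
Clients are passed in (boto3-style) so the logic can be run offline against
the constructed fakes below; only the __main__ block touches real AWS."""
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"


def uses_customer_managed_key(sm, kms, secret_id):
    """True only if the secret is encrypted with a customer managed KMS key.
    describe_secret omits KmsKeyId when the AWS managed key aws/secretsmanager
    is in use; when an id is present, confirm with KMS that KeyManager is
    CUSTOMER rather than AWS."""
    key_id = sm.describe_secret(SecretId=secret_id).get("KmsKeyId")
    if not key_id or key_id == AWS_MANAGED_ALIAS:
        return False
    return kms.describe_key(KeyId=key_id)["KeyMetadata"].get("KeyManager") == "CUSTOMER"


def ensure_cmk(kms, description="Secrets Manager CMK"):
    """Create a symmetric CMK, turn on automatic rotation, return its ARN."""
    meta = kms.create_key(Description=description)["KeyMetadata"]
    kms.enable_key_rotation(KeyId=meta["KeyId"])
    return meta["Arn"]


def remediate_secret(sm, kms, secret_id, cmk_arn):
    """Re-key one non-compliant secret; return True if it was changed.
    The caller needs kms:Encrypt/GenerateDataKey on the new key (and
    kms:Decrypt on the old one), otherwise existing versions are not re-encrypted."""
    if uses_customer_managed_key(sm, kms, secret_id):
        return False
    sm.update_secret(SecretId=secret_id, KmsKeyId=cmk_arn)
    return True


def remediate_all(sm, kms, cmk_arn):
    """Walk every secret, following NextToken pagination; return re-keyed ARNs."""
    changed, kwargs = [], {}
    while True:
        page = sm.list_secrets(**kwargs)
        changed += [s["ARN"] for s in page.get("SecretList", [])
                    if remediate_secret(sm, kms, s["ARN"], cmk_arn)]
        if not page.get("NextToken"):
            return changed
        kwargs = {"NextToken": page["NextToken"]}


# --- constructed fakes (not AWS APIs) mimicking the boto3 calls used above ---
class FakeKms:
    def __init__(self):
        self.keys, self.rotation, self.n = {}, set(), 0

    def create_key(self, **_):
        self.n += 1
        kid = f"cmk-{self.n}"
        arn = f"arn:aws:kms:us-east-1:111122223333:key/{kid}"
        self.keys[kid] = self.keys[arn] = {"KeyId": kid, "Arn": arn, "KeyManager": "CUSTOMER"}
        return {"KeyMetadata": dict(self.keys[arn])}

    def enable_key_rotation(self, KeyId):
        self.rotation.add(KeyId)

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId])}


class FakeSecretsManager:
    def __init__(self, secrets):  # {arn: KmsKeyId, or None = field omitted (default key)}
        self.secrets = dict(secrets)

    def list_secrets(self, NextToken=None, **_):  # one secret per page to exercise paging
        arns, i = sorted(self.secrets), int(NextToken or 0)
        page = {"SecretList": [{"ARN": arns[i]}]}
        if i + 1 < len(arns):
            page["NextToken"] = str(i + 1)
        return page

    def describe_secret(self, SecretId):
        d = {"ARN": SecretId}
        if self.secrets[SecretId]:
            d["KmsKeyId"] = self.secrets[SecretId]
        return d

    def update_secret(self, SecretId, KmsKeyId=None, **_):
        self.secrets[SecretId] = KmsKeyId


ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"  # constructed prefix


def demo():
    """Run the remediation over three constructed secrets; return what happened."""
    kms = FakeKms()
    preexisting = ensure_cmk(kms, "pre-existing CMK")
    sm = FakeSecretsManager({ARN + "db-creds": None,                # default key
                             ARN + "api-key": AWS_MANAGED_ALIAS,    # explicit AWS managed alias
                             ARN + "already-ok": preexisting})      # already compliant
    cmk_arn = ensure_cmk(kms)
    return {"cmk_arn": cmk_arn, "changed": remediate_all(sm, kms, cmk_arn), "sm": sm, "kms": kms}


if __name__ == "__main__":
    import sys, boto3  # real run; pass CMK_ARN as argv[1] to reuse an existing key
    kms_c, sm_c = boto3.client("kms"), boto3.client("secretsmanager")
    cmk = sys.argv[1] if len(sys.argv) > 1 else ensure_cmk(kms_c)
    print("re-keyed:", remediate_all(sm_c, kms_c, cmk))
```

The check in `uses_customer_managed_key` is the same one the CLI verification step relies on: `describe-secret` simply omits `KmsKeyId` when the default `aws/secretsmanager` key is in use, so an absent field means non-compliant. Running the script twice is safe, since compliant secrets are skipped; running it against a real account calls `update-secret`, which re-encrypts the current versions with the new key only if the caller holds the KMS permissions noted in the docstring.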