More Info:

Ensure that your Amazon Secrets Manager secrets (i.e. database credentials, API keys, OAuth tokens, etc) are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of default encryption keys that Secrets Manager service creates for you, in order to have a more granular control over secret data encryption and decryption process, and meet compliance requirements.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Here are the step-by-step instructions to remediate the “Secret Manager Secrets Should Be Encrypted With CMKs” misconfiguration in AWS using the AWS console:
  1. Log in to the AWS Management Console and navigate to the AWS Secrets Manager service.
  2. Click on the secret that needs to be remediated.
  3. Under the “Encryption” section, click on the “Edit” button.
  4. Select the “AWS KMS customer master key (CMK)” option.
  5. Choose the appropriate CMK from the list or create a new one.
  6. Click on the “Save” button to save the changes.
  7. Ensure that the secret is now encrypted with the selected CMK by checking the “Encryption” section.
That’s it! Following these steps should remediate the “Secret Manager Secrets Should Be Encrypted With CMKs” misconfiguration in AWS.

To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using AWS CLI, you can follow the below steps:
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Run the following command to list all the secrets in the Secret Manager: 
    aws secretsmanager list-secrets
  3. Note down the ARN of the secret that needs to be encrypted with a CMK.
  4. Create a new KMS customer managed key (CMK) by running the following command: 
    aws kms create-key --description "My new CMK"
  5. Note down the ARN of the newly created CMK.
  6. Run the following command to update the secret to use the newly created CMK: 
    aws secretsmanager update-secret-version-stage --secret-id <ARN-of-secret> --secret-version-stage AWSCURRENT --kms-key-id <ARN-of-new-CMK>
    Replace <ARN-of-secret> with the ARN of the secret that needs to be encrypted with a CMK, and <ARN-of-new-CMK> with the ARN of the newly created CMK.
  7. Verify that the secret is now encrypted with the new CMK by running the following command: 
    aws secretsmanager describe-secret --secret-id <ARN-of-secret>
    This command should return the details of the secret, including the KMS key ID.
By following the above steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using AWS CLI.
To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” in AWS using Python, you can follow the below steps:
  1. Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS) if not already created.
import boto3

kms_client = boto3.client('kms')

response = kms_client.create_key(
    Description='CMK for Secret Manager',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

cmk_arn = response['KeyMetadata']['Arn']
  1. Enable Key Rotation for the CMK created in step 1.
import boto3

kms_client = boto3.client('kms')

kms_client.enable_key_rotation(
    KeyId='CMK_ARN'
)
  1. Update the Secrets in AWS Secret Manager to use the CMK created in step 1 for encryption.
import boto3

secrets_client = boto3.client('secretsmanager')

response = secrets_client.update_secret(
    SecretId='SECRET_NAME',
    KmsKeyId='CMK_ARN',
    SecretString='{"username":"admin","password":"secret"}'
)
Note: Replace CMK_ARN with the ARN of the CMK created in step 1 and SECRET_NAME with the name of the Secret in AWS Secret Manager that needs to be updated.By following these steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using Python.

Additional Reading: