Secret encrypted kms cmk remediation

Using Console

Using CLI

To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the secrets in the Secret Manager:
```
aws secretsmanager list-secrets
```
Note down the ARN of the secret that needs to be encrypted with a CMK.
Create a new KMS customer managed key (CMK) by running the following command:
```
aws kms create-key --description "My new CMK"
```
Note down the ARN of the newly created CMK.
Run the following command to update the secret to use the newly created CMK:
```
aws secretsmanager update-secret-version-stage --secret-id <ARN-of-secret> --secret-version-stage AWSCURRENT --kms-key-id <ARN-of-new-CMK>
```
Replace <ARN-of-secret> with the ARN of the secret that needs to be encrypted with a CMK, and <ARN-of-new-CMK> with the ARN of the newly created CMK.
Verify that the secret is now encrypted with the new CMK by running the following command:
```
aws secretsmanager describe-secret --secret-id <ARN-of-secret>
```
This command should return the details of the secret, including the KMS key ID.

By following the above steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” in AWS using Python, you can follow the below steps:

Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS) if not already created.

import boto3

kms_client = boto3.client('kms')

response = kms_client.create_key(
    Description='CMK for Secret Manager',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

cmk_arn = response['KeyMetadata']['Arn']

Enable Key Rotation for the CMK created in step 1.

import boto3

kms_client = boto3.client('kms')

kms_client.enable_key_rotation(
    KeyId='CMK_ARN'
)

Update the Secrets in AWS Secret Manager to use the CMK created in step 1 for encryption.

import boto3

secrets_client = boto3.client('secretsmanager')

response = secrets_client.update_secret(
    SecretId='SECRET_NAME',
    KmsKeyId='CMK_ARN',
    SecretString='{"username":"admin","password":"secret"}'
)

Note: Replace CMK_ARN with the ARN of the CMK created in step 1 and SECRET_NAME with the name of the Secret in AWS Secret Manager that needs to be updated.By following these steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using Python.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Secret encrypted kms cmk remediation

Triage and Remediation

Remediation