Secret Manager Secrets Should Be Encrypted With CMKs

More Info:

Ensure that your Amazon Secrets Manager secrets (i.e. database credentials, API keys, OAuth tokens, etc) are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of default encryption keys that Secrets Manager service creates for you, in order to have a more granular control over secret data encryption and decryption process, and meet compliance requirements.

Risk Level

High

Address

Security

Compliance Standards

ISO27001, HIPAA, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the secrets in the Secret Manager:
```
aws secretsmanager list-secrets
```
Note down the ARN of the secret that needs to be encrypted with a CMK.
Create a new KMS customer managed key (CMK) by running the following command:
```
aws kms create-key --description "My new CMK"
```
Note down the ARN of the newly created CMK.
Run the following command to update the secret to use the newly created CMK:
```
aws secretsmanager update-secret-version-stage --secret-id <ARN-of-secret> --secret-version-stage AWSCURRENT --kms-key-id <ARN-of-new-CMK>
```
Replace <ARN-of-secret> with the ARN of the secret that needs to be encrypted with a CMK, and <ARN-of-new-CMK> with the ARN of the newly created CMK.
Verify that the secret is now encrypted with the new CMK by running the following command:
```
aws secretsmanager describe-secret --secret-id <ARN-of-secret>
```
This command should return the details of the secret, including the KMS key ID.

By following the above steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” in AWS using Python, you can follow the below steps:

Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS) if not already created.

import boto3

kms_client = boto3.client('kms')

response = kms_client.create_key(
    Description='CMK for Secret Manager',
    KeyUsage='ENCRYPT_DECRYPT',
    Origin='AWS_KMS'
)

cmk_arn = response['KeyMetadata']['Arn']

Enable Key Rotation for the CMK created in step 1.

import boto3

kms_client = boto3.client('kms')

kms_client.enable_key_rotation(
    KeyId='CMK_ARN'
)

Update the Secrets in AWS Secret Manager to use the CMK created in step 1 for encryption.

import boto3

secrets_client = boto3.client('secretsmanager')

response = secrets_client.update_secret(
    SecretId='SECRET_NAME',
    KmsKeyId='CMK_ARN',
    SecretString='{"username":"admin","password":"secret"}'
)

Note: Replace CMK_ARN with the ARN of the CMK created in step 1 and SECRET_NAME with the name of the Secret in AWS Secret Manager that needs to be updated.By following these steps, you can remediate the misconfiguration “Secret Manager Secrets Should Be Encrypted With CMKs” for AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Secret Manager Secrets Should Be Encrypted With CMKs

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: