> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret Manager Secrets Should Be Encrypted With CMKs

### More Info:

Ensure that your Amazon Secrets Manager secrets (i.e. database credentials, API keys, OAuth tokens, etc) are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of default encryption keys that Secrets Manager service creates for you, in order to have a more granular control over secret data encryption and decryption process, and meet compliance requirements.

### Risk Level

High

### Address

Security

### Compliance Standards

ISO27001, HIPAA, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Here are the step-by-step instructions to remediate the "Secret Manager Secrets Should Be Encrypted With CMKs" misconfiguration in AWS using the AWS console:

        1. Log in to the AWS Management Console and navigate to the AWS Secrets Manager service.

        2. Click on the secret that needs to be remediated.

        3. Under the "Encryption" section, click on the "Edit" button.

        4. Select the "AWS KMS customer master key (CMK)" option.

        5. Choose the appropriate CMK from the list or create a new one.

        6. Click on the "Save" button to save the changes.

        7. Ensure that the secret is now encrypted with the selected CMK by checking the "Encryption" section.

        That's it! Following these steps should remediate the "Secret Manager Secrets Should Be Encrypted With CMKs" misconfiguration in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Secret Manager Secrets Should Be Encrypted With CMKs" for AWS using AWS CLI, you can follow the below steps:

        1. Open the AWS CLI on your local machine or EC2 instance.

        2. Run the following command to list all the secrets in the Secret Manager:

           ```
           aws secretsmanager list-secrets
           ```

        3. Note down the ARN of the secret that needs to be encrypted with a CMK.

        4. Create a new KMS customer managed key (CMK) by running the following command:

           ```
           aws kms create-key --description "My new CMK"
           ```

        5. Note down the ARN of the newly created CMK.

        6. Run the following command to update the secret to use the newly created CMK:

           ```
           aws secretsmanager update-secret-version-stage --secret-id <ARN-of-secret> --secret-version-stage AWSCURRENT --kms-key-id <ARN-of-new-CMK>
           ```

           Replace `<ARN-of-secret>` with the ARN of the secret that needs to be encrypted with a CMK, and `<ARN-of-new-CMK>` with the ARN of the newly created CMK.

        7. Verify that the secret is now encrypted with the new CMK by running the following command:

           ```
           aws secretsmanager describe-secret --secret-id <ARN-of-secret>
           ```

           This command should return the details of the secret, including the KMS key ID.

        By following the above steps, you can remediate the misconfiguration "Secret Manager Secrets Should Be Encrypted With CMKs" for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "Secret Manager Secrets Should Be Encrypted With CMKs" in AWS using Python, you can follow the below steps:

        1. Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS) if not already created.

        ```python theme={null}
        import boto3

        kms_client = boto3.client('kms')

        response = kms_client.create_key(
            Description='CMK for Secret Manager',
            KeyUsage='ENCRYPT_DECRYPT',
            Origin='AWS_KMS'
        )

        cmk_arn = response['KeyMetadata']['Arn']
        ```

        2. Enable Key Rotation for the CMK created in step 1.

        ```python theme={null}
        import boto3

        kms_client = boto3.client('kms')

        kms_client.enable_key_rotation(
            KeyId='CMK_ARN'
        )
        ```

        3. Update the Secrets in AWS Secret Manager to use the CMK created in step 1 for encryption.

        ```python theme={null}
        import boto3

        secrets_client = boto3.client('secretsmanager')

        response = secrets_client.update_secret(
            SecretId='SECRET_NAME',
            KmsKeyId='CMK_ARN',
            SecretString='{"username":"admin","password":"secret"}'
        )
        ```

        Note: Replace `CMK_ARN` with the ARN of the CMK created in step 1 and `SECRET_NAME` with the name of the Secret in AWS Secret Manager that needs to be updated.

        By following these steps, you can remediate the misconfiguration "Secret Manager Secrets Should Be Encrypted With CMKs" for AWS using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html)
