Secrets Manager Should Specify KmsKeyId

  • Query id: c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
  • Query name: Secrets Manager Should Specify KmsKeyId
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Secret Management
  • URL: Github

Description

Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  SecretsManagerSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString:
        GenerateSecretString
      Name: String
      SecretString:
        String
      Tags:
        - Tag
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "SecretsManagerSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "String",
        "SecretString": "String",
        "Tags": [
          "Tag"
        ],
        "Description": "String",
        "GenerateSecretString": "GenerateSecretString"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  SecretsManagerSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString:
        GenerateSecretString
      KmsKeyId: String
      Name: String
      SecretString:
        String
      Tags:
        - Tag
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "SecretsManagerSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "String",
        "GenerateSecretString": "GenerateSecretString",
        "KmsKeyId": "String",
        "Name": "String",
        "SecretString": "String",
        "Tags": [
          "Tag"
        ]
      }
    }
  }
}