Secrets Manager Should Specify KmsKeyId
- Query id: c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
- Query name: Secrets Manager Should Specify KmsKeyId
- Platform: CloudFormation
- Severity: Medium
- Category: Secret Management
- URL: Github
Description
An AWS::SecretsManager::Secret should explicitly specify KmsKeyId. Only a secret encrypted with a customer managed KMS key can be shared cross-account; the default AWS managed key (aws/secretsmanager) that is used when KmsKeyId is omitted cannot be granted to principals in other accounts.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  SecretsManagerSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString: GenerateSecretString
      Name: String
      SecretString: String
      Tags:
        - Tag
```
Positive test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "SecretsManagerSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "String",
        "SecretString": "String",
        "Tags": [
          "Tag"
        ],
        "Description": "String",
        "GenerateSecretString": "GenerateSecretString"
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  SecretsManagerSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString: GenerateSecretString
      KmsKeyId: String
      Name: String
      SecretString: String
      Tags:
        - Tag
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "SecretsManagerSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "String",
        "GenerateSecretString": "GenerateSecretString",
        "KmsKeyId": "String",
        "Name": "String",
        "SecretString": "String",
        "Tags": [
          "Tag"
        ]
      }
    }
  }
}
```
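As an added example (not part of the KICS query or its documentation), the check below applies the same rule to a parsed JSON template and goes one step further: when KmsKeyId is given as a Ref or Fn::GetAtt, it verifies that the target is a KMS key, alias or template parameter rather than an unrelated resource. The template, resource names and key policy details are constructed for this example.

```python
import json

# Constructed sample template: one secret relies on the default aws/secretsmanager
# key (flagged), one references a customer managed key declared alongside it (passes).
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"ExternalKeyArn": {"Type": "String"}},
  "Resources": {
    "DefaultKeySecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Name": "app/db-password"}
    },
    "SecretKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {"Description": "CMK for secrets shared cross-account",
                     "EnableKeyRotation": true}
    },
    "CmkSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Name": "app/api-token", "KmsKeyId": {"Ref": "SecretKey"}}
    },
    "ParamKeySecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Name": "app/signing-key", "KmsKeyId": {"Ref": "ExternalKeyArn"}}
    }
  }
}
""")

KMS_TYPES = ("AWS::KMS::Key", "AWS::KMS::Alias")


def find_secrets_without_cmk(template):
    """Return (logical_id, reason) for every AWS::SecretsManager::Secret whose
    KmsKeyId is missing, empty, or points at something that is not a KMS key."""
    resources = template.get("Resources", {})
    parameters = template.get("Parameters", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::SecretsManager::Secret":
            continue
        key = res.get("Properties", {}).get("KmsKeyId")
        if not key:
            findings.append((logical_id, "KmsKeyId not specified; default aws/secretsmanager key"))
            continue
        # Resolve intrinsic references to the logical id they name, if any.
        target = None
        if isinstance(key, dict):
            target = key.get("Ref") or (key.get("Fn::GetAtt") or [None])[0]
        if target is not None and target not in parameters \
                and resources.get(target, {}).get("Type") not in KMS_TYPES:
            findings.append((logical_id, f"KmsKeyId refers to '{target}', which is not a KMS key"))
    return findings
```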