Secretsmanager Secret Without KMS

  • Query id: a2f548f2-188c-4fff-b172-e9a6acb216bd
  • Query name: Secretsmanager Secret Without KMS
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

AWS Secrets Manager should use an AWS KMS customer master key (CMK), set through `kms_key_id`, to encrypt the secret values in the versions stored in the secret.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_secretsmanager_secret" "example" {
  name = "example"
  kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
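The check this query performs can be reproduced outside KICS with a small scanner. The block below is an added example, not KICS's own Rego query or code: it walks the `aws_secretsmanager_secret` resource blocks in a Terraform file, ignores attributes that sit in nested blocks such as `replica`, and reports every secret whose top-level `kms_key_id` is missing, empty or `null`. The sample Terraform input is constructed here and includes the positive and negative cases from this page plus a key referenced from an `aws_kms_key` resource (the resource name `secrets` is an assumption). The parser is a deliberately minimal brace matcher, not a full HCL parser; the caveats are noted in the comments.

```python
"""Flag aws_secretsmanager_secret resources that do not set a KMS key (added example, not KICS code)."""
import re

# Header of an aws_secretsmanager_secret block; the match ends on the opening brace
# so the body can be extracted by brace matching from that position.
RESOURCE_HEADER = re.compile(r'resource\s+"aws_secretsmanager_secret"\s+"([^"]+)"\s*\{')
# A kms_key_id assignment; group 1 captures the right-hand side (literal or reference).
KMS_ATTR = re.compile(r'^\s*kms_key_id\s*=\s*(.+?)\s*$', re.MULTILINE)
# Whole-line comments are blanked so braces inside them cannot confuse the matcher.
# Caveat: braces inside quoted strings or trailing comments are not handled.
COMMENT = re.compile(r'^[ \t]*(#|//).*$', re.MULTILINE)

# Constructed sample input, not taken from any real deployment.
SAMPLE_TF = """
# Constructed sample input, not taken from any real deployment.
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

resource "aws_secretsmanager_secret" "with_cmk" {
  name       = "example"
  kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

resource "aws_secretsmanager_secret" "by_reference" {
  name       = "db-password"
  kms_key_id = aws_kms_key.secrets.arn
}

resource "aws_secretsmanager_secret" "replica_only" {
  name = "replicated"
  replica {
    region     = "us-east-1"
    kms_key_id = "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-00aa-00aa-00aa-000000000000"
  }
}

resource "aws_secretsmanager_secret" "nulled" {
  name       = "nulled"
  kms_key_id = null
}
"""


def _block_body(text, open_index):
    """Return the text between the brace at text[open_index] and its matching close brace."""
    depth = 0
    for i in range(open_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_index + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _top_level_only(body):
    """Drop nested blocks (e.g. replica { ... }) so only the resource's own attributes remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def find_unencrypted_secrets(tf_text):
    """Return one finding per aws_secretsmanager_secret without a usable top-level kms_key_id."""
    source = COMMENT.sub("", tf_text)  # keeps newlines, so line numbers stay correct
    findings = []
    for header in RESOURCE_HEADER.finditer(source):
        name = header.group(1)
        line = source.count("\n", 0, header.start()) + 1
        attrs = _top_level_only(_block_body(source, header.end() - 1))
        match = KMS_ATTR.search(attrs)
        value = match.group(1) if match else None
        # A key set in a replica block does not encrypt the primary secret, and an empty
        # or null value falls back to the default key, so only a real top-level value passes.
        if value is None or value in ('""', "null"):
            reason = "kms_key_id missing" if value is None else f"kms_key_id set to {value}"
            findings.append({"resource": name, "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_unencrypted_secrets(SAMPLE_TF):
        print(f"line {finding['line']}: aws_secretsmanager_secret.{finding['resource']}: {finding['reason']}")
```

Run against the constructed sample, the scanner reports `example`, `replica_only` and `nulled` and accepts both the literal ARN from the negative test and the `aws_kms_key.secrets.arn` reference. When `kms_key_id` is omitted, Secrets Manager still encrypts the secret, but with the AWS managed key `aws/secretsmanager`; the query is about requiring a customer-managed key so that key policy, rotation and CloudTrail usage records are under the account owner's control.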