Secretsmanager Secret Encrypted With AWS Managed Key
- Query id: b0d3ef3f-845d-4b1b-83d6-63a5a380375f
- Query name: Secretsmanager Secret Encrypted With AWS Managed Key
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 326
- URL: Github
Description
A Secrets Manager secret should be encrypted with a customer-managed KMS key (CMK) rather than the AWS managed key `aws/secretsmanager`. With the AWS managed key you cannot edit the key policy, enforce your own rotation schedule, or grant cross-account access to the secret; a CMK keeps those controls under your account. Note that omitting `kms_key_id` entirely also falls back to `aws/secretsmanager`, so the attribute has to be set explicitly to the CMK's ARN or key ID.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
# Vulnerable: the secret is explicitly tied to the AWS managed key
# alias/aws/secretsmanager, whose key policy cannot be changed.
resource "aws_secretsmanager_secret" "test2" {
  name       = "test-cloudrail-1"
  kms_key_id = "alias/aws/secretsmanager"
}
```
Positive test num. 2 - tf file
```tf
provider "aws" {
  region = "us-east-1"
}

# Resolves the AWS managed key for Secrets Manager; referencing its ARN
# is still the AWS managed key, so this is flagged just like the literal alias.
data "aws_kms_key" "by_alias" {
  key_id = "alias/aws/secretsmanager"
}

resource "aws_secretsmanager_secret" "test" {
  name       = "test-cloudrail-1"
  kms_key_id = data.aws_kms_key.by_alias.arn
}
```
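For contrast, the following is an added, compliant configuration (it is not one of the KICS test files): a customer-managed KMS key with its own key policy and alias, and the same secret referencing that key by ARN. The key description, alias name, the `secrets` resource labels and the key policy statements are assumptions chosen for illustration; the `kms:ViaService` condition restricts use of the key to calls made through Secrets Manager in the deploying account and region.

```hcl
provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Customer-managed key: the account owns the key policy and rotation setting.
resource "aws_kms_key" "secrets" {
  description             = "CMK for Secrets Manager secrets" # assumed description
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Account root keeps administrative control of the key (IAM policies
        # still decide which principals in the account may actually use it).
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Cryptographic use is only allowed when the request arrives via
        # Secrets Manager in this account and region.
        Sid       = "UseViaSecretsManager"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey",
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService"    = "secretsmanager.${data.aws_region.current.name}.amazonaws.com"
            "kms:CallerAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
    ]
  })
}

# A friendly alias for the CMK (assumed name; must not start with alias/aws/).
resource "aws_kms_alias" "secrets" {
  name          = "alias/secretsmanager-cmk"
  target_key_id = aws_kms_key.secrets.key_id
}

# Compliant: the secret references the CMK's ARN, not alias/aws/secretsmanager.
resource "aws_secretsmanager_secret" "test" {
  name       = "test-cloudrail-1"
  kms_key_id = aws_kms_key.secrets.arn
}
```

Referencing `aws_kms_key.secrets.arn` (or `.key_id`) is what the query looks for; the query is satisfied as long as `kms_key_id` does not resolve to `alias/aws/secretsmanager`. If the secret must be read from another account, add that account's principal to the key policy as well, which is exactly what the AWS managed key does not allow.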