Secretsmanager Secret Without KMS

  • Query id: bed9762b-9bf6-4823-98e2-b1752bee0bf7
  • Query name: Secretsmanager Secret Without KMS
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Encryption
  • CWE: 326
  • Risk score: 3.0
  • URL: Github

Description

AWS Secrets Manager secrets should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret. The query flags an AWS::SecretsManager::Secret resource whose KmsKeyId property is absent or set to an empty string.
Documentation
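The check above can be reproduced outside KICS with a few lines of Python. The following is an added example, not KICS code: it walks the Resources section of a CloudFormation JSON template, reports every AWS::SecretsManager::Secret whose KmsKeyId is missing or empty, and accepts a KmsKeyId given either as a string or as an intrinsic such as {"Ref": "MyKey"}. The embedded templates are trimmed from the positive and negative samples on this page, plus one constructed negative case (MyKey is a hypothetical key resource) that references a CMK via Ref.

```python
"""Added example: flag Secrets Manager secrets that lack a KMS CMK.

This is not KICS's own query; it mirrors what the query checks on
CloudFormation JSON templates (YAML would need a loader that understands
CloudFormation's !Ref-style tags, which is left out here).
"""
import json

SECRET_TYPE = "AWS::SecretsManager::Secret"


def kms_key_findings(template):
    """Return [(logical_id, reason)] for each secret without a usable KmsKeyId.

    reason is "missing" when the property is absent (Secrets Manager then
    falls back to the AWS managed key aws/secretsmanager) and "empty" when it
    is present but blank. Any non-empty string (key id, ARN or alias) or an
    intrinsic function object (Ref, Fn::GetAtt, ...) counts as set.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SECRET_TYPE:
            continue
        props = resource.get("Properties") or {}
        if "KmsKeyId" not in props:
            findings.append((logical_id, "missing"))
            continue
        key = props["KmsKeyId"]
        if isinstance(key, str) and not key.strip():
            findings.append((logical_id, "empty"))
    return findings


def scan_json(text):
    """Parse a CloudFormation JSON template and return its findings."""
    return kms_key_findings(json.loads(text))


# Sample inputs: trimmed from this page's samples, except NEGATIVE_REF,
# which is constructed to show an intrinsic reference passing the check.
POSITIVE_1 = """{
  "Resources": {
    "MySecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Description": "secret description"}
    }
  }
}"""

POSITIVE_3 = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySecretB": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Name": "MySecretForAppB", "KmsKeyId": ""}
    }
  }
}"""

NEGATIVE_1 = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyCMK": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Name": "test", "KmsKeyId": "test-key"}
    }
  }
}"""

NEGATIVE_REF = """{
  "Resources": {
    "MyKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    "MySecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {"Name": "app", "KmsKeyId": {"Ref": "MyKey"}}
    }
  }
}"""

if __name__ == "__main__":
    for label, text in [("positive 1", POSITIVE_1), ("positive 3", POSITIVE_3),
                        ("negative 1", NEGATIVE_1), ("negative ref", NEGATIVE_REF)]:
        print(label, scan_json(text))
```

Run as a script it prints the findings for each embedded template; the two positive samples produce one finding each and the negative ones none. Treating an intrinsic object as "set" is deliberate: whether the referenced key is actually a customer managed key is a question for a second check, not for this one.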

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
    "Resources": {
        "MySecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "Description": "secret description"
            }
        },
        "MySecretResourcePolicy": {
            "Type": "AWS::SecretsManager::ResourcePolicy",
            "Properties": {
                "SecretId": {
                    "Ref": "MySecret"
                },
                "ResourcePolicy": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Resource": "*",
                            "Action": "secretsmanager:*",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "*"
                            }
                        }
                    ]
                }
            }
        }
    }
}

Positive test num. 2 - yaml file
Resources:
  MySecret:
      Type: 'AWS::SecretsManager::Secret'
      Properties:
          Description: secret description
  MySecretResourcePolicy:
      Type: 'AWS::SecretsManager::ResourcePolicy'
      Properties:
          SecretId: !Ref MySecret
          ResourcePolicy:
            Version: 2012-10-17
            Statement:
              - Resource: '*'
                Action: 'secretsmanager:*'
                Effect: Allow
                Principal:
                  AWS: '*'

Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySecretB": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "MySecretForAppB",
        "KmsKeyId" : "",
        "Description": "This secret has a hardcoded password in SecretString (use GenerateSecretString instead)",
        "SecretString": "{\"username\":\"MasterUsername\",\"password\":\"secret-password\"}",
        "Tags": [
          {
            "Key": "AppName",
            "Value": "AppB"
          }
        ]
      }
    }
  }
}

Positive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MySecretB:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: MySecretForAppB
      KmsKeyId: ''
      Description: This secret has a hardcoded password in SecretString (use GenerateSecretString
        instead)
      SecretString: '{"username":"MasterUsername","password":"secret-password"}'
      Tags:
        - Key: AppName
          Value: AppB

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyCMK": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "test",
        "KmsKeyId": "test-key"
      }
    }
  }
}

Negative test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyCMK:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: test
      KmsKeyId: test-key