Secretsmanager Secret Encrypted With AWS Managed Key

  • Query id: b0d3ef3f-845d-4b1b-83d6-63a5a380375f
  • Query name: Secretsmanager Secret Encrypted With AWS Managed Key
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

Secrets Manager secrets should be encrypted with a customer-managed KMS key instead of an AWS managed key (the aliases under alias/aws/ are reserved for AWS managed keys).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_secretsmanager_secret" "test2" {
  name       = "test-cloudrail-1"
  kms_key_id = "alias/aws/secretsmanager"
}

Positive test num. 2 - tf file

provider "aws" {
  region = "us-east-1"
}

data "aws_kms_key" "by_alias" {
  key_id = "alias/aws/secretsmanager"
}

resource "aws_secretsmanager_secret" "test" {
  name       = "test-cloudrail-1"
  kms_key_id = data.aws_kms_key.by_alias.arn
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_secretsmanager_secret" "test222" {
  name       = "test-cloudrail-1"
  kms_key_id = "alias/MyAlias"
}
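The following is an added example, not the KICS query's own Rego and not code from this page: a small Python scanner that re-implements the two patterns the samples above show (a literal alias/aws/... alias, and a data "aws_kms_key" lookup of such an alias), run over the page's three samples embedded as constructed strings. It goes one step beyond the page by also reporting a secret with no kms_key_id at all, because Secrets Manager then falls back to the AWS managed key aws/secretsmanager. The regex-based HCL parsing is an assumption for illustration: it handles only flat, top-level resource/data blocks.

```python
"""Added example: static check for Secrets Manager secrets that use the
AWS managed key. Not KICS's own Rego; a regex-based HCL scanner that
flags the patterns shown on the page plus an omitted kms_key_id."""
import re

# Aliases under alias/aws/ are reserved for AWS managed keys.
AWS_MANAGED_PREFIX = "alias/aws/"

# Top-level `resource`/`data` blocks with flat key = value bodies (assumption:
# no nested blocks, which is all the page's samples need).
BLOCK_RE = re.compile(
    r'^(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.MULTILINE | re.DOTALL,
)
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.MULTILINE)
# Reference to a data "aws_kms_key" block, e.g. data.aws_kms_key.by_alias.arn
DATA_REF_RE = re.compile(r"^data\.aws_kms_key\.(\w+)\.(?:arn|id|key_id)$")


def parse_blocks(hcl: str) -> dict:
    """Map (kind, type, name) -> {attribute: value} for simple top-level blocks."""
    blocks = {}
    for kind, btype, name, body in BLOCK_RE.findall(hcl):
        attrs = {k: v.strip().strip('"') for k, v in ATTR_RE.findall(body)}
        blocks[(kind, btype, name)] = attrs
    return blocks


def find_managed_key_secrets(hcl: str) -> list:
    """Return [(secret_name, reason)] for aws_secretsmanager_secret resources
    whose encryption key is, or resolves to, an AWS managed key."""
    blocks = parse_blocks(hcl)
    findings = []
    for (kind, btype, name), attrs in blocks.items():
        if (kind, btype) != ("resource", "aws_secretsmanager_secret"):
            continue
        key = attrs.get("kms_key_id")
        if key is None:
            # Beyond the page's samples: no key set means aws/secretsmanager.
            findings.append((name, "kms_key_id not set; defaults to aws/secretsmanager"))
        elif key.startswith(AWS_MANAGED_PREFIX):
            findings.append((name, f"kms_key_id is AWS managed alias {key}"))
        else:
            ref = DATA_REF_RE.match(key)
            if ref:
                src = blocks.get(("data", "aws_kms_key", ref.group(1)), {})
                if src.get("key_id", "").startswith(AWS_MANAGED_PREFIX):
                    findings.append((name, f"{key} resolves to AWS managed alias {src['key_id']}"))
    return findings


# Constructed inputs: the page's three samples plus one with kms_key_id omitted.
POSITIVE_1 = '''
resource "aws_secretsmanager_secret" "test2" {
  name       = "test-cloudrail-1"
  kms_key_id = "alias/aws/secretsmanager"
}
'''
POSITIVE_2 = '''
provider "aws" {
  region = "us-east-1"
}

data "aws_kms_key" "by_alias" {
  key_id = "alias/aws/secretsmanager"
}

resource "aws_secretsmanager_secret" "test" {
  name       = "test-cloudrail-1"
  kms_key_id = data.aws_kms_key.by_alias.arn
}
'''
NEGATIVE_1 = '''
resource "aws_secretsmanager_secret" "test222" {
  name       = "test-cloudrail-1"
  kms_key_id = "alias/MyAlias"
}
'''
NO_KEY = '''
resource "aws_secretsmanager_secret" "implicit" {
  name = "test-cloudrail-1"
}
'''

if __name__ == "__main__":
    for label, hcl in [("positive 1", POSITIVE_1), ("positive 2", POSITIVE_2),
                       ("negative 1", NEGATIVE_1), ("no key", NO_KEY)]:
        print(label, find_managed_key_secrets(hcl))
```

Two limits worth knowing when relying on a static check like this: a kms_key_id given as a bare key ID or full key ARN cannot be classified without querying KMS, so only the reserved alias/aws/ prefix is recognised, and a customer-managed alias such as alias/MyAlias is accepted on its name alone, which says nothing about that key's policy or rotation settings.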