Ensure Secret Manager secret is encrypted using KMS

Error: Unencrypted Secret Manager secret

Bridgecrew Policy ID: BC_AWS_GENERAL_58
Checkov Check ID: CKV_AWS_152
Severity: LOW

Unencrypted Secret Manager secret

The Secret Manager service allows you to securely store and manage secrets, such as API keys and passwords, in a central location. By default, secrets stored in Secret Manager are encrypted at rest using a Key Management Service (KMS) key.
Encrypting your secrets with a KMS key you control helps to protect the data stored in them from unauthorized access. This is especially important if your secrets contain sensitive information such as passwords or proprietary data.

Fix - Buildtime

  • Resource: aws_secretsmanager_secret
  • Argument: kms_key_id

```hcl
resource "aws_secretsmanager_secret" "example" {
  name       = "example"
  # Added line: reference the KMS key that should encrypt this secret
  # ("arn:kuku:kisi" is the page's placeholder, not a real key ARN)
  kms_key_id = "arn:kuku:kisi"
}
```
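As an added illustration (not code from Bridgecrew or Checkov), a minimal Python scanner that applies this check's logic to a constructed Terraform snippet: an aws_secretsmanager_secret passes only when kms_key_id is set to a non-empty value. The sample HCL, the regexes and the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Terraform, not taken from any real project:
# one secret without kms_key_id (expected FAILED) and one with it (expected PASSED).
SAMPLE_TF = '''
resource "aws_secretsmanager_secret" "plain" {
  name = "plain"
}

resource "aws_kms_key" "secrets" {
  description = "customer-managed key for Secrets Manager"
}

resource "aws_secretsmanager_secret" "encrypted" {
  name       = "encrypted"
  kms_key_id = aws_kms_key.secrets.arn
}
'''

# Matches top-level resource blocks with flat bodies (no nested blocks); good enough here.
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# Matches a kms_key_id assignment and captures its raw value (quoted string or reference).
ATTR_RE = re.compile(r'^\s*kms_key_id\s*=\s*(\S.*?)\s*$', re.M)


def parse_resources(hcl: str) -> List[Tuple[str, str, str]]:
    """Return (type, name, body) for each resource block in the HCL text."""
    return BLOCK_RE.findall(hcl)


def check_secret_kms(body: str) -> str:
    """Mirror of the policy: PASSED only if kms_key_id is present and non-empty."""
    match = ATTR_RE.search(body)
    if not match:
        return "FAILED"
    value = match.group(1).strip('"')
    return "PASSED" if value else "FAILED"


def run_check(hcl: str) -> Dict[str, str]:
    """Evaluate every aws_secretsmanager_secret resource; keys are Terraform addresses."""
    results: Dict[str, str] = {}
    for rtype, rname, body in parse_resources(hcl):
        if rtype == "aws_secretsmanager_secret":
            results[f"{rtype}.{rname}"] = check_secret_kms(body)
    return results


if __name__ == "__main__":
    for address, status in run_check(SAMPLE_TF).items():
        print(f"CKV_AWS_152 {status}: {address}")
```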