Ensure that Secrets Manager secret is encrypted using KMS CMK

Error: Secrets Manager secret is not encrypted using KMS CMK

Bridgecrew Policy ID: BC_AWS_GENERAL_79
Checkov Check ID: CKV_AWS_149
Severity: MEDIUM

Secrets Manager secret is not encrypted using KMS Customer Managed Key (CMK)

Description

By default, secrets manager secrets are encrypted using the AWS-managed key aws/secretsmanager. It is best practice to explicitly provide a customer managed key to use instead.

Fix - Buildtime

Terraform

  • Resource: aws_secretsmanager_secret
  • Argument: kms_key_id
resource "aws_secretsmanager_secret" "enabled" {
   ...
 + kms_key_id = var.kms_key_id
}