
Rule: Secrets Manager secrets should be encrypted using CMK

This rule checks that every AWS Secrets Manager secret is encrypted with a customer managed KMS key (historically called a Customer Master Key, CMK) rather than the default AWS managed key aws/secretsmanager. Secrets Manager always encrypts at rest; the rule is about who controls the key.

Rule: Secrets Manager secrets should be encrypted using CMK
Framework: GxP 21 CFR Part 11
Severity: High

Rule Description:

The rule/policy states that every secret stored in AWS Secrets Manager must be encrypted with a customer managed KMS key (CMK) that you create, own and govern in your account, rather than the AWS managed key aws/secretsmanager. GxP and 21 CFR Part 11 do not prescribe a particular key configuration; what they require is that access to electronic records is limited to authorised individuals and that changes are captured in a secure audit trail. A customer managed key gives you the key policy, key rotation and CloudTrail evidence needed to demonstrate that, whereas the AWS managed key has a fixed policy you cannot edit.

Troubleshooting Steps:

1. Confirm the Key Type (Not the Algorithm):

Secrets Manager always encrypts a secret value with a symmetric KMS key (AES-256-GCM under the hood) and exposes no algorithm choice, so there is nothing to verify at the algorithm level. What the rule requires is that the key is a customer managed key: in the secret's description, the KmsKeyId field must be present and must not be the aws/secretsmanager alias. If the field is absent, the secret is using the AWS managed key and is non-compliant.

2. Validate the CMK Configuration:

Confirm that the key referenced by the secret is customer managed (KeyManager is CUSTOMER in the KMS key metadata), is in the Enabled state and has automatic rotation turned on. Review the key policy: kms:Decrypt should be granted only to the roles that legitimately read the secrets, ideally restricted with a kms:ViaService condition for secretsmanager.<region>.amazonaws.com, and no Allow statement should name "*" as the principal without a condition. Administrative actions on the key (PutKeyPolicy, ScheduleKeyDeletion, DisableKey) should be limited to a small, named set of key administrators, since these are the actions that would defeat the control.

3. Check Which Key Each Secret Uses:

Enumerate all secrets in the account and region and verify that each one's KmsKeyId points at the approved customer managed key. Encryption itself is never "off" in Secrets Manager, so the check is the key identity, not an on/off status.

4. Review Logging and Monitoring:

Secrets Manager records all of its API calls, including GetSecretValue, in AWS CloudTrail, and the KMS Decrypt calls it makes on your behalf appear as kms.amazonaws.com events whose encryption context carries the SecretARN. Monitor these for reads by unexpected principals, AccessDenied errors, CreateSecret or UpdateSecret calls that leave a secret on the AWS managed key, and any DisableKey, ScheduleKeyDeletion or PutKeyPolicy on the secrets key. Route alarms for these events to the team that owns the secrets.

Necessary Codes:

No application code changes are required to comply with this rule. Verification and remediation can be done in the AWS Management Console or with the AWS CLI: describe-secret shows the KmsKeyId of a secret, kms describe-key and kms get-key-policy show the key's manager, state and policy, and update-secret with --kms-key-id moves a secret onto a customer managed key.

Step-by-Step Guide for Remediation:

Follow the steps below to comply with the rule/policy:

1. Identify the Key Behind Each Secret:

Check which KMS key a secret is encrypted with by following these steps:

  • Open the AWS Management Console.
  • Navigate to the AWS Secrets Manager dashboard.
  • Select the secret you want to validate.
  • In the secret's details, read the "Encryption key" field.
  • If it shows aws/secretsmanager, the secret is on the AWS managed key and fails the rule; it must show the alias or ARN of your customer managed key. There is no algorithm to select; KMS symmetric keys always use AES-256.

2. Validate the CMK Configuration:

Confirm the key configuration by performing the following steps:

  • Open the AWS Management Console.
  • Go to the AWS Key Management Service (KMS) dashboard and open "Customer managed keys" (a key listed only under "AWS managed keys" does not satisfy the rule).
  • Select the key used for Secrets Manager encryption and confirm its status is Enabled and that automatic key rotation is turned on.
  • Review the key policy: confirm that kms:Decrypt is granted only to the roles that read the secrets, preferably with a kms:ViaService condition for Secrets Manager, and that no Allow statement uses "*" as the principal without a condition.
  • Confirm that key administration rights (PutKeyPolicy, ScheduleKeyDeletion, DisableKey) are limited to named key administrators, and fix any statement that violates this.

3. Move Non-Compliant Secrets onto the CMK:

For each secret that is still on aws/secretsmanager, change its key:

  • Open the AWS Management Console.
  • Navigate to the AWS Secrets Manager dashboard.
  • Select the secret you want to remediate and choose to edit its encryption key.
  • Select the customer managed key validated in step 2 and save; the same change can be made with update-secret --kms-key-id.
  • Confirm that the secret's "Encryption key" field now shows the customer managed key. Secrets Manager re-encrypts the versions carrying the AWSCURRENT, AWSPENDING and AWSPREVIOUS labels with the new key, provided the caller has kms:Encrypt on it; unlabelled older versions stay under the previous key until they age out, so do not disable or delete the old key immediately.
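The three checks above (key present and not aws/secretsmanager, key customer managed and enabled, key policy without an unconditional "*" principal) can be automated against the output of describe-secret, describe-key and get-key-policy. The script below is an added example, not Cloud Defense or AWS code; it takes dictionaries shaped like the boto3 responses for those calls, and the secret names, account number, key ID and role names in the sample inputs are constructed placeholders.

```python
"""Audit a Secrets Manager secret's encryption key against the rule.

Inputs are shaped like the boto3 responses for secretsmanager.describe_secret(),
kms.describe_key() and kms.get_key_policy() (the same JSON the CLI commands
describe-secret, describe-key and get-key-policy print).  All sample data below
is constructed for this example.
"""
import json

AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"


def _is_public_principal(principal):
    """Key policies express 'anyone' either as "*" or as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def audit_secret(secret, key_metadata=None, key_policy=None):
    """Return a list of finding strings; an empty list means the secret passes."""
    findings = []
    key_id = secret.get("KmsKeyId")

    # describe-secret omits KmsKeyId when the secret is on the AWS managed key,
    # and some tooling writes the alias out explicitly; both fail the rule.
    if not key_id or key_id.endswith(AWS_MANAGED_ALIAS):
        findings.append(
            "secret %s uses the AWS managed key aws/secretsmanager, "
            "not a customer managed key" % secret["Name"])
        return findings  # nothing else to check until the key is changed

    if key_metadata is not None:
        meta = key_metadata.get("KeyMetadata", key_metadata)
        if meta.get("KeyManager") != "CUSTOMER":
            findings.append("key %s is %s-managed, not customer managed"
                            % (meta.get("KeyId"), meta.get("KeyManager")))
        if meta.get("KeyState") != "Enabled":
            findings.append("key %s is in state %s"
                            % (meta.get("KeyId"), meta.get("KeyState")))

    if key_policy is not None:
        policy = key_policy["Policy"]
        if isinstance(policy, str):  # get_key_policy returns the policy as a JSON string
            policy = json.loads(policy)
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            # An unconditional Allow to "*" lets any AWS principal use the key.
            if _is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
                findings.append("key policy statement %s grants %s to any principal"
                                % (stmt.get("Sid", "<no Sid>"), stmt.get("Action")))
    return findings


# --- constructed sample inputs (placeholders, not real resources) ---
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SECRET_ON_DEFAULT_KEY = {"Name": "db/prod"}  # no KmsKeyId -> aws/secretsmanager
SECRET_ON_CMK = {"Name": "db/lims", "KmsKeyId": KEY_ARN}
KEY_META_OK = {"KeyMetadata": {"KeyId": KEY_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled"}}
KEY_POLICY_OK = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/kms-admin"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "SecretReaders", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/lims-app"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}},
]})}
KEY_POLICY_OPEN = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Oops", "Effect": "Allow", "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"},
]})}

if __name__ == "__main__":
    for args in [(SECRET_ON_DEFAULT_KEY,),
                 (SECRET_ON_CMK, KEY_META_OK, KEY_POLICY_OK),
                 (SECRET_ON_CMK, KEY_META_OK, KEY_POLICY_OPEN)]:
        print(args[0]["Name"], audit_secret(*args) or ["PASS"])
```

To run this against a real account, feed it the output of `aws secretsmanager describe-secret`, `aws kms describe-key` and `aws kms get-key-policy --policy-name default` for each secret; a secret that fails the first check is fixed with `aws secretsmanager update-secret --secret-id <name> --kms-key-id <key-arn>`.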

4. Review Logging and Monitoring:

Set up logging and monitoring by following these steps:

  • Enable AWS CloudTrail for the account if it is not already enabled, with a trail that delivers to an S3 bucket or CloudWatch Logs so the events are retained; Secrets Manager API calls, including GetSecretValue, are recorded as management events, and the KMS Decrypt calls Secrets Manager makes on your behalf appear as kms.amazonaws.com events with the SecretARN in their encryption context.
  • Create CloudWatch metric filters and alarms (or equivalent detections in your SIEM) for GetSecretValue by principals outside the expected set, AccessDenied errors on secrets, CreateSecret or UpdateSecret calls that leave a secret on aws/secretsmanager, DeleteSecret, and DisableKey, ScheduleKeyDeletion or PutKeyPolicy on the secrets key.
  • Set up notifications to alert the team that owns the secrets when these alarms fire, and keep the CloudTrail logs for the retention period your records policy requires so they can serve as the audit trail.
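The detections listed in step 4 can be expressed as a small classifier over CloudTrail records. The script below is an added example, not Cloud Defense or AWS code; the record fields it reads (eventSource, eventName, userIdentity.arn, requestParameters, resources, errorCode) are standard CloudTrail fields, but the records themselves, the account number, the key ARN and the allow-listed reader role are constructed placeholders for this example.

```python
"""Classify CloudTrail records for events that weaken or misuse secret encryption.

The records follow CloudTrail's JSON layout; every record below is a constructed
sample and the ARNs are placeholders, not real resources.
"""

SECRETS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"
# Principals expected to read secrets; any other caller of GetSecretValue is flagged.
ALLOWED_READERS = {"arn:aws:sts::111122223333:assumed-role/lims-app/i-0abc"}
# KMS actions that would defeat the control if run against the secrets key.
KEY_WEAKENING_EVENTS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}


def classify(record):
    """Return an alert string for a suspicious record, or None for benign ones."""
    source = record.get("eventSource")
    name = record.get("eventName")
    who = record.get("userIdentity", {}).get("arn", "<unknown>")
    params = record.get("requestParameters") or {}

    if source == "secretsmanager.amazonaws.com":
        target = params.get("secretId") or params.get("name")
        if name in ("CreateSecret", "UpdateSecret"):
            # CreateSecret without kmsKeyId defaults to aws/secretsmanager; either call
            # that names the AWS managed alias explicitly is just as bad.
            kms = params.get("kmsKeyId")
            if (name == "CreateSecret" and not kms) or (kms and kms.endswith(AWS_MANAGED_ALIAS)):
                return f"{name} by {who}: secret {target} left on aws/secretsmanager"
        elif name == "GetSecretValue":
            if record.get("errorCode"):
                return f"denied GetSecretValue on {target} by {who}: {record['errorCode']}"
            if who not in ALLOWED_READERS:
                return f"GetSecretValue on {target} by unexpected principal {who}"
        elif name == "DeleteSecret":
            return f"DeleteSecret on {target} by {who}"
    elif source == "kms.amazonaws.com":
        # KMS events list the key in resources[].ARN; requestParameters.keyId is the fallback.
        key_refs = [r.get("ARN") for r in record.get("resources", [])] + [params.get("keyId")]
        if name in KEY_WEAKENING_EVENTS and SECRETS_KEY_ARN in key_refs:
            return f"{name} on the secrets key by {who}"
    return None


def scan(records):
    """Run classify() over a batch of records and keep only the alerts."""
    return [alert for alert in (classify(r) for r in records) if alert]


# --- constructed sample records ---
SAMPLE_RECORDS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "CreateSecret",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"},
     "requestParameters": {"name": "db/prod"}},                      # no kmsKeyId -> alert
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/lims-app/i-0abc"},
     "requestParameters": {"secretId": "db/lims"}},                  # expected reader -> benign
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"secretId": "db/lims"},
     "errorCode": "AccessDeniedException"},                          # denied read -> alert
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev1"},
     "requestParameters": {"keyId": SECRETS_KEY_ARN, "pendingWindowInDays": 7},
     "resources": [{"ARN": SECRETS_KEY_ARN}]},                       # key deletion -> alert
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/lims-app/i-0abc"},
     "requestParameters": {"encryptionContext": {
         "SecretARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db/lims-AbCdEf"}},
     "resources": [{"ARN": SECRETS_KEY_ARN}]},                       # normal decrypt -> benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print("ALERT:", alert)
```

In production the same logic runs over records delivered by CloudTrail to CloudWatch Logs (as a metric filter or a Lambda subscriber) or to your SIEM; the allow-list of reader principals should be generated from the key policy and the IAM roles that legitimately consume the secrets rather than maintained by hand.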

By following these steps, you will ensure that every secret stored in AWS Secrets Manager is encrypted with a customer managed KMS key whose policy, rotation and administration you control, which is the evidence GxP and 21 CFR Part 11 assessments look for. You will also have logging and monitoring in place to detect and respond to unauthorised reads of secrets and to changes that would weaken the key.
