Rule: Secrets Manager Secrets Encrypted with CMK
This rule ensures that Secrets Manager secrets are encrypted using CMK for enhanced security.
| Rule | Secrets Manager secrets should be encrypted using CMK |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
This rule enforces that all secrets stored in Secrets Manager should be encrypted using a Customer Master Key (CMK) that complies with the encryption standards set by NIST 800-53 Revision 5. Secrets Manager is a service provided by AWS that allows you to securely store and manage sensitive information such as database passwords, API keys, and other credentials.
Troubleshooting Steps (if applicable):
If this rule is not being followed, it indicates that secrets in Secrets Manager are not adequately protected using encryption standards defined by NIST 800-53 Revision 5. To troubleshoot and remediate this issue, follow the steps below:
- 1.
Review Secrets Manager Secret Encryption Settings:
- Open the AWS Management Console and navigate to the Secrets Manager service.
- Click on the secret that needs to be checked for encryption.
- Under the "Secret details" section, verify the encryption type used. It should be set to "Customer managed CMK" rather than "AWS managed CMK" or "Default encryption key."
- 2.
Create a Customer Managed CMK (if required):
- If the secret is not encrypted using a customer managed CMK, you need to create one.
- Open the AWS Management Console and navigate to the AWS Key Management Service (KMS) service.
- Click on "Customer managed keys" and then click on the "Create key" button.
- Follow the prompts to set up the CMK, providing a description and selecting the appropriate key administrators and key users.
- Save the CMK's key ID for the next step.
- 3.
Associate the Customer Managed CMK with the Secret:
- Go back to the Secrets Manager service in the AWS Management Console.
- Click on the secret that needs to be associated with the CMK.
- Under the "Encryption key" section, click on "Edit" and choose the customer managed CMK created in the previous step.
- Save the changes, ensuring that the secret is now using the desired CMK for encryption.
- 4.
Validate Encryption Compliance:
- Verify that the secret is now successfully encrypted using the customer managed CMK.
- You can also use the AWS Command Line Interface (CLI) to retrieve detailed information about the secret's encryption status:
Replaceaws secretsmanager describe-secret --secret-id [SECRET-ID]
with the actual ID or ARN (Amazon Resource Name) of the secret.[SECRET-ID]
Necessary Codes (if applicable):
No specific code samples are required for this rule since it revolves around configuring Secrets Manager and KMS settings using the AWS Management Console and CLI commands.
Remediation Steps:
Follow the step-by-step guide below to remediate the issue and ensure secrets stored in Secrets Manager are encrypted using a CMK compliant with NIST 800-53 Revision 5:
- 1.
Create a Customer Managed CMK (if required):
- Open the AWS Management Console and navigate to the AWS Key Management Service (KMS) service.
- Click on "Customer managed keys" and then click on the "Create key" button.
- Follow the prompts to set up the CMK, providing a description and selecting the appropriate key administrators and key users.
- Save the CMK's key ID for the next step.
- 2.
Associate the Customer Managed CMK with the Secret:
- Open the AWS Management Console and navigate to the Secrets Manager service.
- Click on the secret that needs to be associated with the CMK.
- Under the "Encryption key" section, click on "Edit" and choose the customer managed CMK created in the previous step.
- Save the changes, ensuring that the secret is now using the desired CMK for encryption.
- 3.
Validate Encryption Compliance:
- Verify that the secret is now successfully encrypted using the customer managed CMK.
- You can also use the AWS Command Line Interface (CLI) to retrieve detailed information about the secret's encryption status:
Replaceaws secretsmanager describe-secret --secret-id [SECRET-ID]
with the actual ID or ARN (Amazon Resource Name) of the secret.[SECRET-ID]
By following these steps, you will successfully enforce the encryption of Secrets Manager secrets using a Customer Master Key (CMK) that aligns with the encryption standards defined by NIST 800-53 Revision 5.