This rule ensures that Secrets Manager secrets are encrypted using a CMK for enhanced security.
Rule | Secrets Manager secrets should be encrypted using CMK |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ High |
Rule Description:
This rule enforces that all secrets stored in Secrets Manager should be encrypted using a Customer Master Key (CMK) that complies with the encryption standards set by NIST 800-53 Revision 5. Secrets Manager is a service provided by AWS that allows you to securely store and manage sensitive information such as database passwords, API keys, and other credentials.
Troubleshooting Steps (if applicable):
If this rule is not being followed, it indicates that secrets in Secrets Manager are not adequately protected using encryption standards defined by NIST 800-53 Revision 5. To troubleshoot and remediate this issue, follow the steps below:
Review Secrets Manager Secret Encryption Settings:
Create a Customer Managed CMK (if required):
Associate the Customer Managed CMK with the Secret:
Validate Encryption Compliance:
aws secretsmanager describe-secret --secret-id [SECRET-ID]
Replace [SECRET-ID] with the actual ID or ARN (Amazon Resource Name) of the secret.
Necessary Codes (if applicable):
No specific code samples are required for this rule since it revolves around configuring Secrets Manager and KMS settings using the AWS Management Console and CLI commands.
Remediation Steps:
Follow the step-by-step guide below to remediate the issue and ensure secrets stored in Secrets Manager are encrypted using a CMK compliant with NIST 800-53 Revision 5:
Create a Customer Managed CMK (if required):
Associate the Customer Managed CMK with the Secret:
Validate Encryption Compliance:
aws secretsmanager describe-secret --secret-id [SECRET-ID]
Replace [SECRET-ID] with the actual ID or ARN (Amazon Resource Name) of the secret.
By following these steps, you will successfully enforce the encryption of Secrets Manager secrets using a Customer Master Key (CMK) that aligns with the encryption standards defined by NIST 800-53 Revision 5.
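The validation step above only shows the describe-secret command; the check below is an added example (not part of the original rule page or of any AWS tooling) that evaluates saved output of `aws secretsmanager describe-secret` together with `aws kms describe-key` for the referenced key, so it can be run offline on constructed sample responses. Note that Secrets Manager omits KmsKeyId entirely when a secret uses the AWS managed key aws/secretsmanager, and that an explicit KmsKeyId can still point at an AWS managed key, so the key's KeyManager field decides.

```python
"""Offline compliance check for "Secrets Manager secrets should be encrypted using CMK".

Evaluates saved `aws secretsmanager describe-secret` output together with the
`aws kms describe-key` response for the referenced key. Sample responses below
are constructed for illustration (account id, ARNs and key ids are placeholders).
"""
import json
from typing import Optional, Tuple

# Constructed sample: a secret using the default AWS managed key.
# Secrets Manager omits KmsKeyId in this case.
SECRET_DEFAULT_KEY = json.loads("""
{"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-pass-AbCdEf",
 "Name": "db-pass"}
""")

# Constructed sample: a secret that references a customer managed key.
SECRET_CMK = json.loads("""
{"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-key-GhIjKl",
 "Name": "api-key",
 "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
""")

# Constructed sample: `aws kms describe-key` output for that key.
KEY_CMK = json.loads("""
{"KeyMetadata": {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                 "KeyManager": "CUSTOMER", "KeyState": "Enabled"}}
""")


def evaluate_secret(secret: dict, describe_key: Optional[dict]) -> Tuple[bool, str]:
    """Return (compliant, reason) for one secret.

    describe_key is the `aws kms describe-key` response for secret["KmsKeyId"],
    or None when the secret carries no KmsKeyId.
    """
    kms_key_id = secret.get("KmsKeyId")
    if not kms_key_id:
        # No KmsKeyId means the AWS managed key aws/secretsmanager: not a CMK.
        return False, "encrypted with the AWS managed key aws/secretsmanager"
    if describe_key is None:
        return False, f"KmsKeyId {kms_key_id} set but key metadata not provided"
    meta = describe_key.get("KeyMetadata", {})
    if meta.get("KeyManager") != "CUSTOMER":
        # An explicit KmsKeyId can still name an AWS managed key (alias/aws/...).
        return False, f"{kms_key_id} is managed by {meta.get('KeyManager')}, not a CMK"
    if meta.get("KeyState") != "Enabled":
        # A disabled or pending-deletion CMK leaves the secret unreadable.
        return False, f"{kms_key_id} is in state {meta.get('KeyState')}"
    return True, f"encrypted with customer managed key {kms_key_id}"


if __name__ == "__main__":
    for secret, key in ((SECRET_DEFAULT_KEY, None), (SECRET_CMK, KEY_CMK)):
        ok, why = evaluate_secret(secret, key)
        print(f"{secret['Name']}: {'PASS' if ok else 'FAIL'} - {why}")
```

To run it against a real account, feed it the JSON from the describe-secret command above and from `aws kms describe-key --key-id` on the returned KmsKeyId.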