Rule: Secrets Manager Secrets Encrypted with CMK

This rule ensures that Secrets Manager secrets are encrypted using CMK for enhanced security.

Rule: Secrets Manager secrets should be encrypted using CMK
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

This rule enforces that all secrets stored in Secrets Manager should be encrypted using a Customer Master Key (CMK) that complies with the encryption standards set by NIST 800-53 Revision 5. Secrets Manager is a service provided by AWS that allows you to securely store and manage sensitive information such as database passwords, API keys, and other credentials.

Troubleshooting Steps (if applicable):

If this rule is not being followed, it indicates that secrets in Secrets Manager are not adequately protected using encryption standards defined by NIST 800-53 Revision 5. To troubleshoot and remediate this issue, follow the steps below:

  1. Review Secrets Manager Secret Encryption Settings:

    • Open the AWS Management Console and navigate to the Secrets Manager service.
    • Click on the secret that needs to be checked for encryption.
    • Under the "Secret details" section, verify the encryption type used. It should be set to "Customer managed CMK" rather than "AWS managed CMK" or "Default encryption key."

  2. Create a Customer Managed CMK (if required):

    • If the secret is not encrypted using a customer managed CMK, you need to create one.
    • Open the AWS Management Console and navigate to the AWS Key Management Service (KMS) service.
    • Click on "Customer managed keys" and then click on the "Create key" button.
    • Follow the prompts to set up the CMK, providing a description and selecting the appropriate key administrators and key users.
    • Save the CMK's key ID for the next step.

  3. Associate the Customer Managed CMK with the Secret:

    • Go back to the Secrets Manager service in the AWS Management Console.
    • Click on the secret that needs to be associated with the CMK.
    • Under the "Encryption key" section, click on "Edit" and choose the customer managed CMK created in the previous step.
    • Save the changes, ensuring that the secret is now using the desired CMK for encryption.

  4. Validate Encryption Compliance:

    • Verify that the secret is now successfully encrypted using the customer managed CMK.
    • You can also use the AWS Command Line Interface (CLI) to retrieve detailed information about the secret's encryption status:

      aws secretsmanager describe-secret --secret-id [SECRET-ID]

      Replace [SECRET-ID] with the actual ID or ARN (Amazon Resource Name) of the secret. A compliant secret reports a KmsKeyId field that points at your customer managed key; when the secret still uses the AWS managed key aws/secretsmanager, the KmsKeyId field is omitted from the output.

Necessary Codes (if applicable):

No specific code samples are required for this rule since it revolves around configuring Secrets Manager and KMS settings using the AWS Management Console and CLI commands.

Remediation Steps:

Follow the step-by-step guide below to remediate the issue and ensure secrets stored in Secrets Manager are encrypted using a CMK compliant with NIST 800-53 Revision 5:

  1. Create a Customer Managed CMK (if required):

    • Open the AWS Management Console and navigate to the AWS Key Management Service (KMS) service.
    • Click on "Customer managed keys" and then click on the "Create key" button.
    • Follow the prompts to set up the CMK, providing a description and selecting the appropriate key administrators and key users.
    • Save the CMK's key ID for the next step.

  2. Associate the Customer Managed CMK with the Secret:

    • Open the AWS Management Console and navigate to the Secrets Manager service.
    • Click on the secret that needs to be associated with the CMK.
    • Under the "Encryption key" section, click on "Edit" and choose the customer managed CMK created in the previous step.
    • Save the changes, ensuring that the secret is now using the desired CMK for encryption.

  3. Validate Encryption Compliance:

    • Verify that the secret is now successfully encrypted using the customer managed CMK.
    • You can also use the AWS Command Line Interface (CLI) to retrieve detailed information about the secret's encryption status:

      aws secretsmanager describe-secret --secret-id [SECRET-ID]

      Replace [SECRET-ID] with the actual ID or ARN (Amazon Resource Name) of the secret.
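The validation step above checks one secret by hand; the following script, added here as an example and not part of the rule page or its tooling, applies the same check across many secrets by evaluating the JSON shape that describe-secret and KMS describe-key return, resolving the secret's KmsKeyId to the KeyManager value ("CUSTOMER" or "AWS") that KMS reports for the key. The secret names, key ARNs and KeyManager values are constructed samples so that the check runs offline; against a live account you would feed it boto3's describe_secret and describe_key responses instead.

```python
"""Added example (not the rule page's tooling): flag Secrets Manager secrets
that are not encrypted with a customer managed KMS key, using the JSON shape
of `aws secretsmanager describe-secret` and `aws kms describe-key`."""

AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"
KEY_ARN_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed

# Constructed describe-secret records. The API omits KmsKeyId entirely when
# the secret is encrypted with the AWS managed key aws/secretsmanager.
SAMPLE_SECRETS = [
    {"Name": "prod/db/password"},
    {"Name": "prod/api/token", "KmsKeyId": KEY_ARN_PREFIX + "EXAMPLE-CMK-1"},
    {"Name": "dev/legacy", "KmsKeyId": KEY_ARN_PREFIX + "EXAMPLE-AWS-KEY"},
    {"Name": "dev/orphan", "KmsKeyId": KEY_ARN_PREFIX + "EXAMPLE-DELETED"},
]
# Constructed KeyManager values as reported by describe-key, keyed by key ARN.
SAMPLE_KEY_MANAGER = {
    KEY_ARN_PREFIX + "EXAMPLE-CMK-1": "CUSTOMER",
    KEY_ARN_PREFIX + "EXAMPLE-AWS-KEY": "AWS",
}

def evaluate_secret(secret, key_manager_lookup):
    """Return (compliant, reason) for one describe-secret record; the lookup
    returns KeyManager from describe-key ("CUSTOMER"/"AWS") or None."""
    key_id = secret.get("KmsKeyId")
    if not key_id:
        return False, "no KmsKeyId: secret uses the AWS managed key"
    if key_id.endswith(AWS_MANAGED_ALIAS):
        return False, "KmsKeyId is the AWS managed alias " + AWS_MANAGED_ALIAS
    manager = key_manager_lookup(key_id)
    if manager == "CUSTOMER":
        return True, "customer managed key " + key_id
    if manager == "AWS":
        return False, key_id + " is an AWS managed key, not a CMK"
    # Deleted, pending deletion, or a cross-account key we cannot describe.
    return False, "key " + key_id + " could not be resolved in KMS"

def audit(secrets, key_manager):
    """Map each non-compliant secret name to the reason it failed."""
    findings = {}
    for secret in secrets:
        ok, reason = evaluate_secret(secret, key_manager.get)
        if not ok:
            findings[secret["Name"]] = reason
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_SECRETS, SAMPLE_KEY_MANAGER).items():
        print(f"NON-COMPLIANT {name}: {reason}")
```

A key that KMS cannot describe is reported as non-compliant rather than skipped, since a secret bound to a deleted or unreadable key is an availability problem as well as a compliance gap.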

By following these steps, you will successfully enforce the encryption of Secrets Manager secrets using a Customer Master Key (CMK) that aligns with the encryption standards defined by NIST 800-53 Revision 5.
