This rule ensures that Secrets Manager secrets are encrypted using CMK.
| Rule | Secrets Manager secrets should be encrypted using CMK |
| --- | --- |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule: Secrets Manager Secrets Encryption with CMK for NIST 800-53 Revision 5
Description
This rule ensures that all secrets stored in AWS Secrets Manager are encrypted using a Customer Master Key (CMK) that adheres to the encryption requirements specified in the NIST 800-53 Revision 5 security standard. The purpose of this rule is to enhance the security posture of secrets within the organization and protect sensitive information from unauthorized access.
Troubleshooting Steps
If secrets are not encrypted using CMK for NIST 800-53 Revision 5, follow the steps below to troubleshoot the issue:
1. Verify permissions: Ensure that the IAM user or role attempting to encrypt the secret has the necessary permissions to use AWS KMS for key management operations.
2. Check KMS key policy: Review the Key Management Service (KMS) key policy associated with the CMK being used for Secrets Manager encryption. Ensure that the policy allows the IAM user or role to perform the necessary encrypt and decrypt operations.
3. Validate CMK configuration: Verify that the CMK is configured to comply with the encryption requirements specified in NIST 800-53 Revision 5. Ensure the CMK uses a strong cryptographic algorithm, an appropriate key size, and secure key management practices.
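Before troubleshooting a particular secret it helps to know which secrets actually fail the rule. The evaluator below is an added example (not the rule author's checker) that applies the rule's condition to the shapes returned by the Secrets Manager DescribeSecret and KMS DescribeKey API calls: a secret encrypted with the AWS managed key `aws/secretsmanager` has no `KmsKeyId` in its DescribeSecret response, and a key with `KeyManager` other than `CUSTOMER` is not a customer managed key. The account id, key ids and secret names are constructed placeholders; in practice the two dicts would be filled from boto3 `describe_secret` and `describe_key` responses.

```python
"""Evaluate whether Secrets Manager secrets are encrypted with a customer managed KMS key.

Added example, not the rule page's own tooling. Operates on DescribeSecret / DescribeKey
response dicts so it runs offline against constructed samples.
"""

AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"


def evaluate_secret(secret: dict, keys: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for one DescribeSecret response.

    `keys` maps a key ARN to the DescribeKey `KeyMetadata` dict, so the key's
    `KeyManager` and `KeyState` fields can be checked as well.
    """
    key_ref = secret.get("KmsKeyId")
    if not key_ref:
        # DescribeSecret omits KmsKeyId when the default AWS managed key is in use.
        return False, "no KmsKeyId: secret uses the AWS managed key aws/secretsmanager"
    if key_ref.endswith(AWS_MANAGED_ALIAS):
        return False, "KmsKeyId names the AWS managed alias aws/secretsmanager"
    metadata = keys.get(key_ref)
    if metadata is None:
        return False, f"KmsKeyId {key_ref} could not be resolved with DescribeKey"
    manager = metadata.get("KeyManager")
    if manager != "CUSTOMER":
        return False, f"KmsKeyId {key_ref} is managed by {manager}, not the customer"
    state = metadata.get("KeyState")
    if state != "Enabled":
        return False, f"customer managed key {key_ref} is in state {state}"
    return True, f"encrypted with enabled customer managed key {key_ref}"


def evaluate_all(secrets: list[dict], keys: dict) -> dict[str, tuple[bool, str]]:
    """Evaluate a list of DescribeSecret responses, keyed by secret name."""
    return {s["Name"]: evaluate_secret(s, keys) for s in secrets}


# Constructed sample data: placeholder account id and key ids, not real resources.
CUSTOMER_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

SAMPLE_KEYS = {
    CUSTOMER_KEY: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    AWS_KEY: {"KeyManager": "AWS", "KeyState": "Enabled"},
}

SAMPLE_SECRETS = [
    {"Name": "prod/db/password"},  # no KmsKeyId: default AWS managed key
    {"Name": "prod/api/token", "KmsKeyId": CUSTOMER_KEY},
    {"Name": "legacy/ftp/creds", "KmsKeyId": "alias/aws/secretsmanager"},
    {"Name": "dev/cache/key", "KmsKeyId": AWS_KEY},
]

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_all(SAMPLE_SECRETS, SAMPLE_KEYS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Only `prod/api/token` passes in the sample; the other three fail for the three distinct reasons the rule cares about (default key, managed alias, AWS-managed key ARN), which is the breakdown a finding report should show rather than a bare pass/fail count.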
Necessary Code
To remediate the issue and encrypt secrets with CMK for NIST 800-53 Revision 5, follow these steps:
1. Create or identify an existing CMK in AWS Key Management Service (KMS) that adheres to the encryption requirements specified in NIST 800-53 Revision 5.
2. Grant necessary permissions: Update the key policy of the CMK to allow the IAM users or roles that need to encrypt Secrets Manager secrets to perform encryption and decryption operations. Sample key policy statement to allow the Secrets Manager service to encrypt secrets:

```json
{
  "Sid": "Allow Secrets Manager to encrypt using the key",
  "Effect": "Allow",
  "Principal": { "Service": "secretsmanager.amazonaws.com" },
  "Action": [ "kms:Encrypt", "kms:Decrypt" ],
  "Resource": "*"
}
```

Note that Secrets Manager calls KMS with the credentials of the principal that creates, updates or reads the secret, so the key policy must also grant those IAM users or roles the KMS actions they need (including `kms:GenerateDataKey`, which Secrets Manager uses when encrypting a secret value); a `kms:ViaService` condition on `secretsmanager.<region>.amazonaws.com` keeps that grant limited to use through Secrets Manager.

3. Update the secret to use the CMK:

```shell
aws secretsmanager update-secret --secret-id <secret-id> --kms-key-id <cmk-id>
```

Replace `<secret-id>` with the ID or ARN of the secret you want to update, and `<cmk-id>` with the ID or ARN of the CMK you want to use for encryption.

4. Verify that the secret now references the CMK:

```shell
aws secretsmanager describe-secret --secret-id <secret-id>
```
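The update-then-describe sequence above is easy to script across many secrets, and the describe step is what turns a fire-and-forget write into a verified remediation. The following is an added example (not the rule author's or AWS's code): `remediate` accepts any object with boto3 SecretsManager-style `update_secret` and `describe_secret` methods, skips secrets that already reference the target key, and raises if the read-back does not show the new key. It runs offline here against the constructed `FakeSecretsManager`; with a real `boto3.client("secretsmanager")` it performs the same two API calls. It assumes the caller's principal already has the KMS permissions on the target key that step 2 grants. Account ids, ARNs and secret names are placeholders.

```python
"""Re-key Secrets Manager secrets onto a customer managed KMS key and verify the change.

Added example, not the rule page's own tooling. The client is injected so the logic
can be exercised offline with the constructed fake below.
"""


class RemediationError(RuntimeError):
    """Raised when the secret does not reference the target key after the update."""


def remediate(client, secret_id: str, target_key_arn: str) -> dict:
    """Move one secret onto `target_key_arn`, then confirm it with DescribeSecret."""
    current = client.describe_secret(SecretId=secret_id)
    if current.get("KmsKeyId") == target_key_arn:
        return {"secret": secret_id, "changed": False, "kms_key_id": target_key_arn}

    # Same call as: aws secretsmanager update-secret --secret-id ... --kms-key-id ...
    client.update_secret(SecretId=secret_id, KmsKeyId=target_key_arn)

    # Read back rather than trusting the write (the describe-secret step from the page).
    after = client.describe_secret(SecretId=secret_id)
    if after.get("KmsKeyId") != target_key_arn:
        raise RemediationError(
            f"{secret_id}: KmsKeyId is {after.get('KmsKeyId')!r}, expected {target_key_arn}"
        )
    return {"secret": secret_id, "changed": True, "kms_key_id": target_key_arn}


class FakeSecretsManager:
    """Constructed stand-in for a boto3 secretsmanager client backed by a dict."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self.calls = []  # record of API calls, useful for asserting idempotence

    def describe_secret(self, SecretId: str) -> dict:
        self.calls.append(("describe_secret", SecretId))
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return dict(self._secrets[SecretId])

    def update_secret(self, SecretId: str, KmsKeyId: str) -> dict:
        self.calls.append(("update_secret", SecretId, KmsKeyId))
        self._secrets[SecretId]["KmsKeyId"] = KmsKeyId
        return {"ARN": self._secrets[SecretId]["ARN"], "Name": SecretId}


# Constructed sample: placeholder account id and key id, not real resources.
TARGET_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"


def sample_client() -> FakeSecretsManager:
    """Two sample secrets: one on the default AWS managed key, one already on TARGET_KEY."""
    return FakeSecretsManager({
        "prod/db/password": {
            "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db/password-AbCdEf",
            "Name": "prod/db/password",  # no KmsKeyId: AWS managed key
        },
        "prod/api/token": {
            "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/token-GhIjKl",
            "Name": "prod/api/token",
            "KmsKeyId": TARGET_KEY,
        },
    })


if __name__ == "__main__":
    client = sample_client()
    for secret_id in ("prod/db/password", "prod/api/token"):
        print(remediate(client, secret_id, TARGET_KEY))
```

Running it re-keys `prod/db/password` and leaves `prod/api/token` untouched, so the script can be re-run safely after a partial failure without issuing redundant UpdateSecret calls.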
Summary
Following this rule ensures that Secrets Manager secrets are encrypted using a CMK that complies with the encryption requirements specified in NIST 800-53 Revision 5. The troubleshooting steps and commands provided above help in identifying and remediating any issues with secrets encryption. Compliance with this rule enhances the security posture of sensitive information stored in Secrets Manager.