Secrets Manager secrets should be encrypted using CMK

2. 1.

   Invalid encryption key: Verify that the CMK being used for encrypting the Secrets Manager secrets is compliant with NIST 800-53 Revision 5. If not, create a new CMK or update the existing CMK to meet the required standards.

4. 2.

   Misconfigured access permissions: Ensure that the IAM policies and roles associated with the CMK have appropriate access permissions to encrypt and decrypt the secrets stored in AWS Secrets Manager.

6. 3.

   Secrets not encrypted: Check whether there are any secrets in AWS Secrets Manager that are not encrypted using a CMK. Encrypt these secrets using a CMK that complies with NIST 800-53 Revision 5.

2. 1.
   Create a CMK:

aws kms create-key --description "CMK for NIST 800-53 Revision 5" --key-usage ENCRYPT_DECRYPT

2. 1.
   Update an existing CMK policy:

aws kms put-key-policy --key-id <key-id> --policy-name default --policy '{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<IAM User ARN>"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}'

<key-id>

<IAM User ARN>

2. 1.
   Encrypt a secret using a CMK:

aws secretsmanager update-secret --secret-id <secret-id> --kms-key-id <key-id>

<secret-id>

<key-id>

2. 1.

   Identify the secrets that are not encrypted using a CMK that complies with NIST 800-53 Revision 5.

4. 2.

   Create or update a CMK to meet the encryption standards defined in NIST 800-53 Revision 5.

6. 3.

   Update the CMK policy to grant appropriate access permissions to IAM users or roles.

8. 4.

   Encrypt the non-compliant secrets using the CMK that meets the required standards.

10. 5.

    Regularly monitor and audit the encryption status of secrets in AWS Secrets Manager to ensure ongoing compliance with the rule.