Rule: Secrets Manager secrets should be encrypted using CMK
This rule ensures that all Secrets Manager secrets are encrypted using CMK for added security.
| Rule | Secrets Manager secrets should be encrypted using CMK |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description
According to the NIST 800-53 Revision 5 security guidelines, Secrets Manager secrets must be encrypted using a Customer Master Key (CMK). This ensures that sensitive information stored in Secrets Manager remains protected and inaccessible to unauthorized individuals or entities.
Troubleshooting Steps (if applicable)
If you encounter any issues related to encrypting Secrets Manager secrets using a CMK, follow the troubleshooting steps below:
- 1.
Check IAM policies: Ensure that the AWS Identity and Access Management (IAM) policies assigned to the user or role attempting to encrypt the secrets have the necessary permissions to use and access CMKs.
- 2.
Verify CMK permissions: Confirm that the CMK used for encrypting Secrets Manager secrets has the appropriate key policies allowing the necessary actions (e.g., Encrypt, Decrypt) for the intended users or roles.
- 3.
Check the AWS KMS region: Ensure that Secrets Manager and the CMK used for encryption are within the same AWS Key Management Service (KMS) region. Secrets Manager and CMKs must exist in the same region for successful encryption.
Necessary Codes (if applicable)
No specific codes are required for this rule. However, you need to ensure that you have a CMK created and available to use for encrypting Secrets Manager secrets. Additionally, the user or role attempting to encrypt the secrets must have the necessary permissions to interact with the CMK.
Step-by-Step Guide for Remediation
To comply with the rule of encrypting Secrets Manager secrets using a CMK as per NIST 800-53 Revision 5, follow the step-by-step guide below:
- 1.
Create or identify an existing CMK: In the AWS Management Console, navigate to the AWS Key Management Service (KMS) dashboard. Create a new CMK if one doesn't exist or identify an existing CMK that you want to use for encrypting Secrets Manager secrets.
- 2.
Set appropriate CMK key policies: Ensure that the CMK's key policies grant the necessary permissions for the intended users or roles. These policies should include the
andkms:Encrypt
actions to allow encryption and decryption of Secrets Manager secrets.kms:Decrypt - 3.
Assign IAM policies: Configure the IAM policies for users or roles that will be interacting with Secrets Manager and CMKs. Grant the necessary permissions to these entities, specifically allowing them to perform the
andsecretsmanager:CreateSecret
actions using the specified CMK.secretsmanager:PutSecretValue - 4.
Encrypt Secrets Manager secrets: Using the AWS Management Console, AWS CLI, or SDK, encrypt the existing Secrets Manager secrets or any new secrets created in the future. Ensure that you specify the CMK to be used for encryption during the encryption process.
- 5.
Verify encryption: After encrypting the secrets, validate that they are now stored in Secrets Manager with the desired CMK encryption. You can check this by accessing the Secrets Manager secret and reviewing the encryption details.
By following the steps outlined above, you can successfully encrypt Secrets Manager secrets using a CMK in compliance with the NIST 800-53 Revision 5 security guidelines.