secret-use-customer-key
Explanation
Secrets Manager encrypts secrets by default using an AWS managed key. To retain control and granularity over secret encryption (key policy, rotation, and audit of key use), a customer managed key (CMK) should be specified explicitly.
Possible Impact
Using AWS managed keys reduces the flexibility and control over the encryption key.
Suggested Resolution
Use customer managed keys
Insecure Example
The following example will fail the AVD-AWS-0098 check.
---
AWSTemplateFormatVersion: 2010-09-09
Description: Bad example of secret
Resources:
  BadSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: "secret"
      Name: "blah"
      SecretString: "don't tell anyone"
Secure Example
The following example will pass the AVD-AWS-0098 check.
---
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of secret
Resources:
  Secret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: "secret"
      KmsKeyId: "my-key-id"
      Name: "blah"
      SecretString: "don't tell anyone"
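The following script is an added example, not part of this page or of the scanner's own implementation: it applies the AVD-AWS-0098 rule to a parsed CloudFormation template (a dict as returned by json.load or yaml.safe_load) and lists the secrets that would fail. It goes slightly beyond the page by also treating an explicit reference to the AWS managed alias aws/secretsmanager as a failure, and by accepting intrinsic functions such as {"Ref": "MyKey"} as a customer managed key; the sample template and its logical IDs are constructed here from the two examples above.

```python
import json

SECRET_TYPE = "AWS::SecretsManager::Secret"
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"  # the AWS managed key Secrets Manager uses by default


def uses_customer_key(properties):
    """True when KmsKeyId is set to something other than the AWS managed key."""
    key = properties.get("KmsKeyId")
    if key is None:
        return False  # no KmsKeyId: Secrets Manager falls back to aws/secretsmanager
    if isinstance(key, dict):
        return True  # intrinsic such as {"Ref": "MyKey"}: points at a key defined elsewhere
    if not isinstance(key, str) or not key.strip():
        return False
    return not key.endswith(AWS_MANAGED_ALIAS)  # naming the AWS alias explicitly is still not a CMK


def find_failing_secrets(template):
    """Logical IDs of secrets in a parsed template that would fail AVD-AWS-0098."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SECRET_TYPE:
            continue
        if not uses_customer_key(resource.get("Properties") or {}):
            failing.append(logical_id)
    return failing


# Constructed sample: the page's two secrets plus two edge cases, in JSON template form
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BadSecret":     {"Type": "AWS::SecretsManager::Secret",
                      "Properties": {"Name": "blah", "SecretString": "don't tell anyone"}},
    "Secret":        {"Type": "AWS::SecretsManager::Secret",
                      "Properties": {"KmsKeyId": "my-key-id", "Name": "blah"}},
    "AliasedSecret": {"Type": "AWS::SecretsManager::Secret",
                      "Properties": {"KmsKeyId": "alias/aws/secretsmanager"}},
    "RefSecret":     {"Type": "AWS::SecretsManager::Secret",
                      "Properties": {"KmsKeyId": {"Ref": "MyKey"}}},
    "Unrelated":     {"Type": "AWS::KMS::Key", "Properties": {}}
  }
}
""")

if __name__ == "__main__":
    for logical_id in find_failing_secrets(SAMPLE_TEMPLATE):
        print(f"AVD-AWS-0098: {logical_id} is not encrypted with a customer managed key")
```

In a real template the key is normally referenced with !Ref or !GetAtt against an AWS::KMS::Key resource rather than a literal id such as "my-key-id".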