secret-use-customer-key
Default Severity: low
Explanation
Secrets Manager encrypts secrets by default using a default key created by AWS. To ensure control and granularity of secret encryption, CMK's should be used explicitly.
Possible Impact
Using AWS managed keys reduces the flexibility and control over the encryption key
Suggested Resolution
Use customer managed keys
Insecure Example
The following example will fail the aws-ssm-secret-use-customer-key check.
resource "aws_secretsmanager_secret" "bad_example" {
name = "lambda_password"
}
Secure Example
The following example will pass the aws-ssm-secret-use-customer-key check.
resource "aws_kms_key" "secrets" {
enable_key_rotation = true
}
resource "aws_secretsmanager_secret" "good_example" {
name = "lambda_password"
kms_key_id = aws_kms_key.secrets.arn
}