Secret Encrypted With KMS Customer Master Keys

Risk level: High (not acceptable risk)

Rule ID: SecretsManager-001

Ensure that your Amazon Secrets Manager secrets (i.e. database credentials, API keys, OAuth tokens, etc) are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of default encryption keys that Secrets Manager service creates for you, in order to have a more granular control over secret data encryption and decryption process, and meet compliance requirements.

This rule can help you with the following compliance standards:

General Data Protection Regulation (GDPR)
APRA
MAS
NIST 800-53 (Rev. 4)

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

By default, your secret information is encrypted using the default encryption key that Secrets Manager creates on your behalf. But when you use your own Amazon KMS Customer Master Key (CMK) to protect the secret data managed by AWS Secrets Manager service, you get full control over who can use the encryption key to access your secrets. Amazon Key Management Service (KMS) allows you to easily create, rotate, disable and audit Customer Master Keys created for your Secrets Manager secrets.

Note: When using customer-managed CMKs to encrypt Secrets Manager secret data, the IAM user or role that needs to read the secret later must have the "kms:Decrypt" permission for that KMS CMK.

Audit

To determine the encryption status and configuration for your Amazon Secrets Manager secrets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Choose the Secrets Manager secret that you want to examine, then click on its name (link) to access the resource configuration details.

05 On the selected secret configuration page, within the Secret details section, check the Encryption key attribute value. If the configuration attribute value is set to DefaultEncryptionKey or aws/secretsmanager, the selected Amazon Secrets Manager secret is encrypted using the default encryption key that AWS service created on your behalf.

06 Repeat step no. 4 and 5 for each Secrets Manager secret available in the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-secrets command (OSX/Linux/UNIX) to list the names of all Secrets Manager secrets available in the selected AWS region (US East - N. Virginia):

aws secretsmanager list-secrets
	--region us-east-1
	--query 'SecretList[*].Name'

02 The command output should return the names of the secrets available within the region:

[
    "cc-prod-db-credentials",
    "cc-project5-credentials",
    "cc-backend-api-access"
]

03 Run describe-secret command (OSX/Linux/UNIX) using the name of the secret that you want to examine as identifier and custom query filters to return the ID of the AWS KMS Customer Master Key (CMK) used to encrypt the selected Secrets Manager secret information:

aws secretsmanager describe-secret
	--region us-east-1
	--secret-id cc-prod-db-credentials
	--query 'KmsKeyId'

04 The command output should return the requested resource ID:

"abcdabcd-1234-1234-1234-abcdabcdabcd"

05 Run describe-key command (OSX/Linux/UNIX) using the KMS key ID returned at the previous step as identifier and custom query filters to describe the manager name (either "AWS" or "CUSTOMER") of the encryption key used:

aws kms describe-key
	--region us-east-1
	--key-id abcdabcd-1234-1234-1234-abcdabcdabcd
	--query 'KeyMetadata.KeyManager'

06 The command output should return the selected KMS key manager name:

"AWS"

If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected Amazon Secrets Manager secret data is encrypted using the KMS default key (i.e. AWS-managed key) instead of using a customer-managed KMS CMK.

07 Repeat steps no. 3 – 6 for each Secrets Manager secret available within the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire process for other regions.

Remediation / Resolution

To configure existing Amazon Secrets Manager secrets to encrypt their data using customer-managed KMS Customer Master Keys (CMKs), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel click Encryption Keys.

04 Select the appropriate AWS region from the Filter menu (must match the region where the secret that you want to encrypt with the new key was created).

05 Click Create Key button from the dashboard top menu.

06 In the Alias (required) and Description fields, enter a unique name (alias) and a description for the new CMK, then click the Next Step button.

07 Under Key Administrators section, select which IAM users and/or roles can administer the new CMK, then click Next Step.

08 Under This Account section, select which IAM users and/or roles can use the new CMK to encrypt/decrypt the secret data with the AWS KMS API.

09 (Optional) Under External Accounts section, click Add an External Account and enter an external account ID in order to add another AWS account that can use this CMK to encrypt/decrypt the Secrets Manager secret information. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users.

10 Click Next Step to continue the process.

11 Under Preview Key Policy section, review the key policy generated by AWS then click Finish to create your new CMK. Once the key is created, the KMS dashboard will display a confirmation message: "Your master key was created successfully. Alias: <cmk-alias>".

12 Once the customer-managed CMK has been created, navigate to AWS Secrets Manager service dashboard at https://console.aws.amazon.com/secretsmanager/.

13 In the navigation panel, select Secrets.

14 Choose the Secrets Manager secret that you want to reconfigure, then click on its name (link) to access its configuration details.

15 On the selected secret configuration page, click the Actions dropdown menu from the dashboard top menu and select Edit encryption key option.

16 In the Edit encryption key dialog box, choose the name (alias) of the customer-managed KMS Customer Master Key created earlier from the Select the encryption key dropdown list, then click Save to apply the changes.

17 Repeat steps no. 14 – 16 for each Secrets Manager secret that you want to encrypt using your new KMS CMK, available in the current AWS region.

18 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Define the required IAM policy that enables the selected IAM users and/or roles to administer the new customer-managed CMK and to encrypt/decrypt AWS Secrets Manager data using the KMS API. Create a new policy document, name it secrets-cmk-iam-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs of the IAM users and/or roles, with your own IAM details):

{
  "Version": "2012-10-17",
  "Id": "aws-secrets-manager-cmk-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cc-secrets-manager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-secrets-admin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/cc-secrets-admin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

02 Run create-key command (OSX/Linux/UNIX) using the file name of the policy document created at the previous step (i.e. secrets-cmk-iam-policy.json) as command parameter to create the new Amazon KMS CMK:

aws kms create-key
	--region us-east-1
	--description 'Customer-managed CMK for AWS Secrets Manager secrets'
	--policy file://secrets-cmk-iam-policy.json

03 The command output should return the new KMS CMK metadata. Copy the CMK Amazon Resource Name (Arn parameter value – highlighted) as this ID will be required later when you have to specify the key required for AWS Secrets Manager data encryption:

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "abcd1234-1234-abcd-1234-abcd1234abcd",
        "Description": "Customer-managed CMK for AWS Secrets Manager secrets",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1517238743.120,
        "Arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd",
        "AWSAccountId": "123456789012"
    }
}

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command does not produce an output):

aws kms create-alias
	--region us-east-1
	--alias-name alias/secrets-manager-data-cmk
	--target-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd

05 Run update-secret command (OSX/Linux/UNIX) using the name of the Amazon Secrets Manager secret that you want to reconfigure as identifier (see Audit section part II to identify the right resource) and the ARN of the KMS Customer Master Key (CMK) created earlier as parameter, to update the configuration of the selected secret with the specified KMS key:

aws secretsmanager update-secret
	--region us-east-1
	--secret-id cc-prod-db-credentials
	--kms-key-id arn:aws:kms:us-east-1:123456789012:key/12345678-abcd-1234-abcd-12345678abcd

06 The command output should return the reconfigured AWS Secrets Manager secret metadata:

{
    "Name": "cc-prod-db-credentials",
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-prod-db-credentials-ABC123"
}

07 Repeat steps no. 5 and 6 for each Amazon Secrets Manager secret that you want to encrypt using your custom KMS CMK, available in the selected AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.

References

AWS Command Line Interface (CLI) Documentation
secretsmanager
list-secrets
describe-secret
update-secret
kms
describe-key
create-key
create-alias

Publication date Dec 18, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Secret Encrypted With KMS Customer Master Keys

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related SecretsManager rules