Control: Secrets Manager secrets should be encrypted using CMK
Description
Ensure that all secrets in AWS Secrets Manager are encrypted using either the AWS managed key (aws/secretsmanager) or a customer managed key (CMK) created in AWS Key Management Service (AWS KMS). The control reports a secret as compliant when it is encrypted with a customer managed key, and as non-compliant when it is encrypted with aws/secretsmanager.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.secretsmanager_secret_encrypted_with_kms_cmk
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.secretsmanager_secret_encrypted_with_kms_cmk --share
SQL
This control uses a named query:
with encryption_keys as (
  select distinct
    s.arn,
    k.aliases as alias
  from
    aws_secretsmanager_secret as s
    left join aws_kms_key as k on k.arn = s.kms_key_id
  where
    jsonb_array_length(k.aliases) > 0
)
select
  s.arn as resource,
  case
    when kms_key_id is null
      or kms_key_id = 'alias/aws/secretsmanager'
      or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then 'alarm'
    else 'ok'
  end as status,
  case
    when kms_key_id is null then title || ' not encrypted with KMS.'
    when kms_key_id = 'alias/aws/secretsmanager'
      or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then title || ' encrypted with AWS managed key.'
    else title || ' encrypted with CMK.'
  end as reason,
  region,
  account_id
from
  aws_secretsmanager_secret as s
  left join encryption_keys as k on s.arn = k.arn;
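The query above has to handle three shapes of kms_key_id: absent, the literal alias of the AWS managed key, and a key ARN that can only be recognised as the AWS managed key by looking up its aliases in aws_kms_key (that is what the encryption_keys CTE and the @> containment test do). The following Python is an added example, not part of the aws_compliance mod, that re-implements that classification over constructed sample rows so the three outcomes can be exercised offline. The key ARNs, secret ARNs and alias names are made up for the example; the status and reason strings match the query.

```python
# Added example: re-implements the control's status/reason logic in Python
# over constructed sample rows (nothing here talks to AWS).

AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"

# Constructed sample of aws_kms_key rows, keyed by key ARN, with the
# `aliases` jsonb column represented as a list of dicts. ARNs are made up.
SAMPLE_KMS_KEYS = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-0000": [
        {"AliasName": "alias/aws/secretsmanager"},
    ],
    "arn:aws:kms:us-east-1:111122223333:key/cmk-1111": [
        {"AliasName": "alias/app/secrets"},
    ],
    # A CMK with no alias: the CTE's jsonb_array_length(...) > 0 filter
    # drops it, so the secret falls through to the 'ok' branch.
    "arn:aws:kms:us-east-1:111122223333:key/cmk-no-alias": [],
}

# Constructed sample of aws_secretsmanager_secret rows (made-up ARNs).
SAMPLE_SECRETS = [
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-password",
     "title": "db-password", "kms_key_id": None,
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-token",
     "title": "api-token", "kms_key_id": "alias/aws/secretsmanager",
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:smtp-creds",
     "title": "smtp-creds",
     "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-0000",
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:oauth-client",
     "title": "oauth-client",
     "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/cmk-1111",
     "region": "us-east-1", "account_id": "111122223333"},
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:signing-key",
     "title": "signing-key",
     "kms_key_id": "arn:aws:kms:us-east-1:111122223333:key/cmk-no-alias",
     "region": "us-east-1", "account_id": "111122223333"},
]


def uses_aws_managed_key(kms_key_id, kms_keys):
    """True when the secret references the AWS managed key, either directly
    by alias or via a key ARN whose alias list contains that alias.
    The second test mirrors k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'."""
    if kms_key_id == AWS_MANAGED_ALIAS:
        return True
    aliases = kms_keys.get(kms_key_id, [])
    return any(a.get("AliasName") == AWS_MANAGED_ALIAS for a in aliases)


def evaluate_secret(secret, kms_keys):
    """Return one result row with the same columns as the control query."""
    kms_key_id = secret.get("kms_key_id")
    title = secret["title"]
    if kms_key_id is None:
        status, reason = "alarm", f"{title} not encrypted with KMS."
    elif uses_aws_managed_key(kms_key_id, kms_keys):
        status, reason = "alarm", f"{title} encrypted with AWS managed key."
    else:
        status, reason = "ok", f"{title} encrypted with CMK."
    return {
        "resource": secret["arn"],
        "status": status,
        "reason": reason,
        "region": secret["region"],
        "account_id": secret["account_id"],
    }


def evaluate_all(secrets, kms_keys):
    """Evaluate every secret; equivalent to running the control over the tables."""
    return [evaluate_secret(s, kms_keys) for s in secrets]


def status_counts(results):
    """Tally results by status, as the control summary would."""
    counts = {"alarm": 0, "ok": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    rows = evaluate_all(SAMPLE_SECRETS, SAMPLE_KMS_KEYS)
    for row in rows:
        print(f"{row['status']:5}  {row['reason']}")
    print(status_counts(rows))
```

Two things worth noting when reading results. A missing kms_key_id on a secret means Secrets Manager fell back to the AWS managed key, so the "not encrypted with KMS" wording describes the absence of an explicit key reference rather than an unencrypted secret; both that case and an explicit aws/secretsmanager reference are alarms for the same underlying reason. And because the lookup only recognises the AWS managed key through its alias, a CMK with no alias at all is still reported as ok, as the signing-key row shows.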