AWS Secrets Manager secret not encrypted by Customer Managed Key (CMK)

Description

This policy ensures that AWS Secrets Manager secrets are encrypted using a customer-managed key (CMK) in AWS Key Management Service (KMS). Using a CMK provides additional control over the encryption keys used to protect your secrets, allowing you to manage key policies, rotation, and usage. This policy checks whether the `KmsKeyId` property is set to a value that does not contain the prefix `aws/` which indicates the use of the default AWS-managed key.

Code Example

resource "aws_secretsmanager_secret" "enabled" {
   ...
 + kms_key_id = var.kms_key_id
}

Remediation

Terraform

Resource: aws_secretsmanager_secret
Arguments: kms_key_id

Rule Details

Field	Value
ID	IAC-0199
Severity	LOW
IaC Type	Cloudformation
Frameworks	CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID	CKV_AWS_149

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

AWS Secrets Manager secret not encrypted by Customer Managed Key (CMK)

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

AWS Secrets Manager secret not encrypted by Customer Managed Key (CMK) ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

AWS Secrets Manager secret not encrypted by Customer Managed Key (CMK)

Description

Code Example

Remediation

Rule Details

References