Ensure that AWS Secrets Manager service enforces data-at-rest encryption using KMS CMKs

Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret with a unique data key that is protected by an AWS KMS customer master key (CMK). This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the CMK and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.

Risk Level: High
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.AWS.CRY.50
Category: Security, Identity, & Compliance


SecretManager should not have kmsKeyId isEmpty()


From console

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager
  2. From the list of secrets, choose your secret.
  3. On the secret details page, To update the encryption key, in the Secrets details section, choose Actions, and then choose Edit encryption key.
  4. Select the KMS key or aws/secretsmanager.

From Command Line

  1. Use the following CLI command to update the kms hey associated with the secret:
aws secretsmanager update-secret --secret-id MY_SECRET_ID --kms-key-id KMS_KEY_ID

From TF

resource "aws_secretsmanager_secret" "example" {
	name = "example"
	kms_key_id = "KMS_KEY_ID"


  1. https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/update-secret.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id

Amazon Secrets Manager

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0