Secrets Manager secret is not encrypted using KMS Customer Managed Key (CMK)

Description

By default, Secrets Manager secrets are encrypted using the AWS-managed key aws/secretsmanager. It is best practice to explicitly provide a customer managed key (CMK) to use instead.

Fix - Buildtime

Terraform

  • Resource: aws_secretsmanager_secret
  • Argument: kms_key_id
resource "aws_secretsmanager_secret" "enabled" {
   ...
 + kms_key_id = var.kms_key_id
}
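
The same check can be run against a Terraform plan before apply. The script below is an added example, not code from this page or from the policy's own implementation. It assumes the plan was exported with `terraform show -json`, and the function name, the sample plan, the account ID and the key ID in it are all constructed for illustration.

```python
import json

AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"

# Constructed sample: only the "resource_changes" part of `terraform show -json` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_secretsmanager_secret.no_key", "type": "aws_secretsmanager_secret",
   "change": {"actions": ["create"], "after": {"kms_key_id": null}, "after_unknown": {}}},
  {"address": "aws_secretsmanager_secret.default_alias", "type": "aws_secretsmanager_secret",
   "change": {"actions": ["update"], "after": {"kms_key_id": "alias/aws/secretsmanager"},
              "after_unknown": {}}},
  {"address": "aws_secretsmanager_secret.cmk_literal", "type": "aws_secretsmanager_secret",
   "change": {"actions": ["create"], "after_unknown": {}, "after": {"kms_key_id":
     "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}}},
  {"address": "aws_secretsmanager_secret.cmk_computed", "type": "aws_secretsmanager_secret",
   "change": {"actions": ["create"], "after": {}, "after_unknown": {"kms_key_id": true}}},
  {"address": "aws_secretsmanager_secret.removed", "type": "aws_secretsmanager_secret",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "aws_kms_key.secrets", "type": "aws_kms_key",
   "change": {"actions": ["create"], "after": {}, "after_unknown": {"arn": true}}}
]}
""")

def secrets_without_cmk(plan):
    """Return (address, reason) for each planned secret that would use the default key."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_secretsmanager_secret":
            continue
        change = rc.get("change") or {}
        if change.get("actions") == ["delete"]:
            continue  # resource is being destroyed, nothing left to encrypt
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        key = after.get("kms_key_id")
        if key is None and unknown.get("kms_key_id") is True:
            continue  # set, but computed at apply time (e.g. a key created in this plan)
        if not key:
            findings.append((rc["address"], "kms_key_id not set"))
        elif key == AWS_MANAGED_ALIAS or key.endswith(":" + AWS_MANAGED_ALIAS):
            findings.append((rc["address"], "kms_key_id is the AWS-managed key"))
    return findings

if __name__ == "__main__":
    for address, reason in secrets_without_cmk(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}")
```

A kms_key_id given as a bare key ID or key ARN cannot be told apart from the AWS-managed key using the plan alone, so this check only catches the unset case and the default alias.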