
Secrets Manager secret is not encrypted using KMS Customer Managed Key (CMK)

Description

By default, Secrets Manager encrypts secrets with the AWS-managed key aws/secretsmanager. It is best practice to explicitly provide a customer managed key (CMK) instead: a CMK has a key policy that you control, so you can restrict which principals are allowed to decrypt the secret, grant cross-account access to it (which is not possible with the AWS-managed key), rotate the key on a schedule you own, and audit every use of the key in CloudTrail.

Fix - Buildtime

Terraform

  • Resource: aws_secretsmanager_secret
  • Argument: kms_key_id

```hcl
# aws_s3_bucket.test.tf
resource "aws_secretsmanager_secret" "enabled" {
  ...
  + kms_key_id = var.kms_key_id
}
```
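The fragment above only shows the argument to add. The following is an added, complete example (not code from the original page) that creates the CMK the secret will reference, gives it a key policy that lets an application role decrypt secrets only through Secrets Manager, and places the failing and the passing secret side by side. The resource names, the `app-secrets-reader` role, the secret names and the `aws_region` variable are assumptions for illustration.

```hcl
# Added example, not from the original page. The role name, secret names,
# alias and the aws_region variable are assumed for illustration.

variable "aws_region" {
  description = "Region the CMK and the secrets live in (KMS keys are regional)"
  type        = string
  default     = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Customer managed key for Secrets Manager. Rotation is enabled so the
# backing key material is rotated yearly without changing the key ARN.
resource "aws_kms_key" "secrets" {
  description             = "CMK for Secrets Manager secrets"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keep the account root able to administer the key; without this
        # statement the key can become unmanageable.
        Sid       = "EnableKeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # The application role may use the key, but only when the request
        # arrives through Secrets Manager in this region (kms:ViaService),
        # so the role cannot decrypt arbitrary ciphertext with the key.
        Sid       = "AllowUseThroughSecretsManagerOnly"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-secrets-reader" }
        Action    = ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"]
        Resource  = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService" = "secretsmanager.${var.aws_region}.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_kms_alias" "secrets" {
  name          = "alias/secretsmanager-cmk"
  target_key_id = aws_kms_key.secrets.key_id
}

# Fails the check: no kms_key_id, so the secret is encrypted with the
# AWS-managed key aws/secretsmanager and its key policy cannot be changed.
resource "aws_secretsmanager_secret" "default_key" {
  name = "app/db-password-default"
}

# Passes the check: the secret is encrypted with the CMK defined above.
resource "aws_secretsmanager_secret" "cmk" {
  name       = "app/db-password"
  kms_key_id = aws_kms_key.secrets.arn
}
```

Referencing the key by ARN (or by alias) rather than by a hard-coded key ID keeps the dependency explicit in the plan, so Terraform creates the key before the secret. Note that the CMK must be in the same region as the secret, and that changing `kms_key_id` on an existing secret only affects new secret versions; existing versions stay encrypted under the old key until they are rewritten. Running `checkov -d .` against this directory reports the `default_key` resource as failing and `cmk` as passing.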