AWS095 - Secrets Manager should use customer managed keys


Secrets Manager encrypts every secret value with a KMS key. If none is specified it uses the AWS managed key aws/secretsmanager, whose key policy is controlled by AWS: you cannot restrict which principals may use it, grant another account permission to decrypt the secret, or disable it to revoke access. Setting kms_key_id to a customer managed key (CMK) explicitly puts the key policy, rotation and lifecycle under your control and lets you audit and restrict use of that specific key. This check fails any aws_secretsmanager_secret resource that does not set kms_key_id.

Insecure Example

The following example will fail the AWS095 check.

resource "aws_secretsmanager_secret" "bad_example" {
  name = "lambda_password"
  # No kms_key_id: the secret value is encrypted with the AWS managed key aws/secretsmanager.
}

Secure Example

The following example will pass the AWS095 check.

resource "aws_kms_key" "secrets" {
  enable_key_rotation = true
}

resource "aws_secretsmanager_secret" "good_example" {
  name       = "lambda_password"
  kms_key_id = aws_kms_key.secrets.arn
  # The principals that read or write this secret also need kms:Decrypt and
  # kms:GenerateDataKey on the key above, via IAM or the key policy.
}
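To apply the same rule outside tfsec, for example in a CI job that already produces a plan, here is an added Python example (not tfsec's own code) that reads terraform show -json output and reports every aws_secretsmanager_secret that would not use a customer managed key. It goes one step beyond the tfsec check by also failing a kms_key_id that points at the AWS managed alias alias/aws/secretsmanager, which is equivalent to omitting it. The plan fragment embedded in it is hand-constructed to mirror the insecure and secure examples above; real plan files are read from the path given on the command line.

```python
"""AWS095 reimplemented over `terraform show -json` plan output.

Added example, not tfsec's code. Usage:
    terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.json
    python aws095.py plan.json
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Alias of the AWS managed key Secrets Manager falls back to when no key is given.
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"


def uses_customer_managed_key(change: dict[str, Any]) -> bool:
    """Return True when a planned aws_secretsmanager_secret names a CMK.

    `change` is the "change" object of one entry in the plan's
    resource_changes list.
    """
    after = change.get("after") or {}
    after_unknown = change.get("after_unknown") or {}
    key = after.get("kms_key_id")
    if key is None:
        # A reference such as aws_kms_key.secrets.arn to a key created in the
        # same plan has no value yet, so Terraform lists it under after_unknown
        # rather than after. That is still an explicit CMK and passes.
        return bool(after_unknown.get("kms_key_id"))
    if not key:
        return False
    # Naming the AWS managed alias, bare or as an ARN, is the same as omitting
    # the attribute; fail it even though tfsec only checks for presence.
    if key == AWS_MANAGED_ALIAS or key.endswith(":" + AWS_MANAGED_ALIAS):
        return False
    return True


def find_aws095_failures(plan: dict[str, Any]) -> list[str]:
    """Return the addresses of secrets in the plan that fail AWS095."""
    failures: list[str] = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_secretsmanager_secret":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # a secret being removed has no "after" state to judge
        if not uses_customer_managed_key(change):
            failures.append(rc["address"])
    return failures


# Constructed plan fragment (hand-written, not real terraform output) mirroring
# the examples above: the insecure secret, a secret naming the AWS managed
# alias, and the secure secret referencing a key created in the same plan.
SAMPLE_PLAN: dict[str, Any] = {
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "aws_kms_key.secrets",
            "type": "aws_kms_key",
            "change": {"actions": ["create"],
                       "after": {"enable_key_rotation": True},
                       "after_unknown": {"arn": True, "id": True}},
        },
        {
            "address": "aws_secretsmanager_secret.bad_example",
            "type": "aws_secretsmanager_secret",
            "change": {"actions": ["create"],
                       "after": {"name": "lambda_password"},
                       "after_unknown": {"arn": True, "id": True}},
        },
        {
            "address": "aws_secretsmanager_secret.managed_alias",
            "type": "aws_secretsmanager_secret",
            "change": {"actions": ["create"],
                       "after": {"name": "db_password",
                                 "kms_key_id": AWS_MANAGED_ALIAS},
                       "after_unknown": {"arn": True, "id": True}},
        },
        {
            "address": "aws_secretsmanager_secret.good_example",
            "type": "aws_secretsmanager_secret",
            "change": {"actions": ["create"],
                       "after": {"name": "lambda_password"},
                       "after_unknown": {"arn": True, "id": True,
                                         "kms_key_id": True}},
        },
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    failures = find_aws095_failures(plan)
    for address in failures:
        print(f"AWS095: {address} does not use a customer managed key")
    sys.exit(1 if failures else 0)
```

Run against the embedded sample it reports bad_example and managed_alias and exits non-zero; good_example passes because its kms_key_id is an unknown-at-plan-time reference to aws_kms_key.secrets. A bare key ID for the AWS managed key cannot be distinguished from a CMK without calling KMS, so the alias match is the only managed-key form this offline check catches.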