secretsmanager-using-cmk
Checks if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager
)
or a customer managed key that you created in AWS Key Management Service (AWS KMS). This rule is COMPLIANT if a secret is encrypted using a customer managed key.
This rule is NON_COMPLIANT if a secret is encrypted using aws/secretsmanager
.
Identifier: SECRETSMANAGER_USING_CMK
Trigger type: Configuration changes
AWS Region: All supported AWS regions except China (Beijing), China (Ningxia), AWS GovCloud (US-East), AWS GovCloud (US-West), Asia Pacific (Jakarta), Asia Pacific (Osaka) Region
Parameters:
- kmsKeyArns (Optional)
- Type: CSV
-
Comma-separated list of KMS key Amazon Resource Names (ARNs) to check if the keys are used in the encryption.
AWS CloudFormation template
To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.