Description:
Secrets Manager uses envelope encryption with AWS KMS keys and data keys to protect each secret value. Whenever the secret value secret changes, Secrets Manager generates a new data key to protect it. The data key is encrypted under a KMS key and stored in the metadata of the secret. To decrypt the secret, Secrets Manager first decrypts the encrypted data key using the KMS key in AWS KMS.
Rationale:
Ensure that your Amazon Secrets Manager secrets (i.e. database credentials, API keys, OAuth tokens, etc) are encrypted with Amazon KMS Customer Master Keys (CMKs) instead of default encryption keys that the Secrets Manager service creates for you, to have more granular control over secret data encryption and decryption process, and meet compliance requirements.
Impact:
Secrets Manager uses Envelope encryption with AWS KMS keys and data keys to protect each secret value. Whenever the secret value secret changes, Secrets Manager generates a new data key to protect it. The data key is encrypted under a KMS key and stored in the metadata of the secret. To decrypt the secret, Secrets Manager first decrypts the encrypted data key using the KMS key in AWS KMS.
Default Value:
Secrets Manager encrypts all secrets by default using AWS Managed keys in your account.
Pre-Requisite:
The KMS key/(s) if customer-managed, must be present in the same region as the secret in AWS Secrets Manager.
Remediation:
Test plan:
Sign in to the AWS Management Console.
Navigate to the AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.
In the navigation panel, select Secrets.
Select the desired Secrets Manager secret and click on it to access the resource configuration details.
In the Details section you can see the encryption key encryption
Note: On the selected secret configuration page, within the Secret details section, check the Encryption key attribute value. If the configuration attribute value is set to DefaultEncryptionKey or aws/secretsmanager, the selected Amazon Secrets Manager secret is encrypted using the default encryption key that the AWS service created on your behalf.
Using AWS CLI
Run list-secrets command to list the names of all Secrets Manager secrets available in the selected AWS region
aws secretsmanager list-secrets
--region us-east-1
--query 'SecretList[*].Name'
This returns the names of the secrets available within the region:
Run the describe-secret command using the name of the secret that you want to examine as an identifier and custom query filters to return the ID of the AWS KMS Customer Master Key (CMK) used to encrypt the selected Secrets Manager secret information:
aws secretsmanager describe-secret --region us-east-1 --secret-id Nameofthesecret --query 'KmsKeyId'
This returns the requested resource ID:
Run describe-key command using the KMS key ID as identifier and custom query filters to describe the manager name i.e., either AWS or CUSTOMER of the encryption key used:
aws kms describe-key --region us-east-1 --key-id ResourceIDobtained --query 'KeyMetadata.KeyManager'
This returns the selected KMS key manager name.
If the value returned by the describe-key command output is "AWS", the encryption key manager is Amazon Web Services and not the AWS customer, therefore the selected Amazon Secrets Manager secret data is encrypted using the KMS default key (i.e. AWS-managed key) instead of using a customer-managed KMS CMK.
Implementation steps:
Sign in to the AWS Management Console.
Navigate to the AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.
In the navigation panel, select Secrets.
Select the desired secret and click on it to access the resource configuration details.
On the selected secret configuration page, within the Secret details section, click Actions.
Choose the Edit encryption key from the drop-down.
Click on the inverted arrow to view the list of available KMS keys.
Change the Encryption key attribute value to the desired KMS key(AWS Managed or Customer Managed)
Click on Save
Using AWS CLI
Creates a unique customer managed KMS key in your Amazon Web Services account and Region.
You can use the CreateKey
operation to create symmetric or asymmetric KMS keys by specifying in KeySpec
create-key [--policy <value>] [--description <value>] [--key-usage <value>] [--customer-master-key-spec <value>] [--key-spec <value>] [--origin <value>] [--custom-key-store-id <value>] [--bypass-policy-lockout-safety-check | --no-bypass-policy-lockout-safety-check] [--tags <value>] [--multi-region | --no-multi-region] [--cli-input-json <value>] [--generate-cli-skeleton <value>]
Example:
aws kms create-key \
--tags TagKey=Purpose,TagValue=Test \
--description "Development test key"
the CreateKey
command returns the key metadata.
adds or replaces the encryption key for this secret
aws secretsmanager update-secret --secret-id production/MyAwesomeAppSecret --kms-key-id arn:aws:kms:region:12digitaccountid:key/<keyid>
Backout Plan:
Secrets in AWS Secret Manager are encrypted by default using AWS Managed KMS keys.
We can only change the KMS key used to encrypt the secret but not delete the encryption on a secret.
Note:
Secrets Manager is a regional service
You cannot use the
CreateKey
operation to create a KMS key in a different Amazon Web Services account.Tagging or untagging a KMS key can allow or deny permission to the KMS key.
The
create-key
command does not let you specify an alias, To create an alias that points to the new CMK, uses thecreate-alias
command.When you change the encryption key, Secrets Manager re-encrypts versions of the secret that have the staging labels
AWSCURRENT
,AWSPENDING
, andAWSPREVIOUS
under the new encryption key.
Reference:
How AWS Secrets Manager uses AWS KMS - AWS Key Management Service
Secret encryption and decryption - AWS Secrets Manager