Secrets Manager should use customer managed keys
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | ssm |
| Provider | AWS |
## Description
Secrets in AWS Secrets Manager are encrypted with the default AWS managed key rather than a customer managed key. This limits control over key rotation, access permissions, and auditability of secret encryption.
## Impact
Relying on AWS-managed keys reduces the ability to enforce strict access controls and monitor key usage. In the event of a compromise, it may be harder to revoke access, investigate incidents, or meet compliance requirements, potentially exposing sensitive secrets.
## Resolution
Create a customer managed KMS key and specify it as the encryption key for the secret, so that key rotation, the key policy, and key-usage logging are under your control.
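The weak and corrected configurations side by side, as an added Terraform example that is not part of this page (it assumes the AWS Terraform provider; the secret names and the `app-secret-reader` role are placeholders):

```hcl
# Weak: no kms_key_id, so the secret falls back to the AWS managed key aws/secretsmanager.
resource "aws_secretsmanager_secret" "weak" {
  name = "example/db-password" # placeholder name
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Customer managed key: rotation on, and a policy that lets the application role
# use the key only through Secrets Manager (kms:ViaService), not directly.
resource "aws_kms_key" "secrets" {
  description             = "CMK for Secrets Manager secrets"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keep account-level administration so the key cannot become unmanageable.
        Sid       = "KeyAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "UseOnlyViaSecretsManager"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-secret-reader" } # hypothetical role
        Action    = ["kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
        Condition = {
          StringEquals = { "kms:ViaService" = "secretsmanager.${data.aws_region.current.name}.amazonaws.com" }
        }
      }
    ]
  })
}

# Fixed: the same kind of secret, now encrypted with the customer managed key above.
resource "aws_secretsmanager_secret" "fixed" {
  name       = "example/db-password-cmk" # placeholder name
  kms_key_id = aws_kms_key.secrets.arn
}
```

Decrypt calls made through the key then appear in CloudTrail as `kms:Decrypt` events against this key, which is what makes access to the secret auditable and revocable by editing the key policy.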