Secrets manager should specify KmsKeyId

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Secrets manager should specify KmsKeyId

Metadata

Id: cloudformation-aws-secrets-manager-should-specify-kms-key-id

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Secret Management

Learn More

Provider Reference

Description

Secrets stored in AWS Secrets Manager should explicitly specify a customer-managed KMS key to ensure you control key policies, enable audited key usage, and allow cross-account access when required.

For AWS::SecretsManager::Secret resources, Properties.KmsKeyId must be defined and should reference a customer-managed KMS key (key ARN, alias, or a Ref/GetAtt to an AWS::KMS::Key). Omitting KmsKeyId causes Secrets Manager to use the AWS-managed key, which does not support granting cross-account decrypt permissions. If you need to share secrets across accounts, ensure the referenced KMS key’s policy grants the necessary kms:Decrypt and kms:GenerateDataKey permissions to the target principals. Resources missing KmsKeyId will be flagged.

Secure configuration example:

MyKmsKey:
  Type: AWS::KMS::Key
  Properties:
    Description: KMS key for Secrets Manager

MySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Name: my-secret
    KmsKeyId: !Ref MyKmsKey

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  SecretsManagerSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString:
        GenerateSecretString
      KmsKeyId: String
      Name: String
      SecretString:
        String
      Tags:
        - Tag

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "SecretsManagerSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Description": "String",
        "GenerateSecretString": "GenerateSecretString",
        "KmsKeyId": "String",
        "Name": "String",
        "SecretString": "String",
        "Tags": [
          "Tag"
        ]
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  SecretsManagerSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: String
      GenerateSecretString:
        GenerateSecretString
      Name: String
      SecretString:
        String
      Tags:
        - Tag

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "SecretsManagerSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "String",
        "SecretString": "String",
        "Tags": [
          "Tag"
        ],
        "Description": "String",
        "GenerateSecretString": "GenerateSecretString"
      }
    }
  }
}