secretsmanager-using-cmk - Amazon Config
Amazon CloudFormation template
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

secretsmanager-using-cmk

Checks if all secrets in Amazon Secrets Manager are encrypted using the Amazon managed key (aws/secretsmanager) or a customer managed key that was created in Amazon Key Management Service (Amazon KMS). The rule is COMPLIANT if a secret is encrypted using a customer managed key. This rule is NON_COMPLIANT if a secret is encrypted using aws/secretsmanager.

Note

This rule does not have access to cross-account customer managed keys and evaluates secrets as NON_COMPLIANT when a cross-account key is used.

Identifier: SECRETSMANAGER_USING_CMK

Resource Types: AWS::SecretsManager::Secret

Trigger type: Configuration changes

Amazon Web Services Region: All supported Amazon regions except Asia Pacific (Taipei) Region

Parameters:

kmsKeyArns (Optional)
Type: CSV

Comma-separated list of KMS key Amazon Resource Names (ARNs) to check if the keys are used in the encryption.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.