# secretsmanager-using-cmk
<a name="secretsmanager-using-cmk"></a>

Checks if all secrets in Amazon Secrets Manager are encrypted using the Amazon managed key (`aws/secretsmanager`) or a customer managed key that was created in Amazon Key Management Service (Amazon KMS). The rule is COMPLIANT if a secret is encrypted using a customer managed key. This rule is NON\_COMPLIANT if a secret is encrypted using `aws/secretsmanager`. 

**Note**  
This rule does not have access to cross-account customer managed keys and evaluates secrets as NON\_COMPLIANT when a cross-account key is used.

**Identifier:** SECRETSMANAGER\_USING\_CMK

**Resource Types:** AWS::SecretsManager::Secret

**Trigger type:** Configuration changes

**Amazon Web Services Region:** All supported Amazon regions

**Parameters:**

kmsKeyArns (Optional)Type: CSV  
Comma-separated list of KMS key Amazon Resource Names (ARNs) to check if the keys are used in the encryption.

## Amazon CloudFormation template
<a name="w2aac20c16c17b7e1495c19"></a>

To create Amazon Config managed rules with Amazon CloudFormation templates, see [Creating Amazon Config Managed Rules With Amazon CloudFormation Templates](aws-config-managed-rules-cloudformation-templates.md).