AWS Secrets Manager Secrets Encrypted with Amazon KMS CMKs


Amazon Secrets Manager is a service that helps centrally manage sensitive information such as database credentials, API keys, OAuth tokens, and more. By default, Secrets Manager encrypts these secrets using the service's default AWS managed KMS key. However, for additional control and auditability, it's recommended to use customer-managed KMS Customer Master Keys (CMKs) to encrypt these secrets. This ensures that you have full control over the cryptographic operations and access to the keys used for encrypting and decrypting the secrets.


1. Encrypt Secrets Manager Secrets using KMS CMKs:

AWS Management Console:
  • Navigate to the KMS service in the AWS Console.

  • Click on Create key and follow the key creation process to create a CMK.

  • Note down the ARN or alias of the created CMK.

  • Navigate to the Secrets Manager service.

  • When creating a new secret or updating an existing one, under the Encryption key section, select the CMK you created instead of the default AWS managed key.


First, create a KMS CMK:

aws kms create-key --description "Secrets Manager Encryption Key"

Get the ARN from the output.

When creating a secret in Secrets Manager with a specific KMS key:

aws secretsmanager create-secret --name YOUR_SECRET_NAME --secret-string 'YOUR_SECRET_VALUE' --kms-key-id YOUR_CMK_ARN

Replace placeholders (YOUR_SECRET_NAME, YOUR_SECRET_VALUE, and YOUR_CMK_ARN) with appropriate values.


If you're using Terraform:

resource "aws_kms_key" "secrets_encryption" {
  description = "Secrets Manager Encryption Key"

resource "aws_secretsmanager_secret" "example" {
  name        = "YOUR_SECRET_NAME"
  kms_key_id  = aws_kms_key.secrets_encryption.arn
  # ... other configurations ...

Replace the placeholder YOUR_SECRET_NAME with the desired secret name.


For enhanced security and control over your sensitive data, always consider using customer-managed KMS keys to encrypt secrets in Secrets Manager. Using customer-managed CMKs provides additional features such as key rotation, detailed audit via AWS CloudTrail, and fine-grained access control through KMS key policies. Regularly review the access to your KMS keys and rotate them as part of your security best practices. By integrating Secrets Manager with KMS, you ensure that sensitive information like API keys, database credentials, and other secrets are stored securely and are only accessible by authorized entities.