Query: Secrets Manager secrets should be encrypted using CMK

Description

Ensure that all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is compliant if a secret is encrypted using a customer managed key. This rule is non-compliant if a secret is encrypted using aws/secretsmanager.

Query

Tables used in this query:

• aws_kms_key
• aws_secretsmanager_secret

Controls using this query:

• Secrets Manager secrets should be encrypted using CMK

SQL