#
#####################################
##           Gherkin               ##
#####################################
#
# Rule Identifier:
#    SECRETSMANAGER_USING_CMK
#
# Description:
#   Checks if all secrets in AWS Secrets Manager are encrypted using a customer managed key that was created in AWS Key Management Service (AWS KMS).
#
# Reports on:
#    AWS::SecretsManager::Secret
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no Secrets Manager Secret resources
# b) PASS: when all Secrets Manager Secrets have an associated customer managed CMK
# c) FAIL: when any Secrets Manager Secrets is missing an associated customer managed CMK
# d) SKIP: when metada has rule suppression for SECRETSMANAGER_USING_CMK

#
# Select all AWS::SageMaker::EndpointConfig resources from incoming template (payload)
#
let aws_secretsmanager_secret_cmk = Resources.*[ Type == "AWS::SecretsManager::Secret"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "SECRETSMANAGER_USING_CMK"
]



rule SECRETSMANAGER_USING_CMK when %aws_secretsmanager_secret_cmk !empty {
  %aws_secretsmanager_secret_cmk.Properties.KmsKeyId exists
  %aws_secretsmanager_secret_cmk.Properties.KmsKeyId not in ["alias/aws/secretsmanager"]
  <<
    Violation: AWS Secrets Manager secrets are encrypted using an AWS KMS customer managed key
    Fix: Set the KmsKeyId property
  >>
}