
[BUG] sra/macie_org_delivery_key_arn and sra/guardduty_org_delivery_key_arn should be in SSM not Secrets Manager #262

Closed
lukenny opened this issue Sep 12, 2024 · 1 comment
Labels
bug Something isn't working

Comments


lukenny commented Sep 12, 2024

Describe the bug

These ARNs should be in SSM Param Store, not Secrets Manager. If they're in Secrets Manager, it triggers this AWS Config security control: "SecretsManager.4 Secrets Manager secrets should be rotated within a specified number of days".

Control description: This Control checks whether an AWS Secrets Manager secret is rotated at least once within the specified time frame. The Control fails if a secret isn't rotated at least this frequently. Unless you provide a custom parameter value for the rotation period, Security Hub uses a default value of 90 days.

sra/macie_org_delivery_key_arn

sra/guardduty_org_delivery_key_arn

To Reproduce

Steps to reproduce the behavior:

N/A

Expected behavior

These ARNs are not secrets; they should be in SSM Param Store.

arn:aws:kms:us-west-2::key/xxxxxxxx-1234-xxxx-xxxx-xxxxxxxxxxxx

Screenshots

N/A

Deployment Environment (please complete the following information)

N/A

Additional context

Add any other context about the problem here.

lukenny added the bug label Sep 12, 2024

boueya (Contributor) commented Jan 16, 2025

Hey @lukenny,
Thanks for bringing this to our attention.

While we do believe that an SSM parameter would serve as a better storage method for these KMS ARNs, the current infrastructure design for this package requires us to share these ARNs across AWS accounts. This can be done with Advanced Tier SSM Parameters, but there will be trade-offs that we're not currently ready to make.

Our plan will be to add this task as a backlog item and revisit it as a part of a larger upcoming refactor to the SRA. In the meantime, since these Secrets only store ARNs and pose no security risk, we recommend that you suppress these Security Hub findings.

IevIe closed this as completed Jan 16, 2025
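The two options discussed in the comment above, shown as an added CloudFormation example that is not part of the SRA project's own templates: the Advanced-tier SSM parameter shared across the organization through AWS RAM (the storage method the maintainer describes), and a Security Hub automation rule that suppresses SecretsManager.4 only for the two SRA secrets rather than for the whole control. The parameter name with a leading slash, the `OrganizationArn` input, and consolidated control findings (GeneratorId `security-control/<ControlId>`) are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, not SRA code. Advanced-tier SSM parameter shared via RAM, plus a narrowly scoped SecretsManager.4 suppression.
Parameters:
  MacieDeliveryKeyArn:
    Type: String   # KMS key ARN produced elsewhere by the Macie deployment
  OrganizationArn:
    Type: String   # arn:aws:organizations::<mgmt-acct>:organization/o-... (assumed input)
Resources:
  # Alternative to the Secrets Manager secret: only Advanced-tier parameters can be shared via RAM.
  MacieDeliveryKeyArnParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /sra/macie_org_delivery_key_arn  # leading slash assumed (hierarchical names need one)
      Type: String
      Tier: Advanced
      Value: !Ref MacieDeliveryKeyArn
  # Share the parameter org-wide; requires RAM sharing with AWS Organizations to be enabled.
  MacieDeliveryKeyArnShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: sra-macie-org-delivery-key-arn
      AllowExternalPrincipals: false
      Principals:
        - !Ref OrganizationArn
      ResourceArns:
        - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${MacieDeliveryKeyArnParam}
  # Suppression scoped to the two SRA secrets only, not to the whole control.
  # Deploy in the account/region where the secrets (and therefore the findings) live.
  SuppressSecretsManager4ForSraKeyArns:
    Type: AWS::SecurityHub::AutomationRule
    Properties:
      RuleName: sra-suppress-secretsmanager4-kms-arn-secrets
      RuleOrder: 10
      Description: SecretsManager.4 suppressed only for SRA secrets that hold KMS key ARNs
      Criteria:
        GeneratorId:
          - Comparison: EQUALS
            Value: security-control/SecretsManager.4
        ResourceId:   # PREFIX because Secrets Manager appends a random suffix to secret ARNs
          - Comparison: PREFIX
            Value: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:sra/macie_org_delivery_key_arn
          - Comparison: PREFIX
            Value: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:sra/guardduty_org_delivery_key_arn
      Actions:
        - Type: FINDING_FIELDS_UPDATE
          FindingFieldsUpdate:
            Workflow:
              Status: SUPPRESSED
            Note:
              Text: Secret stores only a KMS key ARN; see SRA issue 262
              UpdatedBy: sra-automation-rule
```

Matching on ResourceId keeps every other Secrets Manager secret subject to the rotation check, and the note on the finding records why these two were suppressed.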