Have a way of encrypting in the yaml with kms_id

[jon-shanks]

would be good for secrets to be able to be encrypted with a defined kms_id and decrypted where necessary i.e.

kms_id: 'key id here'

dev:
some_secret: enc("BASE64 ENCODED SECRET")

So that we can hold specific things in the yaml i.e. root_rds_password or whatnot.

[vaijab]

That's definitely a good idea.

[cob16]

Given you want to use KMS to do this would it be better to use parameter store to store something like this?

If so you can get CF to resolve the secret from parameter store directly
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm