By default, secrets manager secrets are encrypted using the AWS-managed key aws/secretsmanager. It is best practice to explicitly provide a customer managed key to use instead.