Rule: Secrets Manager Secrets Should Have Automatic Rotation Enabled

This rule checks that every Secrets Manager secret has automatic rotation enabled, so that a credential which leaks has a bounded lifetime instead of remaining valid until someone notices.

Rule: Secrets Manager secrets should have automatic rotation enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

AWS Secrets Manager stores and manages secrets such as database credentials, API keys, and other sensitive values. Automatic rotation replaces the stored credential on a schedule: Secrets Manager invokes a rotation function (an AWS Lambda function, or managed rotation for secrets owned by a supporting AWS service) that creates a new credential, sets it on the target service, tests it, and then moves the AWSCURRENT staging label to the new version. Without rotation, a credential that leaks through a log, a repository, or a compromised host stays valid indefinitely; with rotation its usefulness to an attacker is bounded by the rotation interval. AWS Foundational Security Best Practices therefore expects rotation to be enabled on every secret, and this rule flags secrets where it is not.

Troubleshooting Steps (if applicable):

If automatic rotation is not enabled for a secret, or is enabled but not completing, work through these checks:

  1. Confirm that the secret is stored in Secrets Manager and that rotation is appropriate for it. A third-party API key whose provider offers no way to issue a replacement cannot be rotated automatically; document such exceptions rather than silently skipping them.
  2. Check the rotation schedule. Secrets Manager schedules rotation either as a fixed number of days (AutomaticallyAfterDays) or as a cron or rate expression (ScheduleExpression). The rotation itself is carried out by the Lambda rotation function attached to the secret, or by managed rotation for secrets owned by a supporting AWS service.
  3. Ensure the permissions are in place on both sides. The rotation function's execution role needs secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue and UpdateSecretVersionStage on the secret and secretsmanager:GetRandomPassword (plus kms:Decrypt and kms:GenerateDataKey if the secret is encrypted with a customer managed KMS key), and the function's resource-based policy must allow the secretsmanager.amazonaws.com service principal to invoke it. A function that must reach a database inside a VPC also needs the VPC configuration and security group rules that let it connect.
  4. Check the rotation function's CloudWatch Logs for errors. A rotation that fails part-way leaves a version carrying the AWSPENDING label; the function is expected to resume from that state on the next attempt.
  5. Validate that rotation completes (the secret's last-rotated date advances and a future next-rotation date is shown) and that the new value reaches its consumers. Applications should fetch the AWSCURRENT version at use time, or use the Secrets Manager caching client, rather than reading a copy captured at deploy time.
  6. Fix any failure point identified by adjusting the rotation function or the configuration, then trigger a rotation manually (for example with `aws secretsmanager rotate-secret`) to confirm the fix before relying on the schedule.

Necessary Codes (if applicable):

This page does not prescribe specific code. Rotation is configured through the Secrets Manager console, the AWS CLI (`aws secretsmanager rotate-secret`), or the API (`RotateSecret`).

Step-by-Step Guide for Remediation:

Follow these steps to enable automatic rotation for a Secrets Manager secret:

  1. Open the AWS Management Console and navigate to Secrets Manager.

  2. Select the secret that needs automatic rotation from the list.

  3. On the secret's details page, open the "Rotation" section and click "Edit rotation".

  4. Turn on "Automatic rotation".

  5. Choose the rotation schedule: a fixed number of days, or a cron expression when rotation must happen inside a specific window such as a maintenance period.

  6. Choose the rotation function: create a new Lambda function from one of the AWS-provided templates or select an existing one. Secrets whose rotation is managed by the owning AWS service (managed rotation) do not use a Lambda function; for those you only set the schedule.

  7. Decide whether the secret should be rotated immediately when you save. Immediate rotation replaces the current credential right away, so choose it only if every consumer of the secret retrieves it dynamically; otherwise the first rotation runs at the next scheduled window and Secrets Manager only tests the rotation function on save.

  8. Click "Save".

  9. Validate the change on the secret's details page: the rotation configuration should show the schedule and function, and after the first rotation the last-rotated date should update. If it does not, check the rotation function's CloudWatch Logs.

  10. Make sure applications and services that use the secret read it at runtime (the AWSCURRENT version) rather than from a copy baked into configuration, so that each rotation reaches them without a redeploy.

By following these steps you will have enabled automatic rotation for the secret, in line with AWS Foundational Security Best Practices.
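The check described in the troubleshooting section and the remediation in the step-by-step guide can both be scripted. The following is an added example, not code from the page or from Cloud Defense: it audits a list of secrets in the shape returned by `aws secretsmanager list-secrets`, flags those with rotation disabled and, as a practitioner would also want, those where rotation is enabled but overdue (a sign the rotation function is failing), and builds the parameters for the `RotateSecret` call that enables rotation. The sample secrets, ARNs, function names and dates are constructed for the example; the optional `live_audit` function is an assumption about how you would run this against a real account with boto3 and is not called unless you pass `--live`.

```python
"""Audit Secrets Manager secrets for automatic rotation and build the
remediation call. Added example; runs offline on constructed sample data."""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on SecretList entries from `list-secrets`
# (only the fields this check reads). Dates are fixed so the audit is
# deterministic; boto3 returns LastRotatedDate as a tz-aware datetime.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNT = "123456789012"  # constructed account id
SAMPLE_SECRETS = [
    {   # compliant: rotation on, last rotated inside its 30-day window
        "ARN": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/db-AbCdEf",
        "Name": "prod/db",
        "RotationEnabled": True,
        "RotationLambdaARN": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:rotate-db",
        "RotationRules": {"AutomaticallyAfterDays": 30},
        "LastRotatedDate": NOW - timedelta(days=10),
    },
    {   # non-compliant: rotation was never configured
        "ARN": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/api-key-GhIjKl",
        "Name": "prod/api-key",
        "RotationEnabled": False,
    },
    {   # rotation on but overdue: the rotation function is probably failing
        "ARN": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/cache-MnOpQr",
        "Name": "prod/cache",
        "RotationEnabled": True,
        "RotationLambdaARN": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:rotate-cache",
        "RotationRules": {"AutomaticallyAfterDays": 7},
        "LastRotatedDate": NOW - timedelta(days=20),
    },
]


def audit_secret(secret, now=NOW):
    """Return a finding for one SecretList entry, or None if it passes.

    The control itself only requires RotationEnabled; the overdue check is
    an extra signal that rotation is configured but not completing. Secrets
    scheduled with a cron ScheduleExpression have no AutomaticallyAfterDays
    and are only checked for RotationEnabled here.
    """
    if not secret.get("RotationEnabled"):
        return "rotation disabled"
    days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    last = secret.get("LastRotatedDate")
    if days and last and now - last > timedelta(days=days):
        return f"rotation enabled but overdue ({(now - last).days} days since last rotation)"
    return None


def audit(secrets, now=NOW):
    """Map secret name -> finding for every secret that fails the check."""
    findings = {}
    for secret in secrets:
        finding = audit_secret(secret, now)
        if finding:
            findings[secret["Name"]] = finding
    return findings


def rotate_secret_params(secret_arn, rotation_lambda_arn, every_days, rotate_now=False):
    """Parameters for RotateSecret (boto3 `rotate_secret`, CLI `rotate-secret`).

    rotate_now=True replaces the current credential immediately, which breaks
    any consumer holding a cached copy; the default leaves the first rotation
    to the next scheduled window and only tests the function on enable.
    """
    return {
        "SecretId": secret_arn,
        "RotationLambdaARN": rotation_lambda_arn,
        "RotationRules": {"AutomaticallyAfterDays": every_days},
        "RotateImmediately": rotate_now,
    }


def live_audit(region=None):
    """Assumed live path: page through real secrets with boto3 (needs credentials)."""
    import boto3  # imported here so the offline example has no dependency
    client = boto3.client("secretsmanager", region_name=region)
    entries = []
    for page in client.get_paginator("list_secrets").paginate():
        entries.extend(page["SecretList"])
    return audit(entries, now=datetime.now(timezone.utc))


if __name__ == "__main__":
    results = live_audit() if "--live" in sys.argv else audit(SAMPLE_SECRETS)
    for name, why in results.items():
        print(f"FAIL {name}: {why}")
    if not results:
        print("all secrets pass")
```

Run it without arguments to see the two findings from the sample data; the `rotate_secret_params` output can be passed straight to `boto3.client("secretsmanager").rotate_secret(**params)` for a secret that fails with "rotation disabled", after the Lambda and its permissions from the troubleshooting section are in place.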
