
Rule: Secrets Manager secrets with automatic rotation must rotate successfully

This rule ensures that Secrets Manager secrets configured for automatic rotation are rotating successfully.

Rule: Secrets Manager secrets configured with automatic rotation should rotate successfully
Framework: AWS Foundational Security Best Practices
Severity: Medium

AWS Foundational Security Best Practices - Rule Description

This rule ensures that AWS Secrets Manager secrets configured with automatic rotation actually rotate on schedule, as recommended by AWS Foundational Security Best Practices (AWS Security Hub evaluates it as control SecretsManager.2). Secrets Manager is the AWS service for storing and distributing sensitive values such as API keys, database credentials and other application secrets.

Secrets Manager can rotate a secret automatically by invoking a Lambda function on a schedule you set. Rotation bounds the time a leaked or mishandled credential stays valid, but only if it completes: a rotation that fails leaves the old value in use indefinitely while the console still reports rotation as enabled, so the failure can go unnoticed for as long as the schedule. This rule looks past the "rotation enabled" flag and checks that each scheduled rotation has succeeded. Secrets without rotation enabled are out of its scope; they are covered by the separate rule that requires rotation to be enabled.
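As an added example, not code from the original page or from the Cloud Defense product, the following Python evaluates this rule against the dictionaries that boto3's secretsmanager.describe_secret() returns. The secret names, dates and version IDs in it are constructed samples; the one-day grace period and the treatment of a lone AWSPENDING version as a failed rotation are this example's own assumptions. It flags a secret when its rotation is overdue against its own schedule or when a rotation started but never finished, and it skips secrets that do not have rotation enabled, which is the same scoping the rule uses.

```python
from datetime import datetime, timedelta, timezone

# Grace added on top of the schedule before a secret counts as overdue
# (assumption for this example; rotation windows can run past the nominal date).
GRACE = timedelta(days=1)


def evaluate_secret(secret, now):
    """Evaluate one describe_secret() response.

    Returns (status, reason) with status NOT_APPLICABLE (rotation off),
    PASS, FAIL or UNKNOWN (no schedule data to compare against).
    """
    if not secret.get("RotationEnabled"):
        return "NOT_APPLICABLE", "automatic rotation is not configured"

    # A version labelled AWSPENDING but not AWSCURRENT means a rotation started
    # and never reached finishSecret. It is normal for a short time while a
    # rotation is in flight, so confirm with list_secret_version_ids() before acting.
    for version_id, stages in secret.get("VersionIdsToStages", {}).items():
        if "AWSPENDING" in stages and "AWSCURRENT" not in stages:
            return "FAIL", f"version {version_id} is stuck at AWSPENDING"

    last = secret.get("LastRotatedDate")
    if last is None:
        return "FAIL", "rotation is enabled but the secret has never rotated"

    # Prefer the service's own NextRotationDate; fall back to LastRotatedDate
    # plus the configured AutomaticallyAfterDays interval.
    next_due = secret.get("NextRotationDate")
    interval_days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if next_due is not None:
        deadline = next_due + GRACE
    elif interval_days is not None:
        deadline = last + timedelta(days=interval_days) + GRACE
    else:
        return "UNKNOWN", "no NextRotationDate or day interval to compare against"

    if now > deadline:
        return "FAIL", f"last rotated {last.date()}, deadline {deadline.date()} has passed"
    return "PASS", f"last rotated {last.date()}, next deadline {deadline.date()}"


def audit(secrets, now=None):
    """Map each secret's Name to its (status, reason)."""
    now = now or datetime.now(timezone.utc)
    return {s["Name"]: evaluate_secret(s, now) for s in secrets}


# Constructed sample describe_secret() responses; the names, dates and
# version IDs are made up for this example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {   # healthy: 30-day schedule, rotated 10 days ago
        "Name": "prod/db/app-user",
        "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 30},
        "LastRotatedDate": NOW - timedelta(days=10),
        "NextRotationDate": NOW + timedelta(days=20),
        "VersionIdsToStages": {"v1": ["AWSPREVIOUS"], "v2": ["AWSCURRENT"]},
    },
    {   # overdue: 30-day schedule, last rotation 45 days ago
        "Name": "prod/api/partner-key",
        "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 30},
        "LastRotatedDate": NOW - timedelta(days=45),
        "VersionIdsToStages": {"v1": ["AWSCURRENT"]},
    },
    {   # failed mid-rotation: the pending version was never promoted
        "Name": "prod/db/reporting",
        "RotationEnabled": True,
        "RotationRules": {"AutomaticallyAfterDays": 7},
        "LastRotatedDate": NOW - timedelta(days=2),
        "NextRotationDate": NOW + timedelta(days=5),
        "VersionIdsToStages": {"v1": ["AWSCURRENT"], "v2": ["AWSPENDING"]},
    },
    {   # rotation never turned on: outside this rule's scope
        "Name": "dev/static-token",
        "RotationEnabled": False,
        "VersionIdsToStages": {"v1": ["AWSCURRENT"]},
    },
]

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_SECRETS, NOW).items():
        print(f"{status:15}{name}: {reason}")
```

To run it against a real account, replace SAMPLE_SECRETS with the results of paginating list_secrets() and calling describe_secret() on each one; evaluate_secret() works unchanged on the live responses.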

Troubleshooting Steps

If you encounter issues with the automatic rotation of Secrets Manager secrets, follow these steps to troubleshoot:

  1. Check the rotation configuration: Secrets Manager has no separate rotation scheduler; the schedule is part of the secret itself. Verify that rotation is enabled on the secret, that the rotation rules (a day interval or a schedule expression) match what you intend, and that the rotation Lambda ARN points at the function you expect. From the CLI, aws secretsmanager describe-secret shows RotationEnabled, RotationLambdaARN, RotationRules, LastRotatedDate and NextRotationDate.

  2. Check the Lambda function: Review the rotation function and the two sets of permissions it depends on. Its execution role needs the Secrets Manager actions the rotation steps use (DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage and, if it generates passwords, GetRandomPassword) plus whatever access the target system needs to accept the new credential. Separately, the function's resource-based policy must allow the secretsmanager.amazonaws.com service principal to invoke it; without that statement Secrets Manager cannot start the rotation at all. If the function runs inside a VPC, confirm it can reach both the target database or service and the Secrets Manager endpoint. Finally, read the function code for errors in the createSecret, setSecret, testSecret and finishSecret steps.

  3. Verify the secret's configuration and contents: Confirm that the secret is marked for automatic rotation with the schedule you want, then check what the function will actually work with. The current secret value must still be valid for the target system (a database user whose password was changed out of band fails the setSecret step), and the version labels should look sane: a version left at AWSPENDING with no AWSCURRENT label on it is the signature of a rotation that started and never finished.

  4. Inspect logging and monitoring: CloudTrail records Secrets Manager API calls such as RotateSecret by default, and Secrets Manager also writes non-API rotation events (RotationStarted, RotationSucceeded, RotationFailed and RotationAbandoned) to CloudTrail, so filter on event source secretsmanager.amazonaws.com and the secret's ARN to find each attempt and its outcome. The rotation function's own output lands in its CloudWatch Logs group (/aws/lambda/<function-name>); that is where the exception from a failed step is recorded.

Necessary Codes

The following code configures rotation on a secret, or triggers an immediate rotation of a secret that already has rotation configured, which lets you test a fix without waiting for the next scheduled run:

Solution Code:

import boto3
from botocore.exceptions import ClientError

def enable_secret_rotation(secret_name, rotation_lambda_arn=None, rotate_after_days=None):
    # With a Lambda ARN and interval this configures rotation and starts the first run; without them it triggers a rotation that is already configured.
    client = boto3.client("secretsmanager")
    params = {"SecretId": secret_name}
    if rotation_lambda_arn:
        params["RotationLambdaARN"] = rotation_lambda_arn
    if rotate_after_days:
        params["RotationRules"] = {"AutomaticallyAfterDays": rotate_after_days}
    try:
        return client.rotate_secret(**params)
    except ClientError as err:  # e.g. missing RotateSecret permission, or Secrets Manager cannot invoke the Lambda
        raise SystemExit(f"rotate_secret failed for {secret_name}: {err}")

secret_name = "your-secret-name"
rotation_lambda_arn = "arn:aws:lambda:<region>:<account-id>:function:<rotation-function>"
response = enable_secret_rotation(secret_name, rotation_lambda_arn, rotate_after_days=30)
print(response["VersionId"])  # the version Secrets Manager is now rotating to

Explanation:

The code above uses the AWS SDK for Python (Boto3) to call rotate_secret on the secret named by "secret_name". Given a rotation Lambda ARN and rotation rules, rotate_secret attaches them to the secret and starts the first rotation; called with only the secret ID on a secret that already has rotation configured, it starts a rotation immediately, which is the quickest way to reproduce a failure. Note that the call returns as soon as Secrets Manager has scheduled the rotation; the Lambda then runs asynchronously, so a successful return is not proof that the rotation succeeded. Check describe_secret afterwards: the rotation is complete when the new version carries the AWSCURRENT label and no version remains at AWSPENDING.

Step-by-Step Guide for Remediation

To remediate any issues with the automatic rotation of Secrets Manager secrets, follow these steps:

  1. Verify the rotation configuration: Confirm that rotation is enabled on the secret and scheduled as you intend by checking it in the AWS Management Console.

    • Open the Secrets Manager console.
    • Select "Secrets" from the left navigation pane.
    • Choose the secret that requires rotation.
    • In the "Rotation configuration" section, confirm that rotation is enabled, that the interval or schedule expression is what you expect, and that the rotation Lambda function listed is the one you maintain. The last rotated and next rotation dates tell you whether the schedule is being met.
  2. Validate permissions: Ensure that the rotation Lambda function is allowed to act on the secret, and that Secrets Manager is allowed to invoke the function.

    • Open the AWS Identity and Access Management (IAM) console.
    • Navigate to "Roles" from the left navigation pane.
    • Search for and select the execution role of the Lambda function used for rotation.
    • Review the role's permissions: it needs secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue and UpdateSecretVersionStage on this secret (plus GetRandomPassword if it generates passwords), and access to the target system.
    • Then open the Lambda console, select the rotation function, and under "Configuration" > "Permissions" check the resource-based policy for a statement that allows lambda:InvokeFunction to the secretsmanager.amazonaws.com service principal. Without it Secrets Manager cannot start the rotation.
  3. Test the rotation: Execute the code snippet under "Necessary Codes" in your preferred Python environment, then describe the secret again. A rotation is only successful once the new version carries the AWSCURRENT label and no version is left at AWSPENDING; the API call returning without error only means the rotation was scheduled.
  4. Review CloudTrail logs: CloudTrail records Secrets Manager management events without extra configuration; use them to find the rotation attempt and its outcome.

    • Open the CloudTrail console.
    • Choose "Event history" from the left navigation pane.
    • Filter by event source secretsmanager.amazonaws.com, or by resource name using the secret's ARN.
    • Look for the RotationStarted event closest to the failure and the RotationFailed, RotationAbandoned or RotationSucceeded event that followed it; a failure event carries the error that stopped the rotation.
  5. Use CloudWatch Logs: Read the rotation function's own log output to see which step failed.

    • Open the CloudWatch console.
    • Select "Logs" and then "Log groups" from the left navigation pane.
    • Choose the log group of the rotation function (/aws/lambda/<function-name>).
    • Open the log stream from the time of the failed rotation and look for the exception raised in the createSecret, setSecret, testSecret or finishSecret step.
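The troubleshooting steps and the remediation steps above both come down to the same two pieces of evidence: the rotation events Secrets Manager writes to CloudTrail, and whether the rotation function's resource-based policy lets Secrets Manager invoke it. As an added example, not code from the original page or from the Cloud Defense product, the following Python checks both offline. The CloudTrail records, ARNs, account ID, timestamps and error text are constructed samples; the assumption that additionalEventData.SecretId carries the secret ARN and the comparison of eventTime as ISO-8601 strings are this example's own. The policy check mirrors the permission that aws lambda add-permission --principal secretsmanager.amazonaws.com --action lambda:InvokeFunction creates.

```python
import json

ROTATION_EVENTS = {"RotationStarted", "RotationSucceeded", "RotationFailed", "RotationAbandoned"}
SM_PRINCIPAL = "secretsmanager.amazonaws.com"


def last_rotation_outcome(records, secret_arn):
    """Newest rotation event for secret_arn as (eventName, eventTime, errorMessage),
    or None. `records` are CloudTrail event documents (the CloudTrailEvent JSON of
    lookup_events(), already parsed). Assumed: additionalEventData.SecretId holds
    the secret ARN, and eventTime sorts correctly as an ISO-8601 string."""
    matches = [
        r for r in records
        if r.get("eventSource") == SM_PRINCIPAL
        and r.get("eventName") in ROTATION_EVENTS
        and r.get("additionalEventData", {}).get("SecretId") == secret_arn
    ]
    if not matches:
        return None
    newest = max(matches, key=lambda r: r["eventTime"])
    return newest["eventName"], newest["eventTime"], newest.get("errorMessage")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def secretsmanager_can_invoke(policy_json, function_arn):
    """True if the Lambda resource policy (lambda.get_policy()["Policy"]) has an
    Allow statement letting the Secrets Manager service principal invoke function_arn."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if (stmt.get("Effect") == "Allow"
                and SM_PRINCIPAL in services
                and any(a in ("lambda:InvokeFunction", "lambda:*") for a in actions)
                and any(r in (function_arn, "*") for r in resources)):
            return True
    return False


def diagnose(records, policy_json, secret_arn, function_arn):
    """Run both checks; returns a list of findings (empty means nothing found)."""
    findings = []
    outcome = last_rotation_outcome(records, secret_arn)
    if outcome is None:
        findings.append("no rotation events in CloudTrail for this secret; rotation was never started")
    else:
        name, when, err = outcome
        if name != "RotationSucceeded":
            findings.append(f"last rotation event {name} at {when}: {err or 'no error message'}")
    if not secretsmanager_can_invoke(policy_json, function_arn):
        findings.append(
            f"{SM_PRINCIPAL} is not allowed to invoke {function_arn}; grant it with "
            f"aws lambda add-permission --principal {SM_PRINCIPAL} --action lambda:InvokeFunction"
        )
    return findings


# Constructed samples: ARNs, account ID, timestamps and the error text are made up.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/app-user-AbCdEf"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:RotateAppUser"
SAMPLE_RECORDS = [
    {"eventSource": SM_PRINCIPAL, "eventName": "RotationStarted", "eventTime": "2024-06-01T02:00:00Z",
     "additionalEventData": {"SecretId": SECRET_ARN}},
    {"eventSource": SM_PRINCIPAL, "eventName": "RotationFailed", "eventTime": "2024-06-01T02:00:07Z",
     "additionalEventData": {"SecretId": SECRET_ARN},
     "errorMessage": "constructed sample: the rotation Lambda could not be invoked"},
    {"eventSource": SM_PRINCIPAL, "eventName": "GetSecretValue", "eventTime": "2024-06-01T03:00:00Z",
     "requestParameters": {"secretId": SECRET_ARN}},  # an API call, not a rotation event
]
POLICY_MISSING = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowDeployer", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deployer"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]})
POLICY_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "SecretsManagerAccess", "Effect": "Allow",
     "Principal": {"Service": SM_PRINCIPAL},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]})

if __name__ == "__main__":
    for label, policy in (("before fix", POLICY_MISSING), ("after fix", POLICY_FIXED)):
        print(label)
        for finding in diagnose(SAMPLE_RECORDS, policy, SECRET_ARN, FUNCTION_ARN):
            print("  -", finding)
```

Against a live account, feed last_rotation_outcome() the parsed CloudTrailEvent documents from cloudtrail.lookup_events() filtered on EventSource secretsmanager.amazonaws.com, and feed secretsmanager_can_invoke() the Policy string from lambda.get_policy(FunctionName=...); the function raises ResourceNotFoundException when no resource policy exists at all, which is the same finding.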

By following these steps, you can ensure that Secrets Manager secrets configured with automatic rotation rotate successfully, helping to comply with the AWS Foundational Security Best Practices.
