
Remove Unused Secrets Manager Secrets Rule

This rule focuses on removing any unused Secrets Manager secrets to enhance security.

Rule: Remove unused Secrets Manager secrets
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description

The rule "Remove unused Secrets Manager secrets" is part of the AWS Foundational Security Best Practices. It checks that unused or unnecessary Secrets Manager secrets are removed from your AWS account. Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without the upfront investment or ongoing costs of operating your own secrets infrastructure.

Unused secrets are a security risk because they may still hold sensitive material such as passwords, tokens, and database credentials that nobody is monitoring or rotating. Removing them reduces the attack surface and helps maintain a more secure environment.

Troubleshooting Steps

If this rule is not compliant, you can follow these troubleshooting steps to resolve the issue:

1. Identify the unused Secrets Manager secrets: Review the Secrets Manager console or use the AWS Command Line Interface (CLI) to identify the secrets that are not in use. Confirm that these secrets are no longer needed before proceeding with the removal.

2. Confirm the impact of removing the secrets: Before removing any secret, verify whether it is still required by any application, service, or resource. Coordinate with the respective owners or stakeholders to ensure there are no dependencies on the secret.

3. Update applications and resources: If any application or resource still relies on a secret you plan to remove, update it to use an alternate method of credential management. This may involve updating application configurations, environment variables, or adopting another secret management approach.

4. Take backups or create new secrets if necessary: If you need to retain the secret's information for auditing or historical purposes, take a backup or create a new secret with the necessary access controls to store the information securely.

5. Remove the unused Secrets Manager secrets: Run the necessary AWS CLI commands to delete the unused secrets. Ensure that you have the required permissions to perform this action.

Necessary Codes

There are no specific codes associated with this rule as it relies on reviewing and managing Secrets Manager secrets using the AWS Management Console or the AWS CLI.

Step-by-Step Guide for Remediation

Follow these steps to remediate the non-compliant issue of the "Remove unused Secrets Manager secrets" rule:

1. Identify unused Secrets Manager secrets

   • Open the AWS Management Console.
   • Navigate to the Secrets Manager service page.
   • Review the list of secrets and identify those that are not in use, or have become obsolete or redundant.

2. Confirm the impact of removing the secrets

   • Coordinate with the respective owners or stakeholders to verify that the identified secrets are no longer required for any applications, services, or resources.
   • Document any dependencies or potential impact associated with removing the secrets.

3. Update applications and resources

   • Modify or update the applications, services, or resources that rely on the secrets you intend to remove.
   • Implement alternative methods for credential management, such as AWS Identity and Access Management (IAM) roles, AWS Systems Manager Parameter Store, or other secure storage options.

4. Take backups or create new secrets if necessary

   • If required for auditing or historical purposes, take backups of the secret information or create new secrets to retain the data securely with the necessary access controls.

5. Remove the unused Secrets Manager secrets

   • Use the AWS CLI with appropriate permissions or navigate to the Secrets Manager console.
   • Locate the unused secrets identified in step 1.
   • Select the secret and choose the option to delete it.
   • Confirm the deletion when prompted.
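The following script is an added example for steps 1 and 5, not code from the page or from AWS. It reads the JSON that `aws secretsmanager list-secrets` prints, flags secrets whose last access (or, if never accessed, creation) is older than an assumed 90-day window (the page gives no threshold), skips secrets already scheduled for deletion, and prints `delete-secret` commands that keep the default 30-day recovery window so an owner can still restore a secret that turns out to be needed. The sample payload is constructed.

```python
"""Flag Secrets Manager secrets unused for longer than a threshold (added example)."""
import json
import sys
from datetime import datetime, timedelta, timezone

# Assumed threshold; the page states no number, 90 days is a placeholder.
UNUSED_AFTER_DAYS = 90


def find_unused_secrets(list_secrets_json, now, unused_after_days=UNUSED_AFTER_DAYS):
    """Return the names of secrets not accessed since the cutoff, sorted.

    A secret with no LastAccessedDate counts as unused only if it was created
    before the cutoff (a brand-new secret may simply not be wired up yet).
    Secrets with DeletedDate set are already scheduled for deletion and skipped.
    `now` may be an aware datetime or an ISO 8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=unused_after_days)
    unused = []
    for secret in list_secrets_json["SecretList"]:
        if secret.get("DeletedDate"):
            continue
        last_used = secret.get("LastAccessedDate") or secret["CreatedDate"]
        if datetime.fromisoformat(last_used) < cutoff:
            unused.append(secret["Name"])
    return sorted(unused)


def delete_command(secret_name, recovery_window_days=30):
    """Build the CLI call; the recovery window keeps the secret restorable."""
    return ["aws", "secretsmanager", "delete-secret", "--secret-id", secret_name,
            "--recovery-window-in-days", str(recovery_window_days)]


# Constructed sample in the shape of `aws secretsmanager list-secrets` output.
SAMPLE = {"SecretList": [
    {"Name": "prod/db/password", "CreatedDate": "2023-01-10T00:00:00+00:00",
     "LastAccessedDate": "2024-05-30T00:00:00+00:00"},
    {"Name": "legacy/api-token", "CreatedDate": "2022-06-01T00:00:00+00:00",
     "LastAccessedDate": "2023-11-02T00:00:00+00:00"},
    {"Name": "staging/never-used", "CreatedDate": "2023-08-15T00:00:00+00:00"},
    {"Name": "new/onboarding", "CreatedDate": "2024-05-25T00:00:00+00:00"},
    {"Name": "old/pending-delete", "CreatedDate": "2022-01-01T00:00:00+00:00",
     "DeletedDate": "2024-05-20T00:00:00+00:00"},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name in find_unused_secrets(data, datetime.now(timezone.utc)):
        print(" ".join(delete_command(name)))  # review before running
```

Run it as `aws secretsmanager list-secrets | python3 find_unused.py` to produce the candidate commands for review with the owners from step 2; without a pipe it runs against the embedded sample.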

By following these steps, you can ensure unused Secrets Manager secrets are removed, reducing potential security risks and maintaining a more secure environment in accordance with the AWS Foundational Security Best Practices.
