This rule checks that Secrets Manager secrets have automatic rotation configured and have actually been rotated within the specified number of days.
Rule | Secrets Manager secrets should be rotated within a specified number of days |
Framework | AWS Foundational Security Best Practices |
Severity | ✔ Medium |
Rule Description:
Secrets Manager is an AWS service for storing and managing sensitive values such as API keys, passwords, and database credentials. The AWS Foundational Security Best Practices standard calls for regular rotation: rotating a credential limits how long a leaked or otherwise exposed value stays usable and prevents long-lived, unmanaged credentials from accumulating. This rule checks that each secret stored in Secrets Manager has automatic rotation configured with an interval no longer than the specified number of days, and that the secret has in fact been rotated within that period (a secret whose rotation is configured but failing is also non-compliant).
Troubleshooting Steps:
Check the Secret's Rotation Configuration: Rotation is configured per secret, not service-wide. For each secret, confirm that rotation is enabled, that a rotation Lambda function is attached, and that the rotation rules (AutomaticallyAfterDays or a schedule expression) rotate the secret within the specified number of days. The console shows this under the secret's Rotation configuration; describe-secret returns the same fields (RotationEnabled, RotationLambdaARN, RotationRules, LastRotatedDate).
Verify the Rotation Function: Confirm that the rotation function the secret points to exists in the same account and region, implements the four rotation steps (createSecret, setSecret, testSecret, finishSecret), and can reach the system whose credential it rotates (for example, it must run in a VPC that can reach the database if the database is not publicly reachable).
Review IAM Permissions: Rotation is performed by the rotation Lambda function, so its execution role needs secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage and GetRandomPassword on the secret, plus kms:Decrypt and kms:GenerateDataKey if the secret is encrypted with a customer managed KMS key. The function's resource policy must allow secretsmanager.amazonaws.com to invoke it, and the principal that enables or triggers rotation needs secretsmanager:RotateSecret.
Check Secret Rotation Status: When a rotation fails, LastRotatedDate stops advancing and a version labelled AWSPENDING is typically left behind. Compare LastRotatedDate with the rotation interval, review the rotation function's CloudWatch Logs for the error, and list the secret's versions with their staging labels to find a stuck pending version.
Necessary Code:
The following AWS CLI command enables rotation for a specific secret, attaching the rotation function and a 30-day schedule (set AutomaticallyAfterDays to the specified number of days):
aws secretsmanager rotate-secret --secret-id <your-secret-id> --rotation-lambda-arn <your-rotation-lambda-arn> --rotation-rules AutomaticallyAfterDays=30
Secrets Manager invokes the rotation function immediately and then on the configured schedule. Running the same command with only --secret-id triggers an immediate rotation using the existing configuration. If a previous rotation failed and left a version labelled AWSPENDING, clear it before retrying:
aws secretsmanager update-secret-version-stage --secret-id <your-secret-id> --version-stage AWSPENDING --remove-from-version-id <your-version-id>
This removes only the AWSPENDING label from the stale version; AWSCURRENT stays on the version applications are using, and the next rotation starts from a clean state.
Remediation Steps:
Enable Secret Rotation: If rotation is not enabled for a secret, enable it by attaching a rotation Lambda function and a rotation schedule, either from the secret's Rotation configuration in the console or with the rotate-secret CLI command shown under Necessary Code. The function must hold the permissions listed above and be able to reach the target system.
Update Rotation Configuration: If rotation is enabled but the interval exceeds the specified number of days, shorten the schedule (AutomaticallyAfterDays, or a rate()/cron() schedule expression) in the console or with rotate-secret --rotation-rules. Make sure a rotation actually runs after the change (rotate-secret does this by default; in the console, choose to rotate immediately) so the current value is not already older than the threshold.
Troubleshoot Failed Rotations: If a rotation fails, follow the troubleshooting steps above: fix the rotation function's permissions or connectivity, clear any stuck AWSPENDING version, and trigger the rotation again.
Validate Rotation: After any change, confirm that rotation works end to end: trigger a rotation, then check that describe-secret shows an updated LastRotatedDate, that the new version carries the AWSCURRENT label with no leftover AWSPENDING version, and that the application can still authenticate with the new value. Re-run the check to confirm the secret now reports as compliant.
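The check and the remediation described in the troubleshooting and remediation steps above, as an added example that is not code from this page or from AWS: a Python script that evaluates the entries returned by the Secrets Manager list_secrets()/describe_secret() API against a maximum rotation age and enables rotation through the RotateSecret API. The 30-day threshold, the sample secrets and the rotation function ARN are assumptions for illustration; the sample entries are constructed so the audit runs offline, and the live lookup only happens when boto3 and credentials are available.

```python
"""Audit Secrets Manager rotation and enable it where it is missing.

Added example. evaluate_secret() works on the dict shape that boto3's
list_secrets()/describe_secret() return (Name, RotationEnabled,
RotationRules, LastRotatedDate, CreatedDate). The 30-day threshold is an
assumed value for the rule's "specified number of days".
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MAX_ROTATION_DAYS = 30  # assumed threshold
RATE_RE = re.compile(r"^rate\((\d+)\s+days?\)$")


def interval_days(rules: dict) -> Optional[int]:
    """Configured rotation interval in days, from either RotationRules form
    (AutomaticallyAfterDays or ScheduleExpression 'rate(N days)').
    Returns None for cron() expressions, which this check does not evaluate."""
    if rules.get("AutomaticallyAfterDays") is not None:
        return int(rules["AutomaticallyAfterDays"])
    m = RATE_RE.match(rules.get("ScheduleExpression", "").strip())
    return int(m.group(1)) if m else None


def evaluate_secret(secret: dict, now: datetime,
                    max_days: int = MAX_ROTATION_DAYS) -> Tuple[str, str]:
    """Return (status, reason) for one secret description."""
    name = secret["Name"]
    if not secret.get("RotationEnabled"):
        return "FAIL", f"{name}: automatic rotation is not enabled"
    interval = interval_days(secret.get("RotationRules", {}))
    if interval is None:
        return "REVIEW", f"{name}: cron schedule not evaluated, check manually"
    if interval > max_days:
        return "FAIL", f"{name}: rotation interval {interval} days exceeds {max_days}"
    # LastRotatedDate is absent until the first rotation succeeds; fall back
    # to CreatedDate so a never-rotated secret still ages.
    last = secret.get("LastRotatedDate") or secret["CreatedDate"]
    age = (now - last).days
    if age > max_days:
        # Configured correctly but stale: the rotation function is failing
        # (check its CloudWatch Logs and look for a stuck AWSPENDING version).
        return "FAIL", f"{name}: last rotated {age} days ago, rotation appears to be failing"
    return "PASS", f"{name}: rotates every {interval} days, last rotated {age} days ago"


def audit(secrets: List[dict], now: datetime,
          max_days: int = MAX_ROTATION_DAYS) -> List[Tuple[str, str]]:
    return [evaluate_secret(s, now, max_days) for s in secrets]


def enable_rotation(client, secret_id: str, rotation_lambda_arn: str,
                    days: int = MAX_ROTATION_DAYS) -> dict:
    """Remediation: attach the rotation function and schedule and rotate now.

    `client` is a boto3 secretsmanager client. The caller needs
    secretsmanager:RotateSecret, and the function's resource policy must
    allow secretsmanager.amazonaws.com to invoke it."""
    return client.rotate_secret(
        SecretId=secret_id,
        RotationLambdaARN=rotation_lambda_arn,
        RotationRules={"AutomaticallyAfterDays": days},
        RotateImmediately=True,
    )


# Constructed sample of list_secrets() entries, dated relative to SAMPLE_NOW.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "CreatedDate": SAMPLE_NOW - timedelta(days=400),
     "LastRotatedDate": SAMPLE_NOW - timedelta(days=12)},
    {"Name": "prod/api/key", "RotationEnabled": False,
     "CreatedDate": SAMPLE_NOW - timedelta(days=200)},
    {"Name": "staging/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "CreatedDate": SAMPLE_NOW - timedelta(days=300),
     "LastRotatedDate": SAMPLE_NOW - timedelta(days=75)},
    {"Name": "prod/cache/token", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(90 days)"},
     "CreatedDate": SAMPLE_NOW - timedelta(days=100),
     "LastRotatedDate": SAMPLE_NOW - timedelta(days=5)},
]


def main() -> None:
    """Audit the live account when boto3 and credentials are available;
    otherwise fall back to the constructed sample."""
    try:
        import boto3  # assumed installed when run against a real account
        client = boto3.client("secretsmanager")
        pages = client.get_paginator("list_secrets").paginate()
        secrets = [s for page in pages for s in page["SecretList"]]
        now = datetime.now(timezone.utc)
    except Exception as exc:  # ImportError, missing credentials, API errors
        print(f"live lookup unavailable ({exc.__class__.__name__}); using sample")
        secrets, now = SAMPLE_SECRETS, SAMPLE_NOW
    for status, reason in audit(secrets, now):
        print(f"[{status}] {reason}")


if __name__ == "__main__":
    main()
```

The two FAIL reasons are deliberately different: "not enabled" and "interval exceeds" are fixed by enable_rotation(), while "last rotated N days ago" with a correct interval means the rotation function itself is failing and needs the troubleshooting steps (permissions, connectivity, stuck AWSPENDING version) before re-running rotation.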
By following these steps, you can ensure that secrets stored in AWS Secrets Manager are automatically rotated within the specified number of days, thereby enhancing the security of your sensitive information.