Rule: Secrets Manager secrets should have automatic rotation enabled

This rule enforces automatic rotation for Secrets Manager secrets.

Rule: Secrets Manager secrets should have automatic rotation enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description

This rule requires that every secret stored in AWS Secrets Manager have automatic rotation enabled, as called for by the NIST 800-53 Revision 5 security standard. Enabling automatic rotation ensures that secrets such as passwords, database credentials, API keys, or any other sensitive values kept in Secrets Manager are replaced on a regular schedule, which limits how long a leaked or forgotten credential remains usable.

Troubleshooting Steps

If automatic rotation is not enabled for Secrets Manager secrets, follow these troubleshooting steps:

  1. Verify Secrets Manager configuration: Confirm that the AWS Secrets Manager service is properly set up and configured in your AWS account.

  2. Check for existing secrets: Identify which secrets stored in Secrets Manager may need rotation. This could include secrets used for databases, third-party integrations, or other applications.

  3. Review secret rotation requirements: Understand the specific requirements for each secret, such as rotation frequency and rotation mechanism, in line with NIST 800-53 Revision 5.

  4. Check rotation status: Determine whether automatic rotation is already enabled for each secret by reviewing its rotation configuration in the Secrets Manager console or with AWS CLI/API commands.

  5. Rotate secrets manually: If automatic rotation is not enabled, rotate the secrets manually according to the defined rotation frequency. Follow best practices for rotating secrets securely, such as generating new passwords, creating new database credentials, or updating keys without interrupting application functionality.

  6. Enable automatic rotation: Once the manual rotation is complete, enable automatic rotation for each secret in Secrets Manager. Future rotations are then handled automatically by Secrets Manager according to the defined rotation configuration.

Necessary Code

To enable automatic rotation for a secret using AWS CLI, use the following command:

aws secretsmanager rotate-secret --secret-id [YOUR_SECRET_ID] --rotation-rules file://rotation-rules.json

Replace [YOUR_SECRET_ID] with the ARN or name of the secret in Secrets Manager, and put the RotationRules structure (for example the AutomaticallyAfterDays interval) in rotation-rules.json. Note that rotate-secret also starts a rotation immediately, and a secret that is not an AWS managed secret needs a rotation Lambda function attached (via --rotation-lambda-arn) before Secrets Manager can rotate it.
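The rotation-status check from the troubleshooting steps, implemented against the list-secrets API with boto3, as an added example that is not part of the Cloud Defense rule page: it flags secrets with rotation disabled, an interval longer than an assumed 90-day policy ceiling, or a last rotation that is overdue. boto3, the secretsmanager:ListSecrets permission, the 90-day threshold and the sample secret names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a `list-secrets` SecretList; names are made up.
SAMPLE_SECRETS = [
    {"Name": "prod/db/master", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"Name": "prod/api/key", "RotationEnabled": False},
    {"Name": "staging/db", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 365},
     "LastRotatedDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"Name": "prod/queue", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
]
# Fixed "now" so the sample audit is reproducible; real runs use the clock.
SAMPLE_NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)

def audit_secrets(secrets, max_days=90, now=None):
    """Return {name: reason} for each secret failing the rotation check.
    max_days is an assumed policy ceiling, not something the rule text sets."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for s in secrets:
        name = s["Name"]
        if not s.get("RotationEnabled"):
            findings[name] = "automatic rotation disabled"
            continue
        days = s.get("RotationRules", {}).get("AutomaticallyAfterDays")
        if days is None:
            findings[name] = "rotation rules do not state an interval in days"
        elif days > max_days:
            findings[name] = f"rotation interval {days} days exceeds {max_days}"
        elif (s.get("LastRotatedDate") is None
              or now - s["LastRotatedDate"] > timedelta(days=days)):
            findings[name] = "rotation enabled but the last rotation is overdue"
    return findings

def fetch_secrets(region=None):
    """Read every secret's metadata (needs secretsmanager:ListSecrets)."""
    import boto3  # imported here so audit_secrets() stays testable offline
    client = boto3.client("secretsmanager", region_name=region)
    secrets = []
    for page in client.get_paginator("list_secrets").paginate():
        secrets.extend(page["SecretList"])
    return secrets

if __name__ == "__main__":
    for name, reason in audit_secrets(fetch_secrets()).items():
        print(f"NONCOMPLIANT {name}: {reason}")
```

The overdue check matters because RotationEnabled only says rotation is configured; a secret whose Lambda keeps failing still shows as enabled while its LastRotatedDate drifts past the interval.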

Step-by-step Guide for Remediation

Follow these steps to remediate the automatic rotation issue for Secrets Manager secrets:

  1. Identify the secrets stored in Secrets Manager that require automatic rotation.

  2. Determine the rotation frequency and mechanism required for each secret as per NIST 800-53 Revision 5.

  3. Manually rotate each secret by generating new passwords, credentials, or keys as needed.

  4. Once manual rotation is complete, enable automatic rotation for each secret in Secrets Manager using the AWS CLI command mentioned above.

  5. Verify that automatic rotation is enabled by checking the rotation configuration of the secrets.

  6. Monitor the automatic rotation process to ensure that secrets are being rotated at the defined frequency.

  7. Regularly review and update the rotation mechanism and frequency based on changing security requirements and best practices.

By following these steps, you can ensure that all secrets stored in AWS Secrets Manager have automatic rotation enabled, thus complying with the NIST 800-53 Revision 5 security standard.
