Ensure that AWS Secret Manager Secret rotation interval is smaller than 30 days
Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. AWS Secrets Manager automatically triggers a rotation this number of days after the previous rotation. If you ever rotate the secret manually, the rotation interval resets and it is best practice to set the rotation every 30 days.
Risk Level: Low
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.AWS.CRY.49
Category: Security, Identity, & Compliance
GSL LOGIC
SecretManager should have rotationRules.automaticallyAfterDays<=30
REMEDIATION
From console
Perform the following actions in order to change a secret rotation rule:
- Sign in to the AWS Secrets Manager Dashboard - https://console.aws.amazon.com/secretsmanager/
- Choose the name of the secret to enable rotation.
- On the secret details page, in the Rotation configuration section, choose Edit rotation.
- On the Edit rotation configuration page, choose Enable automatic rotation.
- For Select rotation interval, choose 30 or less days.
- Choose a Lambda function from the list.
- Under Select which secret will be used to perform the rotation, choose Use a secret that I have previously stored in AWS Secrets Manager.
- In the list of secrets that appears, choose the name of your Secret
- Choose Save.
From Command Line
aws secretsmanager rotate-secret --secret-id SECRED-ID --rotation-rules AutomaticallyAfterDays=DAYS
From CFT
In your cloudformation template use 'AWS::SecretsManager::RotationSchedule::RotationRules' and set the property 'AutomaticallyAfterDays: Integer' an integer value of 30 or less.
See below example:
Type: AWS::SecretsManager::RotationSchedule
Properties:
...
RotationRules:
AutomaticallyAfterDays: 30
...
From TF
resource "aws_secretsmanager_secret" "rotation-example" {
rotation_rules {
- automatically_after_days = 31
+ automatically_after_days = 30
}
}
References
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
- https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/rotate-secret.html#
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html
Amazon Secrets Manager
AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated over 1 year ago