Description:

AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. It lets AWS manage the secrets on your behalf and makes it easy to follow security best practices such as encrypting secrets and rotating them regularly. Retrieving a secret from Secrets Manager at runtime ensures that developers and applications always use the latest version of that secret.

Rationale:

AWS Secrets Manager helps you protect sensitive information needed to access your cloud applications, services and resources. Users and applications retrieve secrets with a call to the Secrets Manager API, which improves access security by removing the need to hard-code credentials in plain text.

Impact:

AWS Secrets Manager helps you meet your security and compliance requirements by letting you rotate secrets safely without code deployments. You can use it to manage database credentials in line with your organization's security and compliance requirements.

Default Value:

Secrets Manager provides built-in integrations for MySQL, PostgreSQL and Aurora on Amazon Relational Database Service (RDS), and can rotate, manage and retrieve credentials for these database types natively. The default value is 90 days.

Pre-Requisite:

1. AWS Secrets Manager service to create secrets that store

2. Manage Amazon RDS database access credentials.

Remediation:

Test Plan:

Using AWS console:

  1. Log in to the AWS Management Console.

  2. Open the AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

  3. Select Secrets in the left navigation panel.

  4. Check whether any secret has not been used for more than 90 days.

  5. If so, follow the implementation steps below to remove that secret.


Using AWS CLI:

  1. Use this command to list the secrets in the account:

    aws secretsmanager list-secrets


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Open the AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

  3. Select Secrets in the left navigation panel.

  4. Select the secret you want to delete.

  5. Open the Actions menu and select Delete secret.

Using AWS CLI:

  1. This command schedules the secret for deletion but keeps a recovery window of 7 days, during which the deletion can be undone:

    aws secretsmanager delete-secret \
        --secret-id MyTestSecret \
        --recovery-window-in-days 7


  2. This command deletes the secret immediately, with no recovery option:

    aws secretsmanager delete-secret \
        --secret-id MyTestSecret \
        --force-delete-without-recovery


Backout Plan:

If you need to recover a secret, use the console or the command-line interface to restore it before its recovery window expires. A secret deleted with the force option has no recovery window and cannot be restored.


Reference: