Description:
AWS Secrets Manager lets you manage secrets and makes it easy to follow security best practices, such as encrypting secrets and rotating them regularly. It helps you manage, rotate and retrieve database credentials, API keys and other secrets throughout their lifecycle.
As a system or IT admin, you can store and manage access to secrets securely and at scale. As a security admin, you can audit and monitor the use of secrets and rotate them without any risk of breaking applications. Developers avoid having to handle secrets in their applications.
Secrets Manager can be configured to rotate the secret for a secured service or database automatically. It knows how to rotate secrets for supported relational databases; it can also rotate secrets for other databases or third-party services.
A scheduled rotation sometimes fails, because rotation in AWS Secrets Manager relies on a Lambda function that defines how to interact with the database or service that owns the secret. You must therefore verify that each scheduled rotation in Secrets Manager completed successfully.
AWS Config is a service that enables you to assess, audit and evaluate the configuration of your AWS resources. It monitors and records your AWS resource configurations.
Rationale:
Enabling or scheduling rotation in Secrets Manager helps you meet security and compliance requirements. For example, Secrets Manager has built-in integration for Amazon RDS, Amazon Redshift and Amazon DocumentDB and rotates those database credentials on your behalf automatically. You can customize Lambda functions to extend Secrets Manager rotation to other secret types such as API keys and OAuth tokens. Applications should always use the latest version of a secret and retrieve it from Secrets Manager.
Only the date of the next rotation can be predicted, not the time. Secrets Manager schedules the next rotation when the previous one completes.
Rotation can fail for many reasons. Sometimes it is an internal failure, for example when the rotation function generates a new password containing characters that the database engine does not accept; this kind of error appears as an internal failure.
Because of network configuration issues, the Lambda function may be unable to communicate with either your secured database/service or the Secrets Manager service endpoint on the public internet.
Rotation may also fail if the secret value is not formatted as the JSON structure the rotation function expects, so you must make sure the rotation function and the secret value use the same format.
Create a rule in AWS Config to check whether the secrets in Secrets Manager are rotating successfully or not.
Impact:
With scheduled rotation, Secrets Manager rotates the secret automatically at the scheduled time, which helps to reduce access. If you are sure that rotation works successfully, then no third-part
Default Value:
By default there are no secrets in Secrets Manager. When you create a secret in AWS Secrets Manager, automatic rotation is disabled. When you choose Enable, by default there are only three options in the rotation interval menu.
You can customize the rotation interval, and the secret will be rotated based on that custom schedule.
By default, AWS Config does not contain any rule for Secrets Manager.
Audit:
Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.
Step 2: Click on Rule in the left Navigation pane
Step 3: Check whether the rule “secretsmanager-scheduled-rotation-success-check” exists.
If it does not, perform the Implementation steps.
Via CLI Audit
To get details for an AWS Config rule
The following command returns details for an AWS Config rule named secretsmanager-scheduled-rotation-success-check:
aws configservice describe-config-rules \
    --config-rule-names secretsmanager-scheduled-rotation-success-check
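The console and CLI steps above only confirm that the rule exists. As an added example, not part of this document or of AWS's own rule implementation, the following Python script approximates the per-secret verdict the managed rule produces, so an auditor can reason about why a secret is flagged. It runs offline against constructed records shaped like boto3's describe_secret output; the success criterion (rotation enabled, but the last successful rotation is older than the interval plus a one-day grace window for the unpredictable rotation time) is an assumption that approximates the AWS check rather than reproducing it.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like boto3 secretsmanager.describe_secret()
# output (only the fields this check needs); not real account data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/rds/app", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/api/partner-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=45)},   # rotation Lambda failing
    {"Name": "dev/static-token", "RotationEnabled": False},
    {"Name": "prod/redshift/etl", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 7},
     "LastRotatedDate": None},                        # never rotated yet
]


def evaluate_secret(secret, now=NOW, grace=timedelta(days=1)):
    """Return (compliance, reason) for one secret record.

    Assumed approximation of the managed rule: secrets without rotation are
    not evaluated; a rotating secret is NON_COMPLIANT when it has never been
    rotated or its last rotation is older than interval + grace window.
    Only day-based intervals (AutomaticallyAfterDays) are handled here.
    """
    if not secret.get("RotationEnabled"):
        return "NOT_APPLICABLE", "rotation not enabled"
    days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if days is None:
        return "NON_COMPLIANT", "rotation enabled but no interval set"
    last = secret.get("LastRotatedDate")
    if last is None:
        return "NON_COMPLIANT", "rotation enabled but never rotated"
    deadline = last + timedelta(days=days) + grace
    if now > deadline:
        return "NON_COMPLIANT", f"last rotation {last.date()} older than {days} days"
    return "COMPLIANT", f"last rotated {last.date()}"


def summarize(secrets, now=NOW):
    """Group secret names by compliance status, like a Config rule summary."""
    out = {}
    for s in secrets:
        status, _ = evaluate_secret(s, now)
        out.setdefault(status, []).append(s["Name"])
    return out


if __name__ == "__main__":
    for s in SAMPLE_SECRETS:
        status, reason = evaluate_secret(s)
        print(f"{s['Name']:24} {status:15} {reason}")
```

To use it against a real account, replace SAMPLE_SECRETS with the records returned by list_secrets/describe_secret; the evaluation logic is unchanged.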
Remediation:
Pre-Requisite:
Before creating secrets, you should have customer managed keys.
You have secrets in Secrets Manager with an automatic rotation schedule already enabled.
To schedule rotation of secrets, you need an AWS Lambda function that has permission to rotate the secret.
Implementation Steps:
Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.
Step 2: Click on Rule in the left Navigation pane
Step 3: Click on Add Rule button
Step 4: Select Add AWS managed Rules
Step 5: Scroll down in AWS Managed Rules, search for “secretsmanager-scheduled-rotation-success-check” and then select the rule named secretsmanager-scheduled-rotation-success-check
Step 6: Click on Next button
Step 7: No changes are needed on the details page, so click on the Next button
Step 8: Review it and click on Add rule button
Via CLI
To add or update a rule, use put-config-rule.
To add an AWS managed Config rule:
aws configservice put-config-rule \
    --config-rule file://RequiredTagsForSecretManager.json
The JSON file contains:
{
  "ConfigRuleName": "secretsmanager-scheduled-rotation-success-check",
  "Description": "A config rule that checks and verifies whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule.",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK",
    "SourceDetails": []
  },
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::SecretsManager::Secret"
    ]
  },
  "InputParameters": "{}"
}
Backout Plan
Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.
Step 2: Click on Rule in the left Navigation pane
Step 3: Select the rule to delete or remove from AWS Config, then click on the Actions menu
Step 4: Click on Delete rule
Step 5: To confirm, type delete and click on the Delete button
Via CLI
To delete an AWS Config rule:
aws configservice delete-config-rule \
    --config-rule-name secretsmanager-scheduled-rotation-success-check