Description:

AWS Secrets Manager lets you manage secrets and makes it easy to follow security best practices such as encrypting secrets and rotating them regularly. It helps you manage, rotate and retrieve database credentials, API keys and other secrets throughout their lifecycle.

As a system or IT administrator, you can store and manage access to secrets securely and at scale. As a security administrator, you can audit and monitor the use of secrets and rotate them without risk of breaking applications. Developers avoid having to handle secrets inside their applications.

Secrets Manager can be configured to rotate the secret for a secured service or database automatically. It knows how to rotate secrets for the supported relational databases, and it can also be extended to rotate secrets for other databases or third-party services.

A scheduled rotation sometimes fails, because rotation in AWS Secrets Manager relies on a Lambda function that defines how to interact with the database or service that owns the secret. You must therefore verify that each scheduled rotation completed successfully.

AWS Config is a service that enables you to assess, audit and evaluate the configuration of your AWS resources. It monitors and records the configuration of those resources.

Rationale:

Enabling or scheduling rotation in Secrets Manager helps you meet security and compliance requirements. For example, the built-in integration with Amazon RDS, Amazon Redshift and Amazon DocumentDB rotates those database credentials on your behalf automatically. You can customize Lambda functions to extend Secrets Manager rotation to other secret types such as API keys and OAuth tokens. Always use the latest version of a secret, retrieved from Secrets Manager.

Only the date of the next rotation can be predicted, not the time: Secrets Manager schedules the next rotation when the previous one completes.

A rotation can fail for many reasons. Sometimes it is an internal failure, for example when the rotation function generates a new password containing characters that the database engine does not accept; this type of error is reported as an internal failure.

Network configuration issues can leave the Lambda function unable to communicate with either your secured database or service or the Secrets Manager service endpoint on the public internet.

Rotation can also fail if the secret value is not formatted as the JSON structure the rotation function expects, so the secret value must be stored in the format the rotation function requires.
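As an added example (not part of the original control text), the following Python check validates a secret value against the JSON layout read by the AWS-provided single-user RDS rotation function (engine, host, username and password, with dbname and port optional); the sample values are constructed.

```python
import json

# Keys read by the AWS-provided single-user RDS rotation function from the
# secret's JSON value. "dbname" and "port" are optional; extra keys are ignored.
REQUIRED_FIELDS = ("engine", "host", "username", "password")


def check_secret_format(secret_string):
    """Return a list of problems with a SecretString; an empty list means the
    rotation function can parse it. A bare password string (no JSON object)
    is the classic cause of the format failure described above."""
    try:
        value = json.loads(secret_string)
    except (TypeError, ValueError):
        return ["secret value is not valid JSON"]
    if not isinstance(value, dict):
        return ["secret value must be a JSON object, not a bare string or list"]
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in value:
            problems.append(f"missing required field: {field}")
        elif not isinstance(value[field], str) or not value[field]:
            problems.append(f"field must be a non-empty string: {field}")
    if "port" in value and not str(value["port"]).isdigit():
        problems.append("port must be numeric")
    return problems


# Constructed sample secret values (not real credentials).
GOOD_SECRET = json.dumps({"engine": "mysql", "host": "db.example.internal",
                          "username": "app", "password": "ExamplePassw0rd",
                          "dbname": "app", "port": "3306"})
PLAIN_PASSWORD = "ExamplePassw0rd"   # stored as a bare string, not as JSON
MISSING_PASSWORD = json.dumps({"engine": "postgres", "host": "db.example.internal",
                               "username": "app"})

if __name__ == "__main__":
    for label, value in [("good", GOOD_SECRET), ("plain", PLAIN_PASSWORD),
                         ("missing", MISSING_PASSWORD)]:
        print(label, check_secret_format(value) or "OK")
```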

Create a rule in AWS Config to check whether the scheduled rotation of each secret in Secrets Manager succeeded.

Impact:

When you schedule rotation, Secrets Manager automatically rotates the secret at the scheduled time, which helps reduce long-lived access. If you are sure that rotation works successfully, then no third-part

Default Value:

  • By default there is no secret in Secrets Manager. When you create a secret in AWS Secrets Manager, automatic rotation is disabled. When you choose Enable, by default there are only three options in the rotation interval list.

  • You can customize the rotation interval, and the secret is then rotated on that custom schedule.

  • By default, AWS Config contains no rule for Secrets Manager.

Audit:

Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.

Step 2: Click on Rule in the left navigation pane

Step 3: In the rules list, check whether the rule “secretsmanager-scheduled-rotation-success-check” exists.

If not, perform the Implementation Steps.

Via CLI Audit

To get details for an AWS Config rule

The following command returns details for the AWS Config rule named secretsmanager-scheduled-rotation-success-check:

aws configservice describe-config-rules \
    --config-rule-names secretsmanager-scheduled-rotation-success-check
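Confirming that the rule exists does not show which secrets it would flag. The following added Python example (not part of the original control text, and not AWS's own rule implementation) approximates the rule's evaluation locally over constructed records shaped like `aws secretsmanager describe-secret` output: a secret with rotation enabled is NON_COMPLIANT when its last successful rotation is older than the configured interval, and secrets without rotation enabled are treated as NOT_APPLICABLE (an assumption about the managed rule's logic).

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed samples evaluate reproducibly.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed records holding only the describe-secret fields the check needs.
SAMPLE_SECRETS = [
    {"Name": "prod/db/app", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/db/reporting", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=45)},   # rotation Lambda keeps failing
    {"Name": "prod/api/partner-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 7}},  # enabled, never rotated OK
    {"Name": "dev/legacy", "RotationEnabled": False},
]


def evaluate_rotation(secret, now=NOW, grace_days=1):
    """Return (compliance, reason) for one secret record.

    grace_days allows for the fact that only the date of the next rotation is
    predictable, not the time (see the Rationale above)."""
    if not secret.get("RotationEnabled"):
        return "NOT_APPLICABLE", "rotation not enabled"
    interval = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if interval is None:
        return "NON_COMPLIANT", "rotation enabled but no interval configured"
    last = secret.get("LastRotatedDate")
    if last is None:
        return "NON_COMPLIANT", "rotation enabled but no successful rotation recorded"
    age = (now - last).days
    if age > interval + grace_days:
        return "NON_COMPLIANT", f"last rotated {age} days ago, interval is {interval} days"
    return "COMPLIANT", f"last rotated {age} days ago, interval is {interval} days"


def noncompliant_secrets(secrets, now=NOW):
    """Names of the secrets an evaluation like the managed rule's would flag."""
    return sorted(s["Name"] for s in secrets
                  if evaluate_rotation(s, now)[0] == "NON_COMPLIANT")


if __name__ == "__main__":
    for s in SAMPLE_SECRETS:
        print(s["Name"], *evaluate_rotation(s))
```

A flagged secret is the cue to inspect the rotation Lambda's logs for the internal, network or secret-format failures described in the Rationale.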

Remediation:

Pre-Requisite:

  1. Before creating secrets, you should have customer managed keys.

  2. You have a secret in Secrets Manager with an automatic rotation schedule already enabled.

  3. To schedule the rotation of a secret, you need an AWS Lambda function that has permission to rotate that secret.

Implementation Steps:

Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.

Step 2: Click on Rule in the left navigation pane

Step 3: Click on Add Rule button 

Step 4: Select Add AWS managed Rules

Step 5: Scroll down the list of AWS managed rules, search for “secretsmanager-scheduled-rotation-success-check” and select the rule with that name

Step 6: Click on Next button

Step 7: No changes are needed in the details, so click on the Next button

Step 8: Review the rule and click on the Add rule button


Via CLI

To add or update rules, use put-config-rule.

To add an AWS managed Config rule


aws configservice put-config-rule \
    --config-rule file://RequiredTagsForSecretManager.json

In the JSON file, write:

{
    "ConfigRuleName": "secretsmanager-scheduled-rotation-success-check",
    "Description": "A config rule that checks and verifies whether AWS Secrets Manager secret rotation has rotated successfully as per the rotation schedule.",
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK",
        "SourceDetails": []
    },
    "Scope": {
        "ComplianceResourceTypes": [
            "AWS::SecretsManager::Secret"
        ]
    },
    "InputParameters": "{}"
}

Backout Plan

Step 1: Sign in to the AWS Management Console and go to AWS config dashboard at https://console.aws.amazon.com/config/.

Step 2: Click on Rule in the left navigation pane

Step 3: Select the rule to delete or remove from AWS Config, then open the Actions menu

Step 4: Click on Delete rule

Step 5: To confirm, type delete and click on the Delete button

Via CLI

To delete an AWS Config rule

aws configservice delete-config-rule \
    --config-rule-name secretsmanager-scheduled-rotation-success-check
