Description:
This policy checks whether an AWS Secrets Manager secret has automatic rotation enabled. The rule also accepts an optional maximumAllowedRotationFrequency parameter. If the parameter is specified, the rotation interval configured on the secret is compared with the maximum allowed interval, and a secret that rotates less often than allowed is reported as non-compliant.
Rationale:
AWS Secrets Manager lets you manage secrets centrally. It helps you store, rotate and retrieve database credentials, API keys, and other secrets. Enabling or scheduling rotation of a secret supports your security and compliance requirements. Automatically rotating your Amazon Secrets Manager secrets can significantly reduce the chance that a compromised set of credentials is used without your knowledge to access the services and resources (AWS-based or third-party) that your applications rely on, because a stolen credential stops working at the next rotation.
Impact:
Rotates the secrets stored in AWS Secrets Manager, which significantly reduces the chance that a compromised set of credentials can be used without your knowledge to access services and resources. Applications that read the secret must fetch the current value from Secrets Manager rather than caching it indefinitely, otherwise they will fail after the first rotation.
Default Value:
By default, automatic rotation is disabled for a newly created secret.
Audit:
To determine whether automatic rotation is enabled for a secret, do the following:
Sign in to the AWS Management Console.
Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.
In the navigation menu, select Secrets.
Choose the Secrets Manager secret that you want to observe, then click on its name (link) to access the resource configuration details.
On the selected secret configuration page, inside the Rotation configuration section, check the Rotation status configuration attribute value. If the attribute value is set to Disabled, the automatic rotation feature is not enabled for the selected Amazon Secrets Manager secret.
Via CLI:
aws secretsmanager describe-secret \
  --region <region> \
  --secret-id <id> \
  --query 'RotationEnabled'
The command prints true or false. The configured interval is returned in the RotationRules field of the same describe-secret output.
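The following is an added example, not part of the original policy text, showing how the check described in the Description section can be scripted over the JSON that describe-secret returns. It assumes that maximumAllowedRotationFrequency is expressed as the maximum number of days permitted between rotations; the field names RotationEnabled, RotationRules, AutomaticallyAfterDays and ScheduleExpression are real describe-secret output fields, while the sample secret document, its ARNs and the Finding type are constructed for the example. It also goes slightly beyond the page by handling schedules written as rate() expressions and by flagging cron() schedules, whose interval cannot be derived mechanically, for manual review.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like `aws secretsmanager describe-secret` output.
# Field names are the real API names; every value below is made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-db-creds-AbCdEf",
    "Name": "example-db-creds",
    "RotationEnabled": True,
    "RotationLambdaARN": "arn:aws:lambda:us-east-1:111122223333:function:example-rotation",
    "RotationRules": {"AutomaticallyAfterDays": 60},
})

# Matches schedule expressions such as rate(30 days) or rate(12 hours).
RATE_RE = re.compile(r"^rate\((\d+)\s+(hour|hours|day|days)\)$")


@dataclass
class Finding:
    """Result of evaluating one secret against the policy (constructed type)."""
    compliant: bool
    reason: str
    interval_days: Optional[float] = None


def rotation_interval_days(rules: dict) -> Optional[float]:
    """Derive the rotation interval in days from a RotationRules object.

    Returns None when the interval cannot be derived, e.g. for a cron()
    schedule, so the caller can route the secret to manual review.
    """
    if "AutomaticallyAfterDays" in rules:
        return float(rules["AutomaticallyAfterDays"])
    match = RATE_RE.match(rules.get("ScheduleExpression", "").strip())
    if match:
        count, unit = int(match.group(1)), match.group(2)
        return count / 24 if unit.startswith("hour") else float(count)
    return None


def evaluate_secret(describe_json: str,
                    maximum_allowed_rotation_frequency: Optional[int] = None) -> Finding:
    """Apply the policy to one describe-secret JSON document.

    A secret is compliant when RotationEnabled is true and, if a maximum is
    given, its rotation interval does not exceed that many days.
    """
    secret = json.loads(describe_json)
    # A secret that was never configured for rotation has no RotationEnabled
    # key at all; treat a missing key the same as false.
    if not secret.get("RotationEnabled", False):
        return Finding(False, "rotation is not enabled")
    if maximum_allowed_rotation_frequency is None:
        return Finding(True, "rotation enabled; no interval limit configured")
    interval = rotation_interval_days(secret.get("RotationRules", {}))
    if interval is None:
        return Finding(False, "rotation enabled but interval could not be derived "
                              "(cron schedule?); review manually")
    if interval > maximum_allowed_rotation_frequency:
        return Finding(False, f"rotation interval {interval:g} days exceeds the "
                              f"maximum allowed {maximum_allowed_rotation_frequency} days",
                       interval)
    return Finding(True, f"rotation interval {interval:g} days is within the allowed "
                         f"maximum", interval)


if __name__ == "__main__":
    for limit in (None, 90, 30):
        finding = evaluate_secret(SAMPLE_DESCRIBE_OUTPUT, limit)
        print(f"max={limit}: compliant={finding.compliant} ({finding.reason})")
```

To run this against a real account, feed the function the output of the describe-secret command shown above for each secret returned by list-secrets; the evaluation itself needs no AWS credentials.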
Remediation:
Pre-requisites:
The IAM permissions needed by the user who configures rotation differ from those needed by the user who triggers a rotation; confirm both are in place before proceeding.
The IAM permissions associated with the Lambda rotation function (the function must be able to read and update the secret and reach the service whose credential it rotates).
Implementation Steps:
- Sign in to the AWS Management Console.
- Navigate to the AWS Secrets Manager service dashboard at https://console.aws.amazon.com/secretsmanager/.
- In the navigation panel, select Secrets.
- Choose the secret that you want to reconfigure, then click on its name to access the secret configuration details.
- On the selected secret configuration page, within the Rotation configuration section, click Edit rotation to initiate the automatic rotation setup process.
- Inside the Edit rotation configuration dialog box, perform the following:
  - Select Enable automatic rotation to enable the feature.
  - Select a predefined (e.g. 30, 60, 90 days) or a custom value for the rotation interval from the Select rotation interval dropdown list.
  - Select Create a new Lambda function to perform rotation to create your own custom Lambda function for rotation, or select Use an existing Lambda function to perform rotation to use an AWS Lambda function that you have previously created for rotating this type of secret.
  - Click Save to apply the changes.
Via CLI:
aws secretsmanager rotate-secret \
  --region us-east-1 \
  --secret-id <id> \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:<account-id>:function:SecretsManager-cc-secret-rotation-function \
  --rotation-rules AutomaticallyAfterDays=30
Note that rotate-secret both stores the rotation configuration and immediately starts a rotation of the secret, so run it only when the rotation function and the consuming applications are ready for the credential to change.
Backout plan:
Sign in to AWS Management Console.
Navigate to AWS Secrets Manager service dashboard at https://console.aws.amazon.com/secretsmanager/.
In the navigation panel, select Secrets.
Choose the secret that you want to change, then click on its name to access the secret configuration details.
On the selected secret configuration page, within the Rotation configuration section, click Edit rotation to open the rotation settings.
Then select Disable automatic rotation and save the changes.
References:
Rotate your AWS Secrets Manager secrets - AWS Secrets Manager