Description:
Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule.
Rationale:
In order to rotate the credentials, you had to create new credentials, update the application to use the new credentials, and distributed the updated application. If you had multiple applications with shared credentials and you missed updating one of them, the application fails to work.
Impact:
Secrets Manager ensures that the secret can't be compromised by someone examining your code, since the secret no longer exists in the code. Scheduled Rotation feature enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Default Value:
AWS Secrets Manager has built-in rotation support for:
Amazon RDS databases
Amazon DocumentDB databases
Amazon Redshift clusters
2. But when storing a new secret on secret manager, the rotation setting is chosen to be disabled by default.
Pre-Requisite:
To successfully enable rotation, you must have your network environment configured correctly.
The Lambda function must be able to communicate with your database or service.
The Lambda function must be able to communicate with the Secrets Manager service endpoint.
Remediation:
Test plan:
via Management Console
Sign in to the AWS Management Console.
Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.
In the navigation panel, select Secrets.
Choose the Secrets Manager secret that you want to examine, then click on its name (link) to access the resource configuration details.
On the selected secret configuration page, inside the Rotation configuration section.
Check the Rotation status configuration attribute value.
If the attribute value is set to Disabled, the automatic rotation feature is not enabled for the selected Amazon Secrets Manager secret.
Using AWS CLI
Run list-secrets command to list all Secrets Manager secrets available within the selected AWS region:
aws secretsmanager list-secrets --region us-east-1 --query 'SecretList[*].Name'
This returns the names of the secrets available within the region
Run describe-secret command with the name of the secret that you want to examine as identifier and custom query filters to return the automatic rotation feature status for the selected AWS Secrets Manager secret.
aws secretsmanager describe-secret --region us-east-1 --secret-id Nameofthesecret --query 'RotationDisabled'
This return the status of the rotation for that secret. If the rotation is disabled, it returns TRUE.
Implementation steps:
via Management Console
Sign in to the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
Choose the name of the secret that you want to enable rotation for.
In the Rotation Configuration section, choose Edit rotation. This enables the other controls in this section.
Check the Enable Automatic Rotation and for Select rotation interval, choose one of the predefined values—or choose Custom, and then type the number of days you want between rotations.
For Choose an AWS Lambda function, choose your rotation function from the drop-down list. Else, create one. Return and perform this step when the function is created and ready to associate with your secret and click Save.
This enables rotations on secrets i.e., replaces existing credentials with new credentials without hassle.
Using AWS CLI:
rotate-secret --secret-id <value> [--client-request-token <value>] [--rotation-lambda-arn <value>] [--rotation-rules <value>] [--cli-input-json <value>] [--generate-cli-skeleton <value>]
Example:
aws secretsmanager rotate-secret --secret-id MyTestDatabaseSecret \
--rotation-lambda-arn arn:aws:lambda:us-west-2:1234566789012:function:MyTestRotationLambda \
--rotation-rules AutomaticallyAfterDays=30
Backout Plan:
Disables automatic scheduled rotation and cancels the rotation of a secret if currently in progress.
cancel-rotate-secret
--secret-id <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
Example:
aws secretsmanager cancel-rotate-secret --secret-id MyTestDatabaseSecret
Note:
Secrets Manager is a regional service.
Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen somewhat randomly but is weighted towards the top of the hour and influenced by a variety of factors that help distribute load.