Description:
Secrets Manager is a service that allows you to store, manage, and rotate secrets. By default, Secrets Manager does not rotate keys. However, it is important to enable key rotation to help protect your secrets from unauthorized access.
Rationale:
If key rotation is not enabled, then the keys used to encrypt your secrets will never change. This means that if an attacker were to gain access to one of your secrets, they would be able to use the same key to access your secrets indefinitely.
Impact:
If key rotation is not enabled, and an attacker were to gain access to one of your secrets, they could use the same key to access your secrets indefinitely. This could lead to data breaches, financial losses, or even system downtime.
Default Value:
By default, Secrets Manager does not rotate keys.
Pre-requisites:
- You must have an AWS account and be logged in to the AWS Management Console.
- You must have the secretsmanager:RotateSecret permission.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS Secrets Manager console.
- Select the secret that you want to rotate the key for.
- Click Rotate Secret.
- Follow the instructions in the wizard to rotate the key.
Test Plan:
- Verify that the key has been rotated by checking the Key Rotation Status.
- Try to access the secret using the old key.
- If you are unable to access the secret, then the key has been rotated correctly.
Implementation Plan:
- Create a policy that allows the Secrets Manager service to rotate keys.
- Implement the policy by attaching the policy to the Secrets Manager service.
- Monitor the status of the policy to ensure that keys are rotated on a regular basis.
AWS CLI Process:
- Run the following command to rotate the key for a secret:
aws secretsmanager rotate-secret --secret-id <secret-id>
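The Test Plan and Implementation Plan above both come down to the same check: for every secret, is rotation enabled, and is the interval acceptable? The script below is an added example, not part of the original guide. It reads the JSON that `aws secretsmanager list-secrets` prints (from a file or stdin, or a constructed sample built into the script), reports each secret that fails the check, and prints the `rotate-secret` command that would remediate it. It makes no AWS calls itself; the secret names, ARNs, and the 90-day maximum interval are assumptions for illustration, while the field names (`RotationEnabled`, `RotationRules.AutomaticallyAfterDays`, `RotationLambdaARN`) and CLI flags are the real ones.

```python
"""Audit Secrets Manager rotation status from `aws secretsmanager list-secrets` JSON.

Added example for this guide, not the guide's own tooling. Run as:
    aws secretsmanager list-secrets > secrets.json && python audit_rotation.py secrets.json
With no argument it audits the constructed sample below.
"""
import json
import shlex
import sys

# Longest acceptable rotation interval in days. A policy choice, assumed here.
MAX_ROTATION_DAYS = 90

# Constructed sample shaped like `aws secretsmanager list-secrets` output.
# Field names are the real API names; account id, names and ARNs are made up.
SAMPLE_LIST_SECRETS = {
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
            "Name": "prod/db",
            "RotationEnabled": True,
            "RotationLambdaARN": "arn:aws:lambda:us-east-1:123456789012:function:rotate-db",
            "RotationRules": {"AutomaticallyAfterDays": 30},
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-key-GhIjKl",
            "Name": "prod/api-key",
            "RotationEnabled": False,
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:legacy/ftp-MnOpQr",
            "Name": "legacy/ftp",
            "RotationEnabled": True,
            "RotationLambdaARN": "arn:aws:lambda:us-east-1:123456789012:function:rotate-ftp",
            "RotationRules": {"AutomaticallyAfterDays": 365},
        },
    ]
}


def rotation_findings(list_secrets_output, max_days=MAX_ROTATION_DAYS):
    """Return [(secret name, reason)] for every secret that fails the check.

    A secret passes only when RotationEnabled is true AND
    RotationRules.AutomaticallyAfterDays is present and <= max_days.
    """
    findings = []
    for secret in list_secrets_output.get("SecretList", []):
        name = secret.get("Name") or secret.get("ARN", "<unknown>")
        if not secret.get("RotationEnabled", False):
            findings.append((name, "rotation not enabled"))
            continue
        days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
        if days is None:
            # Rotation is on but no day interval is recorded (e.g. only a
            # ScheduleExpression); flag it for manual review.
            findings.append((name, "rotation enabled but no AutomaticallyAfterDays interval"))
        elif days > max_days:
            findings.append((name, f"rotation interval {days}d exceeds {max_days}d"))
    return findings


def remediation_command(secret_id, rotation_lambda_arn, days=30):
    """Build the CLI command that turns on rotation with the given interval.

    The rotation Lambda ARN is an assumption: the caller supplies the
    function that knows how to rotate this particular secret.
    """
    return (
        "aws secretsmanager rotate-secret"
        f" --secret-id {shlex.quote(secret_id)}"
        f" --rotation-lambda-arn {shlex.quote(rotation_lambda_arn)}"
        f" --rotation-rules AutomaticallyAfterDays={int(days)}"
    )


def load_input(argv):
    """Read list-secrets JSON from a file path, stdin ('-'), or fall back to the sample."""
    if len(argv) > 1:
        with (sys.stdin if argv[1] == "-" else open(argv[1])) as fh:
            return json.load(fh)
    return SAMPLE_LIST_SECRETS


if __name__ == "__main__":
    data = load_input(sys.argv)
    problems = rotation_findings(data)
    for name, reason in problems:
        print(f"NON-COMPLIANT {name}: {reason}")
        # Placeholder ARN: replace with the rotation function for this secret.
        print("  fix:", remediation_command(name, "arn:aws:lambda:REGION:ACCOUNT:function:ROTATION-FN"))
    print(f"{len(problems)} of {len(data.get('SecretList', []))} secrets need attention")
    sys.exit(1 if problems else 0)
```

The non-zero exit status lets the script sit in a scheduled job and fail loudly, which is the "monitor the status" step of the Implementation Plan. Treating "enabled but no interval" as a finding rather than a pass is deliberate: the Test Plan asks you to confirm rotation actually happens on a cadence, and a secret with rotation switched on but no schedule will not.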
Using AWS GUI:
- Go to the AWS Secrets Manager console.
- Select the secret that you want to rotate the key for.
- Click Rotate Secret.
- Follow the instructions in the wizard to rotate the key.
Backout Plan:
- If you accidentally delete the key, you can restore it by running the following command:
aws secretsmanager restore-secret --secret-id <secret-id>
- You can also roll back the policy that allows the Secrets Manager service to rotate keys.
Note:
- This policy only applies to Secrets Manager secrets that do not have key rotation enabled.
- You can also use the AWS CLI or the AWS Secrets Manager API to rotate keys for Secrets Manager secrets.
- For more information, see the Secrets Manager documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html.