Profile Applicability:

  • Level 1

Description:

AWS Secrets Manager helps securely store and manage sensitive information such as database credentials, API keys, and other secrets. Secret rotation is the process of automatically changing the credentials stored in Secrets Manager to reduce the risk of unauthorized access. This SOP ensures that secret rotation is enabled for Secrets Manager secrets, thereby improving security by automatically rotating secrets and reducing the likelihood of a compromised secret.

Rationale:

  • Security: Enabling secret rotation ensures that credentials are changed regularly, reducing the chances of a secret being exposed or compromised.

  • Compliance: Many regulatory frameworks (e.g., SOC 2, PCI-DSS) require that secrets be rotated periodically to ensure secure handling of sensitive information.

  • Risk Management: Rotating secrets automatically reduces human errors and the risks associated with managing secrets manually.

Impact:

Pros:

  • Improved Security: Regularly rotating secrets reduces the risk of long-lived credentials being exposed.

  • Automated Process: Eliminates manual processes and ensures consistency in rotating credentials.

  • Compliance: Meets industry regulations requiring periodic credential rotation.

Cons:

  • Service Disruption: If the rotation is not configured properly, services using these secrets may experience interruptions.

  • Complexity: Requires correct integration with the services using the secrets, ensuring they can handle the rotated values.

Default Value:

By default, Secrets Manager does not enable automatic rotation for newly created secrets. You need to explicitly configure a rotation schedule during secret creation or modification.

Pre-requisite:

  • AWS IAM Permissions:

    • secretsmanager:DescribeSecret

    • secretsmanager:PutSecretValue

    • secretsmanager:GetSecretValue

  • AWS CLI installed and configured.

  • Secrets Manager secret is created and operational.

  • Lambda function for secret rotation should be implemented (if not, create one as described in the Implementation Steps).

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Secrets Manager under Services.

  3. In the Secrets Manager Console, select Secrets.

  4. For each secret, check the Rotation section:

    • If rotation is enabled, you will see the Rotation Lambda function and rotation schedule configured.

    • If rotation is not enabled, the secret will show "Rotation not enabled" under the Rotation section.

  5. If rotation is not enabled, follow the steps in the Implementation Steps below to enable it.

Using AWS CLI:

  1. To describe the Secrets Manager secret and check if rotation is enabled, run:

    aws secretsmanager describe-secret --secret-id <secret-id> --query 'RotationEnabled'

  2. The output should show:

  • true if rotation is enabled.

  • false if rotation is not enabled.

  1. If rotation is not enabled, proceed with enabling it using the steps in the Implementation Steps.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Secrets Manager.

  2. In the Secrets Manager Dashboard, select the secret you want to enable rotation for.

  3. Click on Rotation in the Secret details section.

  4. Click Edit rotation and enable rotation for the secret.

    • Select an existing Lambda function or create a new one for secret rotation.

    • Configure the rotation schedule (e.g., every 30 days).

  5. Save the changes to enable rotation for the secret.

Using AWS CLI:

  1. To enable rotation for a secret, use the following command:

    aws secretsmanager rotate-secret \
  --secret-id <secret-id> \
  --rotation-lambda-arn <lambda-function-arn> \
  --rotation-rules AutomaticallyAfterDays=<number-of-days>

  1. To create a Lambda function for secret rotation, refer to the AWS documentation on creating Lambda functions for secret rotation: AWS Lambda Secrets Manager Rotation Function.

  2. After the Lambda function is set up, enable rotation and configure the rotation schedule.

  3. To verify that rotation is enabled, run:

    aws secretsmanager describe-secret --secret-id <secret-id> --query 'RotationEnabled'

Backout Plan:

Using AWS Console:

  1. If enabling rotation causes issues, sign in to the AWS Management Console.

  2. Navigate to Secrets Manager, select the secret, and go to Edit rotation.

  3. Disable rotation and save the changes.

  4. Ensure that no rotation policy is applied to the secret.

Using AWS CLI:

  1. To disable rotation for a secret, use the following command:

    aws secretsmanager put-rotation-policy --secret-id <SECRET_ID> --rotation-enabled false --region <REGION>

  2. Verify that rotation is now disabled by describing the secret:

    aws secretsmanager describe-secret --secret-id <SECRET_ID> --region <REGION>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.