Profile Applicability:

  • Level 1

Description:

AWS Secrets Manager helps store and manage sensitive information such as database credentials, API keys, and other secrets. Unused or orphaned secrets can represent a security risk, as they might contain outdated or unnecessary credentials that could be exposed or exploited. This SOP ensures that all secrets in Secrets Manager are actively used and necessary for your applications, thereby reducing the potential attack surface by cleaning up unused secrets.

Rationale:

  • Security: Keeping unused secrets introduces unnecessary risk to the environment. Unused secrets may inadvertently be exposed, and they could be vulnerable to misuse if not managed properly.

  • Compliance: For many security and compliance standards (e.g., SOC 2, HIPAA), it is important to manage sensitive data actively and remove any unused or unnecessary credentials.

  • Best Practices: Removing unused secrets helps to maintain a cleaner, more secure environment by ensuring that only actively needed secrets are stored and used.

Impact:

Pros:

  • Improved Security: Deleting unused secrets reduces the risk of unauthorized access to expired or unnecessary credentials.

  • Simplified Management: Actively used secrets are easier to manage, and removing unused ones simplifies secret management tasks.

  • Reduced Attack Surface: Limiting the number of secrets reduces the chance of a secret being compromised.

Cons:

  • Potential Service Impact: If a secret is mistakenly identified as unused and deleted, it could lead to application errors or interruptions in service. Therefore, thorough testing and validation are needed before removal.

  • Operational Overhead: Continuously tracking and auditing unused secrets can add administrative overhead, especially in large environments with many secrets.

Default Value:

By default, Secrets Manager does not track whether secrets are actively used or not. It is up to the administrator to identify unused secrets and manage their lifecycle effectively.

Pre-requisite:

  • AWS IAM Permissions:

    • secretsmanager:ListSecrets

    • secretsmanager:DescribeSecret

    • secretsmanager:DeleteSecret

  • AWS CLI installed and configured.

  • Monitoring or audit systems in place to track the usage of secrets.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Secrets Manager under Services.

  3. In the Secrets Manager Console, select Secrets.

  4. For each secret, check for its usage:

    • Review application code or integration logs to ensure the secret is being actively used.

    • For example, check if credentials stored in Secrets Manager are still being used by associated services like Amazon RDS, Amazon S3, etc.

  5. If a secret appears to be unused, ensure it is no longer required and proceed with its deletion or deactivation as per the Implementation Steps.

Using AWS CLI:

  1. To list all the secrets, run:

    aws secretsmanager list-secrets --query 'SecretList[*].ARN'

  2. For each secret, check its last used date (if applicable) by running:

    aws secretsmanager describe-secret --secret-id <secret-id> --query 'LastAccessedDate'

  3. Review the LastAccessedDate. If the date is older than the inactivity threshold your organization has defined, or if the secret has never been accessed at all, treat that secret as a candidate for removal.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Secrets Manager.

  2. In the Secrets Manager Console, select the secret you want to check for usage.

  3. Check the LastAccessedDate in the Secret Details tab or refer to usage logs from the application that integrates with the secret.

  4. If the secret is no longer being used:

    • Confirm with stakeholders that it is indeed no longer needed.

    • Delete the secret or mark it for deletion, ensuring it does not disrupt any applications:

      • Click Delete Secret.

      • You can configure a deletion window (e.g., 30 days) to avoid accidental deletions.

  5. Save and repeat the process for other secrets.

Using AWS CLI:

  1. To identify unused secrets, you can use the describe-secret command to check the LastAccessedDate for each secret:

    aws secretsmanager describe-secret --secret-id <secret-id> --query 'LastAccessedDate'

  2. If a secret is identified as unused, delete it by running:

    aws secretsmanager delete-secret --secret-id <secret-id> --force-delete-without-recovery

  3. If you prefer to retain the secret for some time before deletion, use:

    aws secretsmanager delete-secret --secret-id <secret-id> --recovery-window-in-days <number-of-days>

  4. Ensure no critical applications are impacted by removing the secret. Verify by testing any dependent services after deletion.
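As an added example for the Test Plan and Implementation CLI steps above (this script is not part of the SOP and is not an AWS-provided tool): a Python script that reads the JSON printed by `aws secretsmanager list-secrets` (whose SecretList entries already carry LastAccessedDate, so the per-secret describe-secret loop is optional), classifies each secret against an inactivity threshold, and prints, rather than executes, the delete-secret commands with the recovery window from step 3. The ARNs and dates in SAMPLE_OUTPUT are constructed, and UNUSED_AFTER_DAYS, RECOVERY_WINDOW_DAYS and SAMPLE_NOW are assumptions chosen for the example.

```python
"""Added example (not part of the SOP): classify Secrets Manager secrets from
`aws secretsmanager list-secrets` JSON and emit a dry-run deletion plan that
keeps the recovery window the SOP recommends."""
import json
import sys
from datetime import datetime, timedelta, timezone

# Inactivity threshold; the SOP leaves the cut-off to the operator,
# so 90 days is an assumption to tune to your own policy.
UNUSED_AFTER_DAYS = 90
# Recovery window for delete-secret so a mistake can be undone with
# restore-secret (the SOP's backout plan). 30 days is an assumption.
RECOVERY_WINDOW_DAYS = 30
# Fixed "current time" used for the constructed sample below.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse CLI timestamps: ISO-8601 strings (CLI v2 default) or epoch
    floats (CLI v1 "wire" format). A missing value stays None."""
    if ts is None:
        return None
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_secret(secret, now, unused_after_days=UNUSED_AFTER_DAYS):
    """Return 'active', 'unused', 'never-accessed' or 'recent'.

    'recent' covers secrets created inside the window: a freshly created
    secret has no LastAccessedDate yet and must not be mistaken for an orphan.
    """
    cutoff = now - timedelta(days=unused_after_days)
    created = _parse(secret.get("CreatedDate"))
    last_accessed = _parse(secret.get("LastAccessedDate"))
    if created is not None and created > cutoff:
        return "recent"
    if last_accessed is None:
        return "never-accessed"
    if last_accessed > cutoff:
        return "active"
    return "unused"


def audit(secret_list, now, unused_after_days=UNUSED_AFTER_DAYS):
    """Map each secret ARN to its classification."""
    return {s["ARN"]: classify_secret(s, now, unused_after_days)
            for s in secret_list}


def deletion_plan(secret_list, now, unused_after_days=UNUSED_AFTER_DAYS,
                  recovery_window_days=RECOVERY_WINDOW_DAYS):
    """Return (delete commands for unused secrets, ARNs needing review).

    Nothing is executed: the commands are a review artefact for the
    stakeholder-confirmation step. Never-accessed and recent secrets are
    listed separately because they need a human decision, not a script.
    """
    verdicts = audit(secret_list, now, unused_after_days)
    commands = [
        f"aws secretsmanager delete-secret --secret-id {arn} "
        f"--recovery-window-in-days {recovery_window_days}"
        for arn, verdict in verdicts.items() if verdict == "unused"
    ]
    needs_review = sorted(arn for arn, v in verdicts.items()
                          if v in ("never-accessed", "recent"))
    return commands, needs_review


# Constructed sample in the shape of `aws secretsmanager list-secrets`
# output; the account id, ARNs and dates are made up for this example.
SAMPLE_OUTPUT = json.loads("""{
  "SecretList": [
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
     "Name": "prod/db", "CreatedDate": "2023-01-10T09:00:00+00:00",
     "LastAccessedDate": "2024-05-30T00:00:00+00:00"},
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:legacy/api-key-GhIjKl",
     "Name": "legacy/api-key", "CreatedDate": "2022-06-01T09:00:00+00:00",
     "LastAccessedDate": "2023-11-02T00:00:00+00:00"},
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:staging/new-MnOpQr",
     "Name": "staging/new", "CreatedDate": "2024-05-20T09:00:00+00:00"},
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orphan/unknown-StUvWx",
     "Name": "orphan/unknown", "CreatedDate": "2021-03-15T09:00:00+00:00"}
  ]
}""")


def main():
    # Live use: aws secretsmanager list-secrets | python3 audit_secrets.py
    live = not sys.stdin.isatty()
    data = json.load(sys.stdin) if live else SAMPLE_OUTPUT
    now = datetime.now(timezone.utc) if live else SAMPLE_NOW
    for arn, verdict in audit(data["SecretList"], now).items():
        print(f"{verdict:15} {arn}")
    commands, review = deletion_plan(data["SecretList"], now)
    print("\n# Proposed deletions (run only after stakeholder sign-off):")
    print("\n".join(commands) or "# none")
    print("\n# Needs manual review before any decision:")
    print("\n".join(review) or "# none")


if __name__ == "__main__":
    main()
```

Run it with no input to see the sample, or pipe the live CLI output into it. Never-accessed and recently created secrets are deliberately kept out of the deletion commands: a secret with no access date may be freshly provisioned or consumed by a job that runs less often than the threshold, which is exactly the false positive the Cons section warns about, and the recovery window keeps restore-secret available if a deletion still turns out to be wrong.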

Backout Plan:

Using AWS Console:

  1. If a secret is mistakenly deleted or deemed necessary after being removed, sign in to AWS Management Console.

  2. Navigate to Secrets Manager and select Recover deleted secrets.

  3. If the secret was not permanently deleted, you can restore it back to its original state.

Using AWS CLI:

  1. If a secret was deleted by mistake and you need to recover it, run the following command to recover it (if still available):

    aws secretsmanager restore-secret --secret-id <SECRET_ID> --region <REGION>

  2. Verify that the secret has been restored by describing the secret:

    aws secretsmanager describe-secret --secret-id <SECRET_ID> --region <REGION>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                           | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                          |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                      |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                               |     |     |