Profile Applicability:
- Level 1
Description:
AWS Secrets Manager enables the secure storage and management of sensitive information like database credentials, API keys, and access tokens. Regularly rotating secrets ensures that sensitive information is protected from potential exposure due to long-lived credentials. This SOP ensures that secrets stored in AWS Secrets Manager are periodically rotated according to a defined schedule, improving security by reducing the risk of credential compromise.
Rationale:
Security: Periodic rotation of secrets minimizes the risk of long-lived credentials being exposed or compromised. Even if a secret is exposed, it will be changed after the rotation period, limiting the window of potential misuse.
Compliance: Regulatory frameworks (e.g., SOC 2, HIPAA, PCI-DSS) require periodic rotation of credentials to meet security and privacy standards.
Best Practices: Regularly rotating secrets is a key part of security hygiene and a best practice to reduce the attack surface and avoid unauthorized access to sensitive systems.
Impact:
Pros:
Increased Security: Regular rotation reduces the risk of a secret being exposed for extended periods.
Compliance: Helps meet compliance standards for security credentials.
Risk Mitigation: Reduces the potential impact of a compromised secret.
Cons:
Potential Disruption: If rotation is misconfigured or if applications are not updated correctly to retrieve the new secret, it may lead to service disruptions.
Management Overhead: Setting up and maintaining secret rotation requires additional management and monitoring.
Default Value:
By default, AWS Secrets Manager does not rotate secrets unless configured to do so. A rotation schedule must be explicitly set when creating or modifying the secret.
Pre-requisite:
AWS IAM Permissions:
secretsmanager:DescribeSecret
secretsmanager:PutSecretValue
secretsmanager:GetSecretValue
secretsmanager:RotateSecret
secretsmanager:CancelRotateSecret
AWS CLI installed and configured.
Lambda function for secret rotation is configured and tested.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Secrets Manager under Services.
In the Secrets Manager Console, select Secrets.
For each secret, check the Rotation section:
Ensure that rotation is enabled, and a rotation Lambda function is associated.
Review the rotation schedule to confirm it is set to a periodic interval (e.g., every 30 days, 60 days, etc.).
If rotation is not enabled or the schedule is too long, follow the Implementation Steps to enable it.
Using AWS CLI:
To describe the Secrets Manager secret and check if rotation is enabled, run:
aws secretsmanager describe-secret --secret-id <secret-id> --query 'RotationEnabled'
If rotation is enabled, check the rotation schedule using:
aws secretsmanager describe-secret --secret-id <secret-id> --query 'RotationRules'
Review the RotationRules to confirm the interval (e.g., AutomaticallyAfterDays).
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Secrets Manager.
In the Secrets Manager Console, select the secret for which you want to enable rotation.
Under the Rotation section, click Enable rotation.
Choose a Lambda function to perform the rotation (you can either use the provided AWS Lambda functions or create a custom one).
Set a rotation schedule (e.g., every 30 days).
Save the changes to enable automatic rotation.
Using AWS CLI:
To enable rotation for a secret, use the following command:
aws secretsmanager rotate-secret \
    --secret-id <secret-id> \
    --rotation-lambda-arn <lambda-function-arn> \
    --rotation-rules AutomaticallyAfterDays=<number-of-days>
To create a Lambda function for secret rotation, you can use a pre-built Lambda function provided by AWS or create a custom one that handles rotating the secret. Refer to the documentation for creating a rotation Lambda function: AWS Lambda Secrets Manager Rotation Function.
Verify that the rotation is configured properly by running:
aws secretsmanager describe-secret --secret-id <secret-id> --query 'RotationRules'
Ensure the rotation schedule is active and that the Lambda function is executing correctly by reviewing CloudWatch Logs.
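The Test Plan and the verification step above both come down to reading describe-secret output by hand for every secret. The Python script below is an added example written for this SOP (it is not AWS code or the page's own tooling) that encodes those checks: rotation enabled, a rotation Lambda associated, an interval within a policy maximum, and, because an enabled schedule proves nothing if the Lambda is failing, a last rotation that is not overdue. The 90-day maximum and the two-interval grace period are assumptions; the secret documents are constructed samples in the shape of describe-secret output, and only the audit_live helper calls the AWS CLI.

```python
"""Evaluate AWS Secrets Manager rotation status from describe-secret output."""
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed policy threshold: flag any secret whose rotation interval is longer than this.
MAX_ROTATION_DAYS = 90


def parse_ts(value):
    """Parse LastRotatedDate as the CLI prints it (ISO 8601 string) or as an epoch number."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def interval_days(rules):
    """Return the rotation interval in days from RotationRules, or None if unknown.

    describe-secret reports the schedule either as AutomaticallyAfterDays or as a
    ScheduleExpression such as rate(30 days); cron() expressions carry no single
    interval, so they yield None and are reported for manual review.
    """
    if not rules:
        return None
    if rules.get("AutomaticallyAfterDays") is not None:
        return int(rules["AutomaticallyAfterDays"])
    expr = (rules.get("ScheduleExpression") or "").strip()
    m = re.fullmatch(r"rate\((\d+)\s+(hours?|days?)\)", expr)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        return n if unit.startswith("day") else n / 24
    return None


def assess_secret(secret, max_days=MAX_ROTATION_DAYS, now=None):
    """Return a list of findings for one describe-secret document (empty == compliant)."""
    now = now or datetime.now(timezone.utc)
    name = secret.get("Name") or secret.get("ARN", "<unknown>")
    findings = []
    if not secret.get("RotationEnabled"):
        return [f"{name}: rotation is not enabled"]
    if not secret.get("RotationLambdaARN"):
        findings.append(f"{name}: rotation enabled but no rotation Lambda is associated")
    days = interval_days(secret.get("RotationRules"))
    if days is None:
        findings.append(f"{name}: rotation interval could not be determined from RotationRules")
    elif days > max_days:
        findings.append(f"{name}: rotation interval of {days} days exceeds the {max_days}-day maximum")
    # An enabled schedule is not proof of rotation: a failing Lambda leaves the
    # secret unrotated, so also compare the last successful rotation to the interval.
    last = secret.get("LastRotatedDate")
    if days is not None and last is not None:
        overdue_after = timedelta(days=days) * 2  # assumed grace period of two intervals
        if now - parse_ts(last) > overdue_after:
            findings.append(f"{name}: last rotation on {parse_ts(last).date()} is overdue; "
                            "check the rotation Lambda's CloudWatch Logs")
    return findings


def audit(secrets, max_days=MAX_ROTATION_DAYS, now=None):
    """Map secret name -> findings for a list of describe-secret documents."""
    return {s.get("Name") or s.get("ARN"): assess_secret(s, max_days, now) for s in secrets}


def audit_live(region=None, max_days=MAX_ROTATION_DAYS):
    """Run the SOP's describe-secret check across the account (needs the AWS CLI and credentials)."""
    base = ["aws", "secretsmanager"] + (["--region", region] if region else [])
    listed = json.loads(subprocess.check_output(base + ["list-secrets", "--output", "json"]))
    docs = [json.loads(subprocess.check_output(
                base + ["describe-secret", "--secret-id", s["ARN"], "--output", "json"]))
            for s in listed["SecretList"]]
    return audit(docs, max_days)


# Constructed sample documents in the shape of describe-secret output; names, ARNs and
# dates are made up. NOW is pinned so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LAMBDA = "arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRotation"
SAMPLE_SECRETS = [
    {"Name": "prod/db/master", "RotationEnabled": True, "RotationLambdaARN": LAMBDA,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": "2024-05-22T03:14:07.000000+00:00"},          # rotated 10 days ago
    {"Name": "dev/api-key", "RotationEnabled": False},                  # never configured
    {"Name": "prod/cache/token", "RotationEnabled": True, "RotationLambdaARN": LAMBDA,
     "RotationRules": {"ScheduleExpression": "rate(180 days)"},
     "LastRotatedDate": "2024-04-01T00:00:00+00:00"},                   # interval too long
    {"Name": "prod/db/replica", "RotationEnabled": True, "RotationLambdaARN": LAMBDA,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": "2024-02-02T00:00:00+00:00"},                   # Lambda stalled: 120 days
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SECRETS, now=NOW).items():
        print(name, "-> OK" if not findings else "-> " + "; ".join(findings))
```

Run as a script it reports on the constructed samples; call audit_live() from an environment with the AWS CLI configured to apply the same checks to real describe-secret output. The overdue check is the part the Test Plan cannot do from the Rotation section alone and is the quickest way to spot the disruption case in Cons, where rotation is enabled but the Lambda is no longer completing.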
Backout Plan:
Using AWS Console:
If enabling periodic rotation causes issues, sign in to the AWS Management Console.
Navigate to AWS Secrets Manager, select the secret, and go to Edit rotation.
Disable rotation and save the changes.
Ensure that no rotation policy is applied to the secret.
Using AWS CLI:
To disable periodic rotation, cancel the rotation schedule with the following command (the secret's current value is left unchanged):
aws secretsmanager cancel-rotate-secret --secret-id <SECRET_ID> --region <REGION>
Verify that rotation is now disabled by describing the secret and confirming that RotationEnabled is false:
aws secretsmanager describe-secret --secret-id <SECRET_ID> --region <REGION> --query 'RotationEnabled'