Ensure that AWS Secret Manager Secret rotation is enabled

AWS Secret Manager is a service to store, retrieve and manage secrets throughout its lifecycle. This services can store, retrieve, rotate, encrypt and monitor the use of secrets. This service will remove the need for developers to on-goingly worry about manual periodic secret rotation in all their sensitive AWS environments. They would be able to simply point their application code to this service to use secrets in the secret manager and let AWS take care of rotation.

Risk Level: Low
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.AWS.CRY.48
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

SecretManager should have rotationEnabled=true

REMEDIATION

From Portal

  1. Sign in to AWS Management Console.
  2. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/
  3. On the Secrets page, choose your secret.
  4. On the Secret details page, in the Rotation configuration section, choose Edit rotation. In the Edit rotation configuration dialog box, do the following:
  5. In the Edit rotation configuration dialog box, do the following:
    a. Turn on Automatic rotation..
    b. Under Rotation schedule, enter your schedule in UTC time zone in either the Schedule expression builder or as a Schedule expression.
    c. Under Rotation function, choose Create function. The Lambda console opens in a new window.
    d. Switch back to the Secrets Manager console to attach the new rotation function to your secret.
    e. For Lambda rotation function, choose the refresh button. Then in the list of functions, choose your new function.
    f. Choose Save.

From TF

resource "aws_secretsmanager_secret" "rotation-example" {
	rotation_rules {
		-   rotation_enabled = false
		+   rotation_enabled = true
	}
}

Note: using value as true under rotation_enabled arguement enables secret rotation.

From Command Line
Perform the following CLI command to set rotation for a secret:

aws secretsmanager rotate-secret --secret-id value --rotation-lambda-arn value --rotation-rules AutomaticallyAfterDays=value

Note: Use the ARN of the Lambda rotation function for secrets that use a Lambda rotation function to rotate.
AutomaticallyAfterDays parameter value describe the number of days between rotations of the secret.

References

  1. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
  2. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html
  3. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_now.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#rotation_enabled
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/rotate-secret.html

Amazon Secrets Manager

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset