Ensure that the AWS Secrets Manager secret rotation interval is 30 days or less

Secrets Manager lets you replace hardcoded credentials in your code, including passwords, with an API call that retrieves the secret programmatically. Because the secret no longer lives in the code, it cannot be recovered by someone reading the source. Secrets Manager can also rotate the secret automatically on a schedule you specify, so long-lived credentials become short-lived ones and the window in which a leaked credential remains useful shrinks. The rotation interval (rotationRules.automaticallyAfterDays) is the number of days after the previous rotation at which Secrets Manager triggers the next one; a manual rotation resets that countdown. This rule requires the interval to be 30 days or less. Note that a secret with automatic rotation disabled has no rotation interval at all; enabling rotation is the first step of the remediation below.

Risk Level: Low
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.AWS.CRY.49
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

SecretManager should have rotationRules.automaticallyAfterDays<=30
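As an added example, not part of the CloudGuard rule or of AWS tooling, the following Python applies the same check to records shaped like the JSON that `aws secretsmanager describe-secret` returns for each secret. The sample records are constructed for illustration; the field names (RotationEnabled, RotationRules.AutomaticallyAfterDays, ScheduleExpression) follow the Secrets Manager API. It goes slightly beyond the one-line GSL rule by also handling the cases it leaves implicit: secrets with rotation disabled (no interval at all), and secrets whose schedule is expressed as a rate() or cron() expression instead of a day count.

```python
"""Audit Secrets Manager rotation settings against the 30-day rule.

Added example (not CloudGuard or AWS code). Evaluates records shaped like
`aws secretsmanager describe-secret` output; SAMPLE_SECRETS below is
constructed for illustration, not taken from a real account.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAX_INTERVAL_DAYS = 30  # threshold from the GSL rule

# Constructed sample data shaped like describe-secret responses.
SAMPLE_SECRETS = [
    {"Name": "prod/db/master", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30}},
    {"Name": "prod/api/vendor-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 90}},
    {"Name": "staging/db/app-user", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(14 days)", "Duration": "2h"}},
    {"Name": "legacy/ftp/password", "RotationEnabled": False},
    {"Name": "prod/batch/token", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "cron(0 8 1 * ? *)"}},
]

# rate(N hours|days) is the only schedule form converted automatically.
RATE_RE = re.compile(r"^rate\((\d+)\s+(hour|hours|day|days)\)$")


@dataclass
class Finding:
    name: str
    compliant: Optional[bool]  # None = cannot be decided automatically
    reason: str


def interval_days(rules: dict) -> Optional[float]:
    """Return the rotation interval in days, or None if it cannot be derived.

    Prefers AutomaticallyAfterDays; otherwise converts a rate() schedule
    expression. cron() expressions are left for manual review.
    """
    days = rules.get("AutomaticallyAfterDays")
    if days is not None:
        return float(days)
    m = RATE_RE.match(rules.get("ScheduleExpression", "").strip())
    if m:
        n, unit = int(m.group(1)), m.group(2)
        return n / 24 if unit.startswith("hour") else float(n)
    return None


def evaluate(secret: dict, max_days: int = MAX_INTERVAL_DAYS) -> Finding:
    """Apply 'rotationRules.automaticallyAfterDays <= max_days' to one secret."""
    name = secret.get("Name", secret.get("ARN", "<unknown>"))
    if not secret.get("RotationEnabled") or "RotationRules" not in secret:
        return Finding(name, False, "automatic rotation is disabled")
    days = interval_days(secret["RotationRules"])
    if days is None:
        return Finding(name, None, "cron() schedule; check interval manually")
    if days > max_days:
        return Finding(name, False, f"interval {days:g} days exceeds {max_days}")
    return Finding(name, True, f"interval {days:g} days")


def audit(secrets: list) -> list:
    return [evaluate(s) for s in secrets]


def non_compliant_names(secrets: list) -> list:
    """Names of secrets that definitely fail the rule (REVIEW cases excluded)."""
    return [f.name for f in audit(secrets) if f.compliant is False]


if __name__ == "__main__":
    for f in audit(SAMPLE_SECRETS):
        status = {True: "PASS", False: "FAIL", None: "REVIEW"}[f.compliant]
        print(f"{status:6} {f.name}: {f.reason}")
```

In a real account you would feed `audit()` the records from `aws secretsmanager list-secrets` (which includes RotationEnabled and RotationRules per secret) and treat REVIEW findings as a queue for a human, since a cron() schedule can fire less often than its expression suggests.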

REMEDIATION

From console
To change the rotation interval of a secret:

  1. Sign in to the AWS Secrets Manager console - https://console.aws.amazon.com/secretsmanager/
  2. Choose the name of the secret whose rotation you want to configure.
  3. On the secret details page, in the Rotation configuration section, choose Edit rotation.
  4. On the Edit rotation configuration page, choose Enable automatic rotation.
  5. For Select rotation interval, choose an interval of 30 days or less.
  6. Choose a rotation Lambda function from the list.
  7. Under Select which secret will be used to perform the rotation, choose Use a secret that I have previously stored in AWS Secrets Manager.
  8. In the list of secrets that appears, choose the name of your secret.
  9. Choose Save.

From Command Line

aws secretsmanager rotate-secret --secret-id SECRET-ID --rotation-rules AutomaticallyAfterDays=DAYS

where DAYS is 30 or less. Note that rotate-secret requires a rotation Lambda function to be associated with the secret already (or passed with --rotation-lambda-arn), and that it starts a rotation immediately unless you add --no-rotate-immediately, so run it at a time when an immediate credential change is acceptable.

From CFT
In your CloudFormation template, add an AWS::SecretsManager::RotationSchedule resource for the secret and set the RotationRules property AutomaticallyAfterDays (an integer) to 30 or less.
See below example:

  MySecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      # ... SecretId and RotationLambdaARN (or HostedRotationLambda) ...
      RotationRules:
        AutomaticallyAfterDays: 30

From TF

resource "aws_secretsmanager_secret" "rotation-example" {
	rotation_rules {
		-   automatically_after_days = 31
		+   automatically_after_days = 30
	}
}
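Review bot: rotation_rules is set directly on aws_secretsmanager_secret here, but in the Terraform AWS provider 4.0 and later that argument (together with rotation_lambda_arn) no longer exists on that resource; rotation is configured on a separate aws_secretsmanager_secret_rotation resource with secret_id, rotation_lambda_arn and a rotation_rules block containing automatically_after_days = 30. With a current provider the snippet as written fails validation, so the page should either pin the provider version it targets or show the aws_secretsmanager_secret_rotation form.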

References

  1. https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
  2. https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/rotate-secret.html
  4. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-rotationschedule-rotationrules.html

Amazon Secrets Manager

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset