Ensure that the AWS Secrets Manager secret rotation interval is smaller than 30 days

AWS Secrets Manager automatically triggers a rotation the configured number of days after the previous rotation. If you rotate the secret manually, the interval restarts from that point. Best practice is to configure automatic rotation so that a secret is never left unrotated for more than 30 days.

Risk Level: Low
Cloud Entity: Amazon Secrets Manager
CloudGuard Rule ID: D9.TF.AWS.CRY.49
Covered by Spectral: No
Category: Security, Identity, & Compliance


aws_secretsmanager_secret_rotation should have rotation_rules.automatically_after_days<=30
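The rule above can be evaluated locally against the JSON form of a Terraform plan (`terraform show -json tfplan`). The checker below is an added example, not CloudGuard's or Spectral's own code; it walks every module in a constructed sample plan, flags any aws_secretsmanager_secret_rotation resource whose rotation_rules.automatically_after_days exceeds 30 or is absent, and marks resources that use the provider's schedule_expression form for manual review, since a cron or rate expression cannot be compared numerically.

```python
"""Evaluate Terraform plan JSON against CloudGuard rule D9.TF.AWS.CRY.49:
aws_secretsmanager_secret_rotation should have rotation_rules.automatically_after_days <= 30.
"""
import json

MAX_DAYS = 30
ROTATION_TYPE = "aws_secretsmanager_secret_rotation"

# Constructed, abbreviated stand-in for `terraform show -json tfplan` output.
# Nested blocks such as rotation_rules appear as lists in plan JSON.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_secretsmanager_secret_rotation.db", "type": ROTATION_TYPE,
     "values": {"rotation_rules": [{"automatically_after_days": 30}]}},   # compliant
    {"address": "aws_secretsmanager_secret_rotation.api", "type": ROTATION_TYPE,
     "values": {"rotation_rules": [{"automatically_after_days": 90}]}},   # too long
    {"address": "aws_secretsmanager_secret_rotation.cron", "type": ROTATION_TYPE,
     "values": {"rotation_rules": [{"schedule_expression": "rate(10 days)"}]}},
    {"address": "aws_secretsmanager_secret.db", "type": "aws_secretsmanager_secret",
     "values": {}},                                                        # ignored
]}}})


def iter_resources(module):
    """Yield resources from a plan module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_rotation(values):
    """Return (status, detail) for one aws_secretsmanager_secret_rotation resource."""
    rules = values.get("rotation_rules") or [{}]
    rule = rules[0]
    days = rule.get("automatically_after_days")
    if days is None:
        expr = rule.get("schedule_expression")
        if expr:
            return "review", f"schedule_expression {expr!r}: confirm it rotates within {MAX_DAYS} days"
        return "fail", "no rotation interval configured"
    if days > MAX_DAYS:
        return "fail", f"automatically_after_days={days} exceeds {MAX_DAYS}"
    return "pass", f"automatically_after_days={days}"


def check_plan(plan_json):
    """Map each rotation resource address in the plan to its (status, detail)."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return {r["address"]: evaluate_rotation(r.get("values", {}))
            for r in iter_resources(root) if r.get("type") == ROTATION_TYPE}


if __name__ == "__main__":
    for address, (status, detail) in check_plan(SAMPLE_PLAN).items():
        print(f"{status.upper():6} {address}: {detail}")
```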


Perform the following actions in order to change a secret rotation rule:

  1. Sign in to the AWS Secrets Manager Dashboard - https://console.aws.amazon.com/secretsmanager/
  2. Choose the name of the secret for which to enable rotation.
  3. On the secret details page, in the Rotation configuration section, choose Edit rotation.
  4. On the Edit rotation configuration page, choose Enable automatic rotation.
  5. For Select rotation interval, choose 30 days.
  6. Choose a Lambda function from the list.
  7. Under Select which secret will be used to perform the rotation, choose Use a secret that I have previously stored in AWS Secrets Manager.
  8. In the list of secrets that appears, choose the name of your secret.
  9. Choose Save.

From CLI
aws secretsmanager rotate-secret --secret-id <value> --rotation-rules AutomaticallyAfterDays=<val less than 30>

Reference: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/rotate-secret.html

Amazon Secrets Manager

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure, audit, and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

Compliance Frameworks

  • Terraform AWS CIS Foundations