Secret Manager Secrets Rotation Enabled

More Info:

Ensure that AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable automatic rotation feature for your secrets). Secrets Manager rotation is the automatic process that periodically change your secrets data to make it more difficult for an attacker to access the services and resources secured with these secrets. With Amazon Secrets Manager you don’t have to manually change the secret and update it on all of your clients. Instead, the Secrets Manager service uses an AWS Lambda function to perform for you all of the steps required for rotation, on a regular schedule (predefined or custom).

Risk Level

Medium

Address

Security

Compliance Standards

ISO27001, AWSWAF, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

The AWS Secret Manager is a service that enables you to store and manage secrets such as database credentials, API keys, and other sensitive data. One of the key features of Secret Manager is the ability to rotate secrets automatically, which helps to prevent unauthorized access to sensitive data.If the misconfiguration is “Secret Manager Secrets Rotation Enabled”, it means that secrets rotation is not enabled for the AWS Secret Manager. To remediate this misconfiguration, you can follow these steps using the AWS CLI:Step 1: List all the secrets in the Secret Manager

aws secretsmanager list-secrets

Step 2: Enable rotation for each secret

aws secretsmanager rotate-secret --secret-id <SECRET_ID> --rotation-rules '{"AutomaticallyAfterDays": 30}'

Note: Replace <SECRET_ID> with the actual ID of the secret.Step 3: Verify that rotation is enabled for the secret

aws secretsmanager describe-secret --secret-id <SECRET_ID>

This command should return the details of the secret, including the rotation configuration.Step 4: Repeat steps 2 and 3 for all the secrets in the Secret ManagerEnabling secret rotation is an important security best practice, and it helps to ensure that sensitive data is protected from unauthorized access.

Using Python

To remediate the “Secrets Manager Secrets Rotation Enabled” misconfiguration in AWS using Python, follow these steps:

Open the AWS Management Console and navigate to the AWS Secrets Manager service.
Identify the secret(s) that have rotation enabled and note their ARN(s).
Use the AWS SDK for Python (Boto3) to disable rotation for each identified secret. Here’s an example code snippet:

import boto3

# Replace <SECRET_ARN> with the ARN of the secret to remediate
secret_arn = '<SECRET_ARN>'

# Create a Secrets Manager client
client = boto3.client('secretsmanager')

# Disable rotation for the secret
response = client.update_secret(
    SecretId=secret_arn,
    RotationLambdaARN='',
    RotationRules={
        'AutomaticallyAfterDays': None
    }
)

print(response)

Repeat step 3 for each identified secret with rotation enabled.
Verify that rotation is now disabled for each secret by checking their configuration in the AWS Management Console or using the Boto3 SDK.

Note: Disabling rotation for a secret means that it will no longer automatically rotate its credentials. You may need to manually rotate the credentials periodically to maintain security.

Additional Reading:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Secret Manager Secrets Rotation Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: