> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret Manager Secrets Rotation Enabled

### More Info:

Ensure that AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable automatic rotation feature for your secrets). Secrets Manager rotation is the automatic process that periodically change your secrets data to make it more difficult for an attacker to access the services and resources secured with these secrets. With Amazon Secrets Manager you don't have to manually change the secret and update it on all of your clients. Instead, the Secrets Manager service uses an AWS Lambda function to perform for you all of the steps required for rotation, on a regular schedule (predefined or custom).

### Risk Level

Medium

### Address

Security

### Compliance Standards

ISO27001, AWSWAF, SOC2, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the "Secret Manager Secrets Rotation Enabled" misconfiguration for AWS using the AWS console, please follow these steps:

        1. Log in to the AWS Management Console.
        2. Navigate to the AWS Secrets Manager service from the Services menu.
        3. Select the secret for which you want to disable rotation.
        4. Click on the "Disable rotation" button in the "Rotation configuration" section.
        5. In the confirmation dialog box, click on the "Disable rotation" button to confirm the action.

        Once you have completed these steps, the secret will no longer be set to rotate automatically, and you will need to manually rotate the secret when necessary.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The AWS Secret Manager is a service that enables you to store and manage secrets such as database credentials, API keys, and other sensitive data. One of the key features of Secret Manager is the ability to rotate secrets automatically, which helps to prevent unauthorized access to sensitive data.

        If the misconfiguration is "Secret Manager Secrets Rotation Enabled", it means that secrets rotation is not enabled for the AWS Secret Manager. To remediate this misconfiguration, you can follow these steps using the AWS CLI:

        Step 1: List all the secrets in the Secret Manager

        ```
        aws secretsmanager list-secrets
        ```

        Step 2: Enable rotation for each secret

        ```
        aws secretsmanager rotate-secret --secret-id <SECRET_ID> --rotation-rules '{"AutomaticallyAfterDays": 30}'
        ```

        Note: Replace `<SECRET_ID>` with the actual ID of the secret.

        Step 3: Verify that rotation is enabled for the secret

        ```
        aws secretsmanager describe-secret --secret-id <SECRET_ID>
        ```

        This command should return the details of the secret, including the rotation configuration.

        Step 4: Repeat steps 2 and 3 for all the secrets in the Secret Manager

        Enabling secret rotation is an important security best practice, and it helps to ensure that sensitive data is protected from unauthorized access.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the "Secrets Manager Secrets Rotation Enabled" misconfiguration in AWS using Python, follow these steps:

        1. Open the AWS Management Console and navigate to the AWS Secrets Manager service.

        2. Identify the secret(s) that have rotation enabled and note their ARN(s).

        3. Use the AWS SDK for Python (Boto3) to disable rotation for each identified secret. Here's an example code snippet:

        ```python theme={null}
        import boto3

        # Replace <SECRET_ARN> with the ARN of the secret to remediate
        secret_arn = '<SECRET_ARN>'

        # Create a Secrets Manager client
        client = boto3.client('secretsmanager')

        # Disable rotation for the secret
        response = client.update_secret(
            SecretId=secret_arn,
            RotationLambdaARN='',
            RotationRules={
                'AutomaticallyAfterDays': None
            }
        )

        print(response)
        ```

        4. Repeat step 3 for each identified secret with rotation enabled.

        5. Verify that rotation is now disabled for each secret by checking their configuration in the AWS Management Console or using the Boto3 SDK.

        Note: Disabling rotation for a secret means that it will no longer automatically rotate its credentials. You may need to manually rotate the credentials periodically to maintain security.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)
