Secrets Manager Secrets Should Be Rotated Frequently

More Info:

Ensure that the rotation interval for your AWS Secrets Manager secrets is configured to meet security and compliance requirements. Prior to running this rule by the Cloud Conformity engine, the rotation interval (in days) must be configured in the rule settings, on your Cloud Conformity account dashboard. Amazon Secrets Manager rotation feature represents the automatic process that periodically change your secrets information to make it more difficult for attackers to access the services and resources secured with these secrets.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, PCIDSS, ISO27001

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of Secrets Manager Secrets not being rotated frequently in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to list all the secrets available in the Secrets Manager service:

aws secretsmanager list-secrets

Identify the secret that needs to be rotated frequently.
Run the following command to rotate the secret:

aws secretsmanager rotate-secret --secret-id <secret-id>

Note: Replace <secret-id> with the ID of the secret that needs to be rotated.

After running the above command, the Secrets Manager service will create a new version of the secret and update the old version with a new password or other credentials.
Update the applications or services that use the secret with the new credentials.
Delete the old version of the secret using the following command:

aws secretsmanager delete-secret --secret-id <secret-id> --force-delete-without-recovery

Note: Replace <secret-id> with the ID of the old version of the secret.

Repeat the above steps periodically to ensure that secrets are rotated frequently. It is recommended to set up automated rotation using AWS Lambda or other automation tools.

Using Python

To remediate the issue of Secrets Manager Secrets not being rotated frequently in AWS, you can use the following steps using Python:

Import the Boto3 library for AWS:

import boto3

Create an AWS Secrets Manager client:

client = boto3.client('secretsmanager')

Get a list of all secrets in AWS Secrets Manager:

secrets = client.list_secrets()

Loop through the list of secrets and check if each secret has been rotated within the last 30 days:

for secret in secrets['SecretList']:
    if 'RotationRules' in secret:
        rotation_days = secret['RotationRules']['AutomaticallyAfterDays']
        last_rotated_date = secret['LastRotatedDate']
        if (datetime.now() - last_rotated_date).days > rotation_days:
            # Secret has not been rotated within the last 30 days
            # Code to rotate the secret goes here

If a secret has not been rotated within the last 30 days, use the rotate_secret function to rotate the secret:

client.rotate_secret(SecretId=secret['ARN'])

Add logging and error handling to the script as needed.
Schedule the script to run on a regular basis (e.g. daily) using AWS Lambda or a cron job.

By following these steps, you can ensure that all secrets in AWS Secrets Manager are rotated frequently, which helps to improve the security of your AWS environment.

Additional Reading:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Secrets Manager Secrets Should Be Rotated Frequently

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: