More Info:

Ensure that the AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable the automatic rotation feature for your secrets). Secrets Manager rotation is the automatic process that periodically changes your secret data, which limits how long a leaked or stolen credential remains usable and makes it more difficult for an attacker to access the services and resources secured with these secrets. With AWS Secrets Manager you don’t have to manually change the secret and update it on all of your clients. Instead, the Secrets Manager service uses an AWS Lambda function to perform all of the rotation steps for you, on a regular schedule (predefined or custom).

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS

Remediation

How to enable secret rotation in Secrets Manager

Using AWS Console

  1. Open the AWS Management Console and navigate to the Secrets Manager service.
  2. Select the secret you want to enable rotation for and click on the “Edit rotation” button. (In the Cloudanix Console, navigate to the “Misconfig” page and look for Affected Assets for the “Secret Manager Secrets Rotation Enabled” Policy.)
  3. Select the “Enable automatic rotation” option and choose the rotation frequency.
  4. Choose the Lambda function that will be used to rotate the secret. You can either choose an existing function or create a new one.
  5. Provide the necessary permissions to the Lambda function to access the secret and rotate it.
  6. Configure the rotation settings such as the number of days before the rotation starts and the number of days before the old secret is deleted.
  7. Review and confirm the rotation settings and click on the “Save” button.
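The console steps above enable rotation one secret at a time. To audit an account for the same misconfiguration in bulk, the check below reads the JSON shape returned by `aws secretsmanager list-secrets`, flags secrets that have rotation disabled, rotate too rarely, or appear to have stopped rotating, and prints the `aws secretsmanager rotate-secret` command that performs the equivalent of steps 3 to 7 for each finding. This is an added example, not Cloudanix's or AWS's own code; the sample response, account id, ARNs and Lambda function name are constructed placeholders, and the 90-day maximum interval is an assumed policy threshold, not a value from this page.

```python
"""Audit AWS Secrets Manager secrets for automatic rotation (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws secretsmanager list-secrets` output.
# Account id, ARNs and Lambda name are placeholders, not real resources.
SAMPLE_LIST_SECRETS = json.dumps({"SecretList": [
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
     "Name": "prod/db", "RotationEnabled": True,
     "RotationLambdaARN": "arn:aws:lambda:us-east-1:111122223333:function:SecretsManagerRotation",
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": 1700000000.0},                      # 2023-11-14, within schedule
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api-key-GhIjKl",
     "Name": "prod/api-key", "RotationEnabled": False},     # the misconfiguration this page covers
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:staging/db-MnOpQr",
     "Name": "staging/db", "RotationEnabled": True,
     "RotationLambdaARN": "arn:aws:lambda:us-east-1:111122223333:function:SecretsManagerRotation",
     "RotationRules": {"AutomaticallyAfterDays": 365},
     "LastRotatedDate": 1700000000.0},                      # enabled, but interval too long
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:legacy/app-creds-StUvWx",
     "Name": "legacy/app-creds", "RotationEnabled": True,
     "RotationLambdaARN": "arn:aws:lambda:us-east-1:111122223333:function:SecretsManagerRotation",
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": 1690000000.0},                      # 2023-07-22, rotation silently failing
    {"ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:shared/token-YzAbCd",
     "Name": "shared/token", "RotationEnabled": True,
     "RotationLambdaARN": "arn:aws:lambda:us-east-1:111122223333:function:SecretsManagerRotation",
     "RotationRules": {"ScheduleExpression": "rate(4 hours)"}},  # custom schedule, no day count
]})

MAX_ROTATION_DAYS = 90   # assumed policy threshold for this example
GRACE_DAYS = 7           # slack allowed past the scheduled interval before calling it overdue
AUDIT_NOW = datetime(2023, 11, 30, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def audit_secrets(list_secrets_json, max_days=MAX_ROTATION_DAYS, now=None):
    """Return (secret name, reason) findings for every secret failing the rotation policy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for secret in json.loads(list_secrets_json)["SecretList"]:
        name = secret["Name"]
        if not secret.get("RotationEnabled"):
            findings.append((name, "automatic rotation disabled"))
            continue
        rules = secret.get("RotationRules", {})
        days = rules.get("AutomaticallyAfterDays")
        if days is None:
            # rate()/cron() schedules carry no day count; flag for manual review instead of guessing
            expr = rules.get("ScheduleExpression", "<none>")
            findings.append((name, f"custom schedule {expr!r}; verify interval <= {max_days} days"))
            continue
        if days > max_days:
            findings.append((name, f"rotation interval {days} days exceeds {max_days}"))
            continue
        last = secret.get("LastRotatedDate")
        if last is not None:
            age = now - datetime.fromtimestamp(last, timezone.utc)
            if age > timedelta(days=days + GRACE_DAYS):
                # enabled on paper but not happening: the rotation Lambda is failing or lacks permissions
                findings.append((name, f"rotation enabled but last rotation {age.days} days ago; "
                                       "check the rotation Lambda's logs and permissions"))
    return findings


def remediation_command(secret_id, lambda_arn, days=30):
    """Build the AWS CLI call that enables rotation (same effect as console steps 3 to 7)."""
    return ("aws secretsmanager rotate-secret "
            f"--secret-id {secret_id} "
            f"--rotation-lambda-arn {lambda_arn} "
            f"--rotation-rules AutomaticallyAfterDays={days}")


def audit_sample():
    """Run the audit over the constructed sample with the fixed audit date."""
    return audit_secrets(SAMPLE_LIST_SECRETS, now=AUDIT_NOW)


if __name__ == "__main__":
    lambda_arn = "arn:aws:lambda:us-east-1:111122223333:function:SecretsManagerRotation"  # placeholder
    for name, reason in audit_sample():
        print(f"FAIL {name}: {reason}")
        print("  remediate:", remediation_command(name, lambda_arn))
```

Against a real account, pipe `aws secretsmanager list-secrets --output json` into `audit_secrets` instead of the sample. The "overdue" branch is the one worth keeping in a scheduled check: a secret can show `RotationEnabled: true` in the console while every rotation attempt fails because the Lambda lacks the permissions from step 5, and only `LastRotatedDate` reveals that.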

Additional Reading: