More Info:

Ensure that the rotation interval for your AWS Secrets Manager secrets is configured to meet security and compliance requirements. Prior to running this rule by the Cloud Conformity engine, the rotation interval (in days) must be configured in the rule settings, on your Cloud Conformity account dashboard. Amazon Secrets Manager rotation feature represents the automatic process that periodically change your secrets information to make it more difficult for attackers to access the services and resources secured with these secrets.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, PCIDSS, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the issue of Secrets Manager secrets not being rotated frequently in AWS using the AWS console, follow these steps:
  1. Open the AWS Secrets Manager console.
  2. Select the secret that needs to be rotated.
  3. Click on the “Rotation” tab.
  4. Click on the “Edit rotation” button.
  5. In the “Configure rotation” section, select the rotation frequency and the number of days to keep the previous version of the secret.
  6. Click on the “Enable rotation” checkbox.
  7. Choose the Lambda function or AWS Secrets Manager to rotate the secret.
  8. Click on the “Save changes” button.
By following these steps, the Secrets Manager secret will be automatically rotated according to the selected frequency, and the previous versions of the secret will be kept for the specified number of days.

To remediate the misconfiguration of Secrets Manager Secrets not being rotated frequently in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the secrets available in the Secrets Manager service: 
aws secretsmanager list-secrets
  1. Identify the secret that needs to be rotated frequently.
  2. Run the following command to rotate the secret: 
aws secretsmanager rotate-secret --secret-id <secret-id>
Note: Replace <secret-id> with the ID of the secret that needs to be rotated.
  1. After running the above command, the Secrets Manager service will create a new version of the secret and update the old version with a new password or other credentials.
  2. Update the applications or services that use the secret with the new credentials.
  3. Delete the old version of the secret using the following command: 
aws secretsmanager delete-secret --secret-id <secret-id> --force-delete-without-recovery
Note: Replace <secret-id> with the ID of the old version of the secret.
  1. Repeat the above steps periodically to ensure that secrets are rotated frequently. It is recommended to set up automated rotation using AWS Lambda or other automation tools.
To remediate the issue of Secrets Manager Secrets not being rotated frequently in AWS, you can use the following steps using Python:
  1. Import the Boto3 library for AWS:
import boto3
  1. Create an AWS Secrets Manager client:
client = boto3.client('secretsmanager')
  1. Get a list of all secrets in AWS Secrets Manager:
secrets = client.list_secrets()
  1. Loop through the list of secrets and check if each secret has been rotated within the last 30 days:
for secret in secrets['SecretList']:
    if 'RotationRules' in secret:
        rotation_days = secret['RotationRules']['AutomaticallyAfterDays']
        last_rotated_date = secret['LastRotatedDate']
        if (datetime.now() - last_rotated_date).days > rotation_days:
            # Secret has not been rotated within the last 30 days
            # Code to rotate the secret goes here
  1. If a secret has not been rotated within the last 30 days, use the rotate_secret function to rotate the secret:
client.rotate_secret(SecretId=secret['ARN'])
  1. Add logging and error handling to the script as needed.
  2. Schedule the script to run on a regular basis (e.g. daily) using AWS Lambda or a cron job.
By following these steps, you can ensure that all secrets in AWS Secrets Manager are rotated frequently, which helps to improve the security of your AWS environment.

Additional Reading: