Secret rotation remediation

Using Console

Using CLI

The AWS Secret Manager is a service that enables you to store and manage secrets such as database credentials, API keys, and other sensitive data. One of the key features of Secret Manager is the ability to rotate secrets automatically, which helps to prevent unauthorized access to sensitive data.If the misconfiguration is “Secret Manager Secrets Rotation Enabled”, it means that secrets rotation is not enabled for the AWS Secret Manager. To remediate this misconfiguration, you can follow these steps using the AWS CLI:Step 1: List all the secrets in the Secret Manager

aws secretsmanager list-secrets

Step 2: Enable rotation for each secret

aws secretsmanager rotate-secret --secret-id <SECRET_ID> --rotation-rules '{"AutomaticallyAfterDays": 30}'

Note: Replace <SECRET_ID> with the actual ID of the secret.Step 3: Verify that rotation is enabled for the secret

aws secretsmanager describe-secret --secret-id <SECRET_ID>

This command should return the details of the secret, including the rotation configuration.Step 4: Repeat steps 2 and 3 for all the secrets in the Secret ManagerEnabling secret rotation is an important security best practice, and it helps to ensure that sensitive data is protected from unauthorized access.

Using Python

To remediate the “Secrets Manager Secrets Rotation Enabled” misconfiguration in AWS using Python, follow these steps:

Open the AWS Management Console and navigate to the AWS Secrets Manager service.
Identify the secret(s) that have rotation enabled and note their ARN(s).
Use the AWS SDK for Python (Boto3) to disable rotation for each identified secret. Here’s an example code snippet:

import boto3

# Replace <SECRET_ARN> with the ARN of the secret to remediate
secret_arn = '<SECRET_ARN>'

# Create a Secrets Manager client
client = boto3.client('secretsmanager')

# Disable rotation for the secret
response = client.update_secret(
    SecretId=secret_arn,
    RotationLambdaARN='',
    RotationRules={
        'AutomaticallyAfterDays': None
    }
)

print(response)

Repeat step 3 for each identified secret with rotation enabled.
Verify that rotation is now disabled for each secret by checking their configuration in the AWS Management Console or using the Boto3 SDK.

Note: Disabling rotation for a secret means that it will no longer automatically rotate its credentials. You may need to manually rotate the credentials periodically to maintain security.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Secret rotation remediation

Triage and Remediation

Remediation