Secrets Manager Should Be In Use
More Info:
Ensure that Amazon Secrets Manager service is used in your AWS account to manage access credentials (i.e. secrets) such as API keys, OAuth tokens and database credentials. For example, you can use AWS Secrets Manager to handle database credentials to meet security and compliance requirements in your organization. Secrets Manager provides built-in integrations for MySQL, PostgreSQL and Aurora on Amazon Relational Database Service (RDS), and can rotate, manage and retrieve credentials for these database types natively.
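The check described above boils down to "does the account hold any Secrets Manager secrets at all?", with rotation status as the obvious follow-up question. The following Python is an added example written for this page (not the audit tool's own code and not AWS code): it evaluates a `ListSecrets` response in the shape boto3 returns it, and includes a paginated collector so accounts with more than one page of secrets are not misjudged. The ARNs, names and the `FakeSecretsManagerClient` stand-in are constructed for offline use; feed `list_all_secrets(boto3.client("secretsmanager"))` to the evaluator for a live account.

```python
"""Evaluate the "Secrets Manager Should Be In Use" check against a ListSecrets response.

Assumptions: the response shape is the one boto3's list_secrets returns (a 'SecretList'
of dicts carrying Name, ARN, RotationEnabled, ...). All sample data is constructed.
"""

# Constructed sample responses, not real accounts or ARNs.
EMPTY_ACCOUNT = {"SecretList": []}

ACCOUNT_WITH_SECRETS = {
    "SecretList": [
        {
            "Name": "prod/db/credentials",
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/credentials-AbCdEf",
            "RotationEnabled": True,
        },
        {
            "Name": "prod/api/key",
            "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api/key-GhIjKl",
            "RotationEnabled": False,
        },
    ]
}


def evaluate_secrets_manager_usage(response):
    """Return a finding dict: FAIL when the account holds no secrets (the check on this
    page), PASS otherwise, plus the names of secrets with rotation disabled so the
    reviewer can follow up on them."""
    secrets = response.get("SecretList") or []
    if not secrets:
        return {
            "status": "FAIL",
            "secret_count": 0,
            "unrotated": [],
            "message": "No secrets stored in Secrets Manager; credentials are likely kept elsewhere.",
        }
    unrotated = [s.get("Name", "<unnamed>") for s in secrets if not s.get("RotationEnabled", False)]
    return {
        "status": "PASS",
        "secret_count": len(secrets),
        "unrotated": unrotated,
        "message": f"{len(secrets)} secret(s) managed; {len(unrotated)} without rotation.",
    }


def list_all_secrets(client):
    """Collect every secret through the list_secrets paginator. Pass
    boto3.client('secretsmanager') for a live account, or the fake below offline."""
    collected = []
    for page in client.get_paginator("list_secrets").paginate():
        collected.extend(page.get("SecretList", []))
    return {"SecretList": collected}


class FakeSecretsManagerClient:
    """Constructed offline stand-in exposing only the paginator call used above."""

    def __init__(self, pages):
        self._pages = pages

    def get_paginator(self, operation_name):
        assert operation_name == "list_secrets"
        pages = self._pages

        class _Paginator:
            def paginate(self, **kwargs):
                return iter(pages)

        return _Paginator()


if __name__ == "__main__":
    # Offline demo over two constructed result pages.
    fake = FakeSecretsManagerClient([ACCOUNT_WITH_SECRETS, EMPTY_ACCOUNT])
    print(evaluate_secrets_manager_usage(list_all_secrets(fake)))
```

The evaluator deliberately separates the pass/fail verdict from the rotation list: a single unrotated secret does not fail this check, but it is the next thing an auditor will ask about.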
Risk Level: Medium
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the “Secrets Manager Should Be In Use” misconfiguration in AWS using the AWS console, follow these steps:
- Log in to the AWS Management Console.
- Navigate to the AWS Secrets Manager service.
- Click on the “Create secret” button.
- Select the type of secret you want to create (such as “Other type of secrets”).
- Enter the details for the secret, such as the secret name and the secret value.
- Click on the “Next” button.
- Configure the rotation settings for the secret, if applicable.
- Click on the “Next” button.
- Review the details of the secret.
- Click on the “Store” button to create the secret.
Once you have created the secret in AWS Secrets Manager, you can use it in your applications and services to securely store and retrieve sensitive information. Make sure to update your applications and services to use the new secret, and delete any other instances of the sensitive information that may have been stored elsewhere.
To remediate the issue of not using Secrets Manager in AWS, you can follow the steps below using the AWS CLI:
- First, create a new Secrets Manager secret for the sensitive data that needs to be stored securely.
- Then, update the application code to retrieve the sensitive data from Secrets Manager instead of hardcoding it in the code.
- Next, remove any sensitive data that is currently stored in environment variables or configuration files.
- Finally, update the IAM policies to grant the necessary permissions to access the Secrets Manager secret.
To create a new Secrets Manager secret using the AWS CLI, follow these steps:
- Open the AWS CLI and run the following command to create a new secret:

```bash
aws secretsmanager create-secret --name my-secret --secret-string "my-secret-value"
```

- Replace `my-secret` with the name of the secret you want to create, and `my-secret-value` with the value of the secret. You can also use the `--secret-file` option to specify a file containing the secret value.
- Once the secret is created, update the application code to retrieve the secret value from Secrets Manager.
- To remove any sensitive data that is currently stored in environment variables or configuration files, review the code and remove any references to the sensitive data.
- Finally, update the IAM policies to grant the necessary permissions to access the Secrets Manager secret. The `aws secretsmanager get-secret-value` command is what retrieves the secret value, so the IAM policy should include the `secretsmanager:GetSecretValue` action for the relevant resource.
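The last step asks for `secretsmanager:GetSecretValue` "for the relevant resource", and the difference between that and `Resource: "*"` is the difference between one application reading its own credential and every principal with the policy reading every secret in the account. The Python below is an added example for this page (not the audit tool's or AWS's code): it builds the scoped policy document and flags statements that grant Secrets Manager access on every resource. The ARN and the over-broad sample policy are constructed; the `-??????` suffix pattern reflects the random six characters AWS appends to a secret's name in its ARN, which is why scoping by bare name does not match.

```python
"""Generate a least-privilege read policy for one secret and flag over-broad grants.

Assumptions: standard IAM JSON policy shape; the ARN and sample policies are constructed.
"""
import json

# Constructed ARN. Secret ARNs end in a random 6-character suffix appended to the name,
# so scoping by name needs 'name-??????' (or 'name-*') rather than plain 'name'.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-??????"


def build_secret_read_policy(secret_arn):
    """Allow only GetSecretValue on exactly the given secret."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            }
        ],
    }


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return the Sids (or positional labels) of Allow statements that grant a
    secretsmanager action, or a wildcard action, on Resource '*'. Such a statement
    lets the principal read every secret in the account, not just its own."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        touches_secrets = any(
            a == "*" or a.lower().startswith("secretsmanager:") for a in actions
        )
        if touches_secrets and "*" in resources:
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed example of the pattern to avoid: read access to every secret.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAllSecrets", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Sid": "DescribeOnly", "Effect": "Allow",
         "Action": "secretsmanager:DescribeSecret", "Resource": SECRET_ARN},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_secret_read_policy(SECRET_ARN), indent=2))
    print("over-broad statements:", overbroad_statements(OVERBROAD_POLICY))
```

Run `overbroad_statements` over the inline and attached policies of the roles your applications assume; a hit on `ReadAllSecrets`-style statements is the thing to fix before adding more secrets to the account.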
To remediate the misconfiguration “Secrets Manager Should Be In Use” for AWS using Python, you can follow these steps:
- First, ensure that you have the AWS SDK for Python (Boto3) installed on your system.
- Next, use the Boto3 SDK to create a Secrets Manager secret in your AWS account. You can do this by creating a new Secrets Manager client object and calling its create_secret method.

Here’s some sample Python code that demonstrates how to create a new secret using Boto3:

```python
import boto3

# Create a new Secrets Manager client
client = boto3.client('secretsmanager')

# Create a new secret
response = client.create_secret(
    Name='my-secret',
    SecretString='{"username":"my-username", "password":"my-password"}'
)

# Print the ARN of the new secret
print(response['ARN'])
```

In this example, we’re creating a new secret named “my-secret” with a username and password stored as a JSON string in the SecretString field.
- Once you’ve created your new secret, update your application or infrastructure to use the Secrets Manager client to retrieve the secret values at runtime. This ensures that your secrets are securely stored and managed by AWS.

Here’s some sample Python code that demonstrates how to retrieve a secret using Boto3:

```python
import boto3

# Create a new Secrets Manager client
client = boto3.client('secretsmanager')

# Retrieve the secret value
response = client.get_secret_value(
    SecretId='my-secret'
)

# Print the secret value
print(response['SecretString'])
```

In this example, we’re retrieving the value of the “my-secret” secret and printing it to the console.
By following these steps, you can remediate the misconfiguration “Secrets Manager Should Be In Use” for AWS using Python and ensure that your secrets are securely managed by AWS.
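The retrieval snippet above prints the raw `SecretString`; a real application has to parse the JSON it stored, cope with secrets kept as a plain string or as `SecretBinary`, and avoid calling the API on every request. The Python below is an added example for this page (not the tool's or AWS's code) that does those three things: it parses a `GetSecretValue` response into a dict, and wraps lookups in a small TTL cache whose `invalidate()` forces a refresh after an authentication failure, which is how a rotated credential gets picked up promptly. `FakeSecretsManagerClient` and the canned secrets are constructed for offline use; with boto3 installed, `SecretCache(boto3.client("secretsmanager"))` works the same way because only `get_secret_value(SecretId=...)` is used.

```python
"""Retrieve and parse a secret at runtime with a short-lived cache.

Assumptions: the client exposes boto3's get_secret_value(SecretId=...) and returns the
same keys as the real API (SecretString or SecretBinary). The fake client and its
canned secrets are constructed for offline use.
"""
import json
import time


class FakeSecretsManagerClient:
    """Offline stand-in that returns canned GetSecretValue responses and counts calls."""

    def __init__(self, store):
        self._store = store
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._store:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return dict(self._store[SecretId])


def parse_secret_response(response):
    """Turn a GetSecretValue response into a dict. Secrets stored as JSON (like the
    username/password example above) come back as their fields; a plain string or a
    binary payload comes back under the key 'value'. boto3 returns SecretBinary as
    bytes, already base64-decoded."""
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        raw = response["SecretBinary"].decode("utf-8")
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}
    return parsed if isinstance(parsed, dict) else {"value": parsed}


class SecretCache:
    """Cache secret values for ttl_seconds so a busy service does not hit the API on
    every request. Keep the TTL well below the rotation interval so a rotated
    credential is picked up; call invalidate() after an auth failure to refresh early."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}

    def get(self, secret_id):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        value = parse_secret_response(self._client.get_secret_value(SecretId=secret_id))
        self._entries[secret_id] = (now, value)
        return value

    def invalidate(self, secret_id):
        self._entries.pop(secret_id, None)


# Constructed canned secrets mirroring the create_secret example above.
CANNED_SECRETS = {
    "my-secret": {"SecretString": '{"username":"my-username", "password":"my-password"}'},
    "api-token": {"SecretString": "plain-text-token-value"},
    "binary-blob": {"SecretBinary": b'{"key_id": "kid-1"}'},
}

if __name__ == "__main__":
    cache = SecretCache(FakeSecretsManagerClient(CANNED_SECRETS), ttl_seconds=60)
    creds = cache.get("my-secret")
    # Log only the field names, never the values.
    print("fields:", sorted(creds))
```

Note that the demo logs field names rather than values: a `print(response['SecretString'])` line left in production code moves the secret into your log pipeline, which undoes the point of storing it in Secrets Manager.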