Secrets Manager secrets should be rotated within a specified number of days
Severity: Medium
Resource Types: AWS::SecretsManager::Secret
Description
This control checks whether your secrets have been rotated at least once within 90 days.
Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.
You can configure your secrets for automatic rotation in AWS Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise.
Security Hub recommends that you enable rotation for your Secrets Manager secrets. To learn more about rotation, see Rotating your AWS Secrets Manager secrets.
Remediation
You can enable automatic secret rotation in the Secrets Manager console.
To enable secret rotation
- Open the Secrets Manager console.
- To locate the secret, enter the secret name in the search box.
- Choose the secret to display.
- Under
Rotation configuration
, chooseEdit rotation
. - From
Edit rotation configuration
, chooseEnable automatic rotation
. - From
Select Rotation Interval
, choose the rotation interval. - Choose a Lambda function to use for rotation.
- Choose
Next
. - After you configure the secret for automatic rotation, under
Rotation Configuration
, chooseRotate secret immediately
.