Ensure that AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable automatic rotation feature for your secrets). Secrets Manager rotation is the automatic process that periodically change your secrets data to make it more difficult for an attacker to access the services and resources secured with these secrets. With Amazon Secrets Manager you don't have to manually change the secret and update it on all of your clients. Instead, the Secrets Manager service uses an AWS Lambda function to perform for you all of the steps required for rotation, on a regular schedule (predefined or custom).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Automatically rotating your Amazon Secrets Manager secrets can significantly reduce the chances that a compromised set of credentials can be utilized without your knowledge to access services and resources (AWS-based or third-party) that you use for your applications.
To determine if automatic rotation is enabled for your AWS Secrets Manager secrets, perform the following actions:
Remediation / Resolution
To enable automatic rotation feature for your Amazon Secrets Manager secrets, perform the following actions:
- AWS Documentation
- AWS Secrets Manager FAQs
- What is AWS Key Management Service?
- Key Terms and Concepts for AWS Secrets Manager
- Rotating Your AWS Secrets Manager Secrets
- Enabling Rotation for an Amazon RDS Database Secret
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Secret Rotation Enabled
Risk level: Medium