Ensure secrets are auto-rotated after no more than 90 days

HIGH

Description

Secrets, such as database passwords and API credentials, should be rotated on a regular schedule. AWS Secrets Manager can be configured to rotate a secret automatically after a set interval, and a maximum interval of 90 days has become the commonly accepted baseline. Verifying that automatic rotation is enabled with an interval of 90 days or less limits how long a leaked or stolen credential remains usable and protects every system that consumes secrets from the organization's AWS environment.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and go to the AWS Secrets Manager dashboard.
  2. In the navigation panel, select Secrets.
  3. Select the Secrets Manager secret.
  4. In the configuration page, in the Rotation configuration section, check the Rotation Interval configuration. Ensure automatic rotation is enabled and the interval is 90 days or less.

In Terraform -

  1. In the aws_secretsmanager_secret_rotation resource, set 'rotation_rules.automatically_after_days' to 90 days or less.
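As an added example (not part of this policy page or of any vendor tooling), the following script implements the check the rule describes: given the per-secret metadata that the Secrets Manager DescribeSecret API returns (the `RotationEnabled` flag and the `RotationRules` mapping with either `AutomaticallyAfterDays` or a `ScheduleExpression`), it reports whether each secret rotates at least every 90 days. The input records below are constructed inline so the script runs offline; in practice you would feed it the dictionaries returned by `boto3`'s `client.describe_secret(SecretId=...)`. It also covers two edge cases the console steps above do not spell out: a schedule expressed as `rate(N hours)` is converted to days, and a `cron()` schedule, whose interval cannot be derived mechanically, is flagged for manual review rather than silently passed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Threshold enforced by this rule: rotate at least every 90 days.
MAX_ROTATION_DAYS = 90

# Secrets Manager schedule expressions of the form "rate(30 days)" or "rate(12 hours)".
_RATE_RE = re.compile(r"^rate\(\s*(\d+)\s+(hour|hours|day|days)\s*\)$", re.IGNORECASE)


@dataclass
class Finding:
    secret_name: str
    compliant: bool
    reason: str


def interval_days(rules: dict) -> Optional[float]:
    """Return the rotation interval in days from a RotationRules mapping.

    Returns None when the interval cannot be determined, e.g. a cron() schedule
    or an empty/missing RotationRules block.
    """
    days = rules.get("AutomaticallyAfterDays")
    if days is not None:
        return float(days)
    expr = rules.get("ScheduleExpression")
    if expr:
        match = _RATE_RE.match(expr.strip())
        if match:
            value, unit = int(match.group(1)), match.group(2).lower()
            return value / 24 if unit.startswith("hour") else float(value)
    return None


def evaluate_secret(secret: dict, max_days: int = MAX_ROTATION_DAYS) -> Finding:
    """Evaluate one DescribeSecret-shaped record against the rotation rule."""
    name = secret.get("Name") or secret.get("ARN", "<unknown>")
    if not secret.get("RotationEnabled"):
        return Finding(name, False, "automatic rotation is not enabled")
    days = interval_days(secret.get("RotationRules") or {})
    if days is None:
        # A cron() schedule may well be compliant, but we cannot prove it here.
        return Finding(name, False, "rotation interval could not be determined; review the schedule manually")
    if days > max_days:
        return Finding(name, False, f"rotation interval is {days:g} days, exceeds {max_days}")
    return Finding(name, True, f"rotation interval is {days:g} days")


def evaluate_all(secrets: List[dict]) -> List[Finding]:
    return [evaluate_secret(s) for s in secrets]


# Constructed sample records mirroring the fields DescribeSecret returns (hypothetical names).
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30}},
    {"Name": "legacy/api-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 180}},
    {"Name": "staging/db/password", "RotationEnabled": False},
    {"Name": "prod/signing-key", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(12 hours)"}},
    {"Name": "prod/cron-rotated", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "cron(0 8 1 * ? *)"}},
]

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_SECRETS):
        status = "PASS" if finding.compliant else "FAIL"
        print(f"{status}  {finding.secret_name}: {finding.reason}")
```

To run this against a real account, replace `SAMPLE_SECRETS` with the records from `boto3`'s `list_secrets` paginator followed by `describe_secret` for each entry; the evaluation logic is unchanged. A secret that rotates on exactly the 90th day passes, matching the "90 days or less" wording of the rule.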

References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation#automatically_after_days

Policy Details

Rule Reference ID: AC_AWS_0226
CSP: AWS
Remediation Available: Yes
Resource Category: Management
Resource Type: Secrets Manager

Frameworks