This rule ensures that Secrets Manager secrets have automatic rotation enabled to enhance security measures.
| Rule | Secrets Manager secrets should have automatic rotation enabled |
| --- | --- |
| Framework | AWS Foundational Security Best Practices |
| Severity | Medium |
Rule Description:
The Secrets Manager service in AWS provides a secure and scalable solution to manage secrets such as database credentials, API keys, and other sensitive information. The rule enforces the automatic rotation of secrets within Secrets Manager, which is recommended as per AWS Foundational Security Best Practices.
Troubleshooting Steps (if applicable):
If automatic rotation is not enabled for a Secrets Manager secret, the finding is resolved by enabling rotation as described in the remediation steps below.
Necessary Codes (if applicable):
There are no specific codes provided for this rule. The rotation capability is configured through the Secrets Manager console or API.
Step-by-Step Guide for Remediation:
Follow these steps to enable automatic rotation for Secrets Manager secrets:
1. Open the AWS Management Console and navigate to the Secrets Manager service.
2. Identify the secret that needs automatic rotation and select it from the list.
3. On the secret's details page, click the "Rotation" tab.
4. Click the "Edit rotation" button.
5. Select the "Enable automatic rotation" checkbox.
6. Choose the rotation schedule based on your requirements. You can select a predefined time-based rotation or create a custom Lambda rotation function.
7. Provide the necessary configuration details for the selected rotation option, such as the Lambda function ARN, rotation period, and permissions.
8. Click "Save" to enable automatic rotation for the secret.
9. Validate the rotation by monitoring the "Rotation status" on the secret's details page.
10. Ensure that applications or services using the secret are updated with the newly rotated credentials.
By following these steps, you will have successfully enabled the automatic rotation of Secrets Manager secrets, aligning with AWS Foundational Security Best Practices.
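The console steps above cover one secret at a time. The following audit script is an added example, not part of the original page or of any AWS tooling; it classifies every secret an account returns from `list_secrets` using the real response fields (`RotationEnabled`, `RotationRules.AutomaticallyAfterDays`, `LastRotatedDate`, `NextRotationDate`) and goes one step beyond the rule by also flagging secrets whose rotation is enabled but overdue, which usually means the rotation Lambda is failing. The sample data, the fixed clock and the one-day grace window are constructed assumptions.

```python
"""Added audit helper: classify Secrets Manager secrets by rotation status."""
from datetime import datetime, timedelta, timezone

FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock for the sample data

# Constructed sample shaped like one page of a list_secrets response (not real secrets).
SAMPLE_PAGES = [{"SecretList": [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": FIXED_NOW - timedelta(days=10)},
    {"Name": "prod/api/key", "RotationEnabled": False},
    {"Name": "legacy/ftp/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": FIXED_NOW - timedelta(days=95)},
    {"Name": "stage/db/password", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(7 days)"},
     "NextRotationDate": FIXED_NOW - timedelta(days=3)},
]}]


def evaluate_secret(secret, now=None):
    """Return "NONCOMPLIANT" (rotation off), "STALE_ROTATION" (rotation on but overdue,
    a sign the rotation Lambda is failing) or "COMPLIANT". Secrets scheduled with a
    ScheduleExpression carry no AutomaticallyAfterDays and are checked via NextRotationDate."""
    now = now or datetime.now(timezone.utc)
    if not secret.get("RotationEnabled"):
        return "NONCOMPLIANT"
    days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    last = secret.get("LastRotatedDate")
    next_due = secret.get("NextRotationDate")
    if days and last and now - last > timedelta(days=days):
        return "STALE_ROTATION"
    if next_due and now > next_due + timedelta(days=1):  # one-day grace window (assumption)
        return "STALE_ROTATION"
    return "COMPLIANT"


def audit_pages(pages, now=None):
    """Map secret name -> status over list_secrets pages (live or constructed)."""
    return {s["Name"]: evaluate_secret(s, now) for page in pages for s in page["SecretList"]}


def audit_account(client):
    """Run the audit against a live account using a boto3 secretsmanager client."""
    return audit_pages(client.get_paginator("list_secrets").paginate())


if __name__ == "__main__":
    import boto3  # only needed for the live audit; the sample data runs without it
    for name, status in sorted(audit_account(boto3.client("secretsmanager")).items()):
        print(f"{status:15} {name}")
```

The caller needs `secretsmanager:ListSecrets` only; no secret values are ever read.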