Ensure automatic rotation is enabled for Secrets Manager secrets to enhance security.
Rule | Secrets Manager secrets should have automatic rotation enabled |
Framework | CISA-cyber-essentials |
Severity | ✔ High |
Rule Description
This rule checks that every secret in AWS Secrets Manager has automatic rotation enabled, in support of CISA Cyber Essentials. Automatic rotation limits the useful lifetime of a leaked credential: the credential stored in the secret (and the one configured on the protected resource) is replaced on a fixed schedule, so a copy obtained from a log, a backup, or a compromised host stops working after the next rotation.
Troubleshooting Steps
If there are any issues with enabling automatic rotation for Secrets Manager secrets, you can follow these troubleshooting steps:
Verify IAM Permissions: Ensure that the IAM user or role configuring rotation has the necessary permissions. At minimum the identity policy must allow the "secretsmanager:RotateSecret" action on the secret; the rotation Lambda function must also have a resource-based policy that allows the "secretsmanager.amazonaws.com" service principal to invoke it, otherwise enabling rotation fails or the first rotation is never triggered.
Check Secrets Manager Access: Ensure that the user or role has access to the specific secret you are trying to enable rotation for. Verify the access policy attached to the secret and make sure the user or role is included.
Secret Rotation Lambda Function: Verify that the Lambda function responsible for rotation is correctly configured. Its execution role needs "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" and "secretsmanager:UpdateSecretVersionStage" on the secret, because a rotation walks through the createSecret, setSecret, testSecret and finishSecret steps and moves the AWSPENDING and AWSCURRENT staging labels. Note that Secrets Manager invokes the function directly on the schedule; no separate CloudWatch or EventBridge trigger is required. If the function rotates a database credential, it also needs a network path to the database (for example, a VPC configuration and security-group rules that allow the connection).
Check Rotation Schedule: Ensure that the rotation schedule is set up correctly. Verify that the rotation interval (AutomaticallyAfterDays or a ScheduleExpression) matches your organization's credential-rotation policy; CISA Cyber Essentials requires that credentials be managed and rotated but does not prescribe a specific interval, so document the interval you choose.
Review Lambda Logs: If any issues persist, review the logs generated by the rotation Lambda function. The logs may provide insights into any errors or exceptions encountered during the rotation process.
Necessary Code
To enable automatic rotation for a secret in Secrets Manager, you can use the AWS Command Line Interface (CLI). Note that running rotate-secret with only --secret-id triggers one immediate rotation using whatever rotation configuration already exists; it does not by itself turn on a schedule. To enable automatic rotation, supply the rotation Lambda function and the rotation rules:
aws secretsmanager rotate-secret --secret-id <secret-id> --rotation-lambda-arn <lambda-arn> --rotation-rules AutomaticallyAfterDays=30
Replace <secret-id> with the ARN or name of the secret you want to enable automatic rotation for, and <lambda-arn> with the ARN of the rotation Lambda function. AutomaticallyAfterDays=30 is an example interval; a ScheduleExpression (for example, ScheduleExpression="rate(30 days)") can be used instead. Confirm the result with:
aws secretsmanager describe-secret --secret-id <secret-id>
The output should show "RotationEnabled": true together with the configured RotationLambdaARN and RotationRules.
Step-by-Step Remediation Guide
To enable automatic rotation for a secret in AWS Secrets Manager, follow these steps:
Login to AWS Management Console: Access the AWS Management Console using appropriate credentials.
Navigate to Secrets Manager: Go to the AWS Secrets Manager service page by searching for "Secrets Manager" in the search bar or locating it under the "Security, Identity & Compliance" section.
Select the Secret: From the list of secrets, select the secret for which you want to enable automatic rotation.
Enable Automatic Rotation: In the secret details page, scroll down to the "Secret rotation" section and click on the "Edit rotation" button.
Configure Rotation: In the "Configure rotation" dialog, select the "Enable automatic rotation" option.
Set Rotation Schedule: Specify the rotation interval for the secret. Ensure that the rotation schedule aligns with your compliance requirements, such as the CISA Cyber Essentials guidelines.
Configure Rotation Lambda ARN: Provide the Amazon Resource Name (ARN) of the Lambda function responsible for secret rotation. This Lambda function must already exist, have the necessary permissions on the secret, and allow the Secrets Manager service principal to invoke it; the console also offers to create a new rotation function from an AWS-provided template if you do not have one.
Save Configuration: Click on the "Save" button to enable automatic rotation for the secret.
Once enabled, Secrets Manager invokes the specified Lambda function on the defined schedule. Enabling rotation also starts a rotation immediately, so verify that this first rotation completes successfully before relying on the schedule.
Additional Notes
Automatic rotation is a crucial security measure: it bounds the window in which a leaked credential remains valid and removes the need for manual, easily forgotten rotation of long-lived secrets.
Monitor rotation outcomes rather than assuming they succeed. Secrets Manager records RotationStarted, RotationSucceeded and RotationFailed events in AWS CloudTrail, and the rotation Lambda function writes its own logs to CloudWatch Logs; a secret whose LastRotatedDate is older than its rotation interval indicates that rotations are failing.
Consider creating EventBridge rules on the CloudTrail RotationFailed event, or CloudWatch Alarms on the rotation function's Errors metric, to receive notifications or trigger actions when a rotation fails.