Ensure rotation of Secrets Manager secrets within a specific number of days.
Rule | Secrets Manager secrets should be rotated within a specific number of days.
Framework | CISA-cyber-essentials
Severity | High
CISA Cyber Essentials - Secrets Manager Rotation Policy
Description
The CISA Cyber Essentials framework recommends that secrets managed by AWS Secrets Manager be rotated within a specific number of days. Secrets Manager is an AWS service that helps you protect access to your applications, services, and IT resources without the upfront investment and ongoing maintenance cost of operating your own secrets infrastructure.
Rotating secrets at regular intervals helps mitigate the risk of unauthorized access and reduces the impact of potential security breaches. By adhering to this policy, you ensure that your secrets are regularly updated to minimize the window of opportunity for an attacker to exploit them.
Troubleshooting Steps
If you encounter any issues while implementing or adhering to the Secrets Manager rotation policy, you can follow these troubleshooting steps:
Check for permissions: Ensure that the IAM user or role you are using to interact with Secrets Manager has the necessary permissions to perform rotation operations. The user or role should have the secretsmanager:RotateSecret permission.
Verify secret properties: Make sure the secret you are attempting to rotate meets the requirements set by Secrets Manager. Ensure that its rotation configuration is correctly set up, including the rotation Lambda function, rotation frequency, and rotation rules.
Review Lambda function: If you have set up a Lambda function to perform the secret rotation, check the function code and configuration to ensure it is working correctly. Review any error logs or CloudWatch events associated with the Lambda function.
Inspect access policies: Check if there are any restrictive access policies or security group rules that might be blocking the rotation process. Ensure that the necessary permissions are granted to the Lambda function or other services involved in the rotation process.
Test secret rotation: If possible, initiate a test rotation to validate that the rotation process is functioning as expected. Monitor the progress and check for any error messages or unexpected behavior during the rotation.
Seek AWS support: If you exhaust all troubleshooting steps and cannot resolve the issue, consider reaching out to AWS support for further assistance. Provide them with relevant details, error messages, and steps you have taken so far.
Necessary Codes
To implement this policy, you can use the AWS CLI to trigger and configure rotation of a specific secret. The following command starts an immediate rotation of the secret:
aws secretsmanager rotate-secret --secret-id <secret-id>
To also set the automatic rotation schedule required by the policy, pass the rotation Lambda function and the rotation rules in the same command (here with a 30-day interval as an example value):
aws secretsmanager rotate-secret --secret-id <secret-id> --rotation-lambda-arn <lambda-arn> --rotation-rules AutomaticallyAfterDays=30
Replace <secret-id> with the identifier of the Secrets Manager secret you want to rotate, and <lambda-arn> with the ARN of the Lambda function that performs the rotation.
Step-by-Step Guide for Remediation
Follow these steps to adhere to the Secrets Manager secrets rotation policy:
Identify the secret: Determine which secret(s) you need to rotate as specified by the policy.
Check existing rotation configuration: Verify the current rotation configuration for the secret using the AWS Management Console, AWS CLI, or AWS SDKs. Validate the rotation frequency and any rotation rules defined for the secret.
Update rotation settings: If necessary, update the rotation configuration to align with the policy requirements. Use the AWS Management Console, AWS CLI, or AWS SDKs to modify the rotation frequency and rules.
Test the rotation process: Manually trigger a test rotation for the secret to ensure that the rotation process is functioning correctly. Monitor the rotation progress and verify that the secret is successfully rotated without any errors.
Validate rotation schedule: Regularly check the rotation status of the secret to ensure that it is being rotated at the specified frequency. Use the AWS Management Console, AWS CLI, or AWS SDKs to view the rotation history and confirm that the rotations are occurring within the expected timeframe.
Monitor rotation logs: Monitor the logs and events associated with the secret rotation process. This helps identify any issues or errors that may occur during rotation and allows for prompt remediation.
Review and address rotation failures: If any secret rotation fails, investigate the cause and take appropriate action to remediate the issue. This may involve debugging the rotation Lambda function, validating permissions, or reviewing error logs.
Regularly review and update: Periodically review and update the rotation configuration and rotation rules for each secret based on changing requirements or best practices.
By following these steps, you can ensure that secrets managed by AWS Secrets Manager are rotated within the specified number of days as recommended by the CISA Cyber Essentials framework.
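The "check existing rotation configuration" and "validate rotation schedule" steps above amount to a policy check over each secret's description. The following Python is an added example of that check; it is not code from the page, from CISA, or from AWS. It assumes a 90-day threshold (the control names no specific number, so this is a placeholder), uses the field names of describe-secret / list-secrets output, and runs over constructed sample data rather than a live account. It also covers two cases a practitioner hits in practice: a secret whose rotation is enabled but whose last rotation is stale (typically a failing rotation Lambda), and a cron() schedule that cannot be reduced to a day count and needs manual review.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed threshold. The control speaks of "a specific number of days" without
# fixing one; 90 is a placeholder a team would replace with its own policy value.
MAX_ROTATION_DAYS = 90

# Matches the rate() form of a Secrets Manager ScheduleExpression, e.g. "rate(30 days)".
_RATE_RE = re.compile(r"^rate\((\d+)\s+(day|days|hour|hours)\)$")


def rotation_interval_days(rules):
    """Derive the configured rotation interval in days from a RotationRules dict.

    Returns an int, or None when the interval cannot be read off the rules
    (no rules at all, or a cron() schedule that needs manual review).
    """
    if not rules:
        return None
    if rules.get("AutomaticallyAfterDays") is not None:
        return int(rules["AutomaticallyAfterDays"])
    match = _RATE_RE.match(rules.get("ScheduleExpression", "").strip())
    if match:
        count, unit = int(match.group(1)), match.group(2)
        return count if unit.startswith("day") else max(1, count // 24)
    return None


def evaluate_secret(secret, now, max_days=MAX_ROTATION_DAYS):
    """Evaluate one secret description against the rotation policy.

    `secret` uses the field names of describe-secret / list-secrets output
    (Name, RotationEnabled, RotationRules, LastRotatedDate; the last one is a
    timezone-aware datetime). Returns (status, reason) with status in
    {"PASS", "FAIL", "REVIEW"}.
    """
    if not secret.get("RotationEnabled"):
        return "FAIL", "automatic rotation is not enabled"
    interval = rotation_interval_days(secret.get("RotationRules"))
    if interval is None:
        return "REVIEW", "rotation schedule could not be parsed; check it manually"
    if interval > max_days:
        return "FAIL", f"configured interval of {interval} days exceeds {max_days} days"
    last = secret.get("LastRotatedDate")
    if last is None:
        return "FAIL", "rotation is enabled but the secret has never been rotated"
    age = (now - last).days
    if age > max_days:
        # Rotation is configured but did not happen: the usual cause is a failing
        # rotation Lambda, which the troubleshooting steps above cover.
        return "FAIL", f"last rotated {age} days ago; investigate the rotation Lambda"
    return "PASS", f"last rotated {age} days ago on a {interval}-day schedule"


def audit(secrets, now, max_days=MAX_ROTATION_DAYS):
    """Evaluate every secret and return a list of (name, status, reason)."""
    return [(s["Name"],) + evaluate_secret(s, now, max_days) for s in secrets]


# Constructed sample data standing in for real list-secrets output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/api/token", "RotationEnabled": False},
    {"Name": "legacy/sftp/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=120)},
    {"Name": "staging/cache/key", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(45 days)"},
     "LastRotatedDate": NOW - timedelta(days=10)},
    {"Name": "reports/db/password", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "cron(0 8 1 * ? *)"},
     "LastRotatedDate": NOW - timedelta(days=20)},
]

if __name__ == "__main__":
    for name, status, reason in audit(SAMPLE_SECRETS, NOW):
        print(f"{status:6} {name}: {reason}")
```

Against a real account, replace SAMPLE_SECRETS with the paginated output of the list-secrets API (for example boto3's list_secrets paginator, whose SecretList entries carry the same field names) and set NOW to the current UTC time. A FAIL for a stale LastRotatedDate on a secret with rotation enabled is the case worth alerting on separately, since it means the schedule exists but rotations are silently failing.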