
Rule: Secrets Manager secrets should have automatic rotation enabled

Ensure secrets stored in Secrets Manager have automatic rotation enabled for enhanced security measures.

Rule: Secrets Manager secrets should have automatic rotation enabled
Framework: GxP 21 CFR Part 11
Severity: High

Secrets Manager Automatic Rotation for GxP 21 CFR Part 11

Rule Description

To comply with the GxP 21 CFR Part 11 regulations, all secrets managed by AWS Secrets Manager should be set up with automatic rotation enabled. Automatic rotation ensures that secrets such as passwords, database credentials, and API keys are regularly changed to enhance security and protect sensitive data.

Enabling automatic rotation eliminates the need for manual intervention and reduces the risk of unauthorized access resulting from prolonged exposure of secrets.

Troubleshooting Steps (if applicable)

  1. If automatic rotation is not enabled for Secrets Manager, secrets may become outdated and increase the vulnerability of your data. Ensure that automatic rotation is configured for all relevant secrets.
  2. If automatic rotation fails to occur as expected, check the rotation settings and evaluate any error messages or logs related to the rotation process.
  3. Make sure that the IAM role used for Secrets Manager rotation has the necessary permissions to perform the rotation tasks, including accessing and modifying the secret.
  4. Verify that the target resources relying on the secret are correctly updated with the new credentials/values after each rotation.

Necessary Codes (if applicable)

In this case, there are no specific codes to provide as the rotation configuration details may vary based on your specific use case and technologies involved. Consult the AWS Secrets Manager documentation for implementation details for your specific environment.

Step-by-Step Guide for Remediation

1. Enable Automatic Rotation for Secrets

  1. Go to the AWS Management Console.
  2. Navigate to the Secrets Manager service.
  3. Select the secret for which you want to enable automatic rotation.
  4. Choose the "Rotate secret" tab.
  5. Click "Edit rotation" in the "Rotation configuration" section.
  6. Select the rotation type based on your requirements (e.g., AWS Lambda function, AWS RDS, etc.).
  7. Provide the necessary configuration details for the chosen rotation type (e.g., Lambda function ARN, database instance details).
  8. Set the rotation schedule frequency as per your organization's security policies.
  9. Configure any additional settings, such as rotation lifecycle, if applicable.
  10. Save the rotation configuration.

2. Validate Automatic Rotation

  1. Monitor the rotation process for the enabled secret by checking the rotation history in the Secrets Manager console.
  2. Ensure that the rotation occurs as expected based on the configured rotation schedule.
  3. Confirm that the target resources using the secret (e.g., databases, applications) are correctly updated with the new credentials/values after each rotation.
  4. Validate that the secret remains accessible by the authorized entities after rotation.
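The validation above can be automated across an account. The following is an added example, not Cloud Defense's or AWS's own code: it evaluates describe_secret()-shaped records for the conditions this rule and its troubleshooting steps call out (rotation disabled, no rotation function, no schedule, or a last rotation older than the configured interval). The sample records are constructed; in live use the same check_secret() function is fed the dicts returned by boto3's secretsmanager describe_secret() or list_secrets().

```python
"""Audit Secrets Manager rotation settings for the automatic-rotation rule."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed samples evaluate deterministically.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample records shaped like describe_secret() responses
# (the ARN and account id are placeholders, not real resources).
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationLambdaARN": "arn:aws:lambda:us-east-1:111111111111:function:rotate-db",
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=10)},          # compliant
    {"Name": "prod/api/key", "RotationEnabled": False},      # rotation off
    {"Name": "prod/app/token", "RotationEnabled": True,      # rotation stalled
     "RotationLambdaARN": "arn:aws:lambda:us-east-1:111111111111:function:rotate-app",
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=45)},
]


def check_secret(secret, now=NOW, grace_days=1):
    """Return the list of findings for one secret; an empty list means compliant."""
    findings = []
    if not secret.get("RotationEnabled"):
        # Nothing else to evaluate: this is the rule's primary failure.
        return ["rotation not enabled"]
    if not secret.get("RotationLambdaARN"):
        findings.append("no rotation function configured")
    rules = secret.get("RotationRules", {})
    days = rules.get("AutomaticallyAfterDays")
    if days is None and "ScheduleExpression" not in rules:
        findings.append("no rotation schedule")
    last = secret.get("LastRotatedDate")
    if days is not None:
        if last is None:
            findings.append("rotation enabled but never rotated")
        else:
            age = (now - last).days
            # Rotation that has not run within its interval (plus a small grace
            # window) is the "fails to occur as expected" troubleshooting case.
            if age - days > grace_days:
                findings.append(f"last rotation {age} days ago exceeds {days}-day schedule")
    return findings


def audit(secrets, now=NOW):
    """Map each non-compliant secret name to its findings."""
    report = {}
    for secret in secrets:
        findings = check_secret(secret, now)
        if findings:
            report[secret["Name"]] = findings
    return report
```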

3. Troubleshoot Rotation Issues (if applicable)

  1. If automatic rotation fails, review the error messages and logs related to the rotation process.
  2. Check IAM roles and their permissions associated with the rotation process to ensure they have the necessary access to perform rotation tasks.
  3. Validate that the target resources are correctly set up to handle the updated credentials/values after rotation.
  4. If necessary, consult the AWS Secrets Manager documentation or contact AWS support for further assistance.

Please note that the above steps are general guidelines, and specific steps may vary based on your organization's setup and chosen technologies. Always refer to relevant documentation and best practices provided by AWS to ensure compliance with GxP 21 CFR Part 11 regulations.
