Rule: Secrets Manager secrets should have automatic rotation enabled
Ensure Secrets Manager secrets have automatic rotation enabled to enhance security measures.
| Rule | Secrets Manager secrets should have automatic rotation enabled |
| Framework | GxP 21 CFR Part 11 |
| Severity | ✔ High |
Rule Description:
The rule requires that Secrets Manager secrets utilized in compliance with GxP (Good Practices) and 21 CFR Part 11 have automatic rotation enabled. This ensures that secrets, such as passwords and API keys, are regularly changed to mitigate the risks associated with unauthorized access or compromise.
Troubleshooting Steps:
If automatic rotation is not enabled for Secrets Manager secrets, the following troubleshooting steps can be followed:
- 1.
Verify the Secret Configuration: Check the configuration details of the secret in Secrets Manager to ensure that automatic rotation is enabled. This can be done by navigating to the Secrets Manager service in your cloud provider's console and locating the specific secret.
- 2.
Check Rotation Settings: Verify the rotation settings for the secret. Make sure that the rotation interval is set appropriately and aligns with the defined compliance requirements. Additionally, ensure that the rotation function is correctly configured and associated with the relevant resources.
- 3.
Review Error Messages: If automatic rotation is not working as expected, review any error messages or logs associated with the rotation process. Look for any specific error codes or descriptions that may help identify the issue.
- 4.
Validate IAM Permissions: Ensure that the AWS Identity and Access Management (IAM) roles and policies associated with Secrets Manager have the necessary permissions to perform automatic rotation. Check for any misconfigurations or missing permissions that could be causing the issue.
Necessary Codes:
In most cases, enabling automatic rotation for Secrets Manager secrets requires configuring and associating a Lambda function. Below are the typical codes used in such a scenario:
- 1.Create a Lambda Function:
import boto3
def lambda_handler(event, context):
# Add logic for secret rotation here
# Retrieve, update, and rotate the secret as needed
# Validate the new secret and store it securely
# Update other relevant configurations as required
pass
- 1.Associate the Lambda Function with Secret Rotation:
aws secretsmanager rotate-secret --secret-id MySecret --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:MySecretRotationFunction
Note: The above code snippets are generic and should be customized based on your specific use case and programming language.
Step-by-Step Guide for Remediation:
To enable automatic rotation for Secrets Manager secrets used in compliance with GxP 21 CFR Part 11, follow these steps:
- 1.
Identify the Secret: Determine the specific secret that requires automatic rotation. It should contain sensitive information such as passwords, API keys, or database credentials.
- 2.
Create a Rotation Lambda Function: Develop or modify a Lambda function that can automate the rotation process for the identified secret. Ensure the function code adheres to the necessary security and compliance standards.
- 3.
Configure IAM Permissions: Ensure that the Lambda function has the required IAM permissions to access the secret, retrieve and rotate the secret value, and update relevant configurations. Review the Secrets Manager and Lambda function IAM policies to add any missing permissions.
- 4.
Associate the Lambda Function with the Secret: Use the AWS CLI or the cloud provider's console to associate the Lambda function with the secret. This enables Secrets Manager to trigger the rotation process based on the defined rotation interval.
- 5.
Test the Rotation Process: Simulate a secret rotation to verify that the Lambda function is correctly configured. Monitor the rotation process and check for any errors or unexpected behavior. Validate that the new secret is properly generated and securely stored.
- 6.
Monitor and Maintain: Regularly review the secret rotation logs and monitor the overall health of the rotation mechanism. Address any error messages or issues promptly to ensure continuous compliance with GxP 21 CFR Part 11.
By following these steps, automatic rotation can be enabled for Secrets Manager secrets, meeting the requirements for GxP and 21 CFR Part 11 compliance.