
Rule: Secrets Manager secrets should be rotated as per the rotation schedule

Ensure Secrets Manager secrets are rotated as scheduled to maintain security compliance.

Rule: Secrets Manager secrets should be rotated as per the rotation schedule
Framework: GxP 21 CFR Part 11
Severity: Critical

Rule Description

This rule requires that every Secrets Manager secret is rotated on the schedule your organisation has defined for GxP 21 CFR Part 11 compliance. GxP is the collective term for the "good practice" regulations (GMP, GLP, GCP and others) that govern the pharmaceutical, biotechnology and medical device industries. 21 CFR Part 11 is the FDA regulation that sets the conditions under which electronic records and electronic signatures are treated as trustworthy, reliable and equivalent to paper records and handwritten signatures; its controls for identification codes and passwords require that they be periodically checked, recalled or revised (for example to enforce password ageing). Part 11 does not prescribe a rotation interval, so the interval this rule checks against is the one set in your validated security policy.

Secrets Manager is an AWS service that stores secrets such as database passwords, API keys and OAuth tokens, controls access to them through IAM, and can rotate them automatically by invoking a rotation Lambda function on a schedule. Regular rotation bounds the window in which a leaked or stolen credential remains usable, which is why a stale secret is treated as a critical finding.

Troubleshooting Steps (if applicable)

If secrets are reported as non-compliant with the rotation schedule, work through the following checks:

  1. Identify the rotation schedule: confirm the maximum age and rotation frequency that your GxP 21 CFR Part 11 policy defines for each class of secret. The rule can only be evaluated against a concrete interval.

  2. Check secret rotation settings: for each relevant secret, review whether automatic rotation is enabled and what interval is configured (the RotationEnabled and RotationRules fields returned by describe-secret). A secret with rotation disabled, or with an interval longer than the schedule allows, is non-compliant regardless of its current age.

  3. Evaluate secret age: compare LastRotatedDate (or CreatedDate for a secret that has never been rotated) with the schedule. A secret that has rotation enabled but whose last rotation is older than its own configured interval indicates that the rotation function is failing; check that function's CloudWatch logs. Any secret older than the permitted age must be rotated immediately.

  4. Review access logs: Secrets Manager records API calls such as GetSecretValue in AWS CloudTrail. Look for access from unexpected principals, regions or source addresses that may indicate a compromised secret.

  5. Perform a risk assessment: rank the overdue secrets by the impact their compromise would have and rotate the highest-risk ones first.

  6. Implement secret rotation: configure a rotation Lambda function and a rotation schedule following the AWS Secrets Manager documentation, using the rotation function template that matches the secret type (for example Amazon RDS credentials) where one exists.
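The checks in steps 2 and 3 can be automated against the records that `aws secretsmanager describe-secret` (or boto3's `describe_secret`) returns. The script below is an added example for this page, not Cloud Defense's rule implementation or AWS code. It assumes a 90-day maximum age (MAX_AGE_DAYS; the page states no interval, so substitute your policy's value), uses a fixed audit time so the results are reproducible, and runs over constructed sample records with invented names and dates. It flags the three non-compliant shapes the steps describe: rotation disabled, a configured interval longer than the schedule, and a value older than the schedule or older than the secret's own interval (the sign of a failing rotation function). It also covers schedule expressions: `rate()` is parsed, `cron()` is reported for manual review.

```python
"""Rotation-compliance check over describe-secret output (added example)."""
import re
from datetime import datetime, timezone

# Assumed maximum secret age, in days. The page does not state an interval;
# substitute the value from your validated GxP policy.
MAX_AGE_DAYS = 90

# Point in time the sample audit is evaluated at (fixed so results are reproducible).
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Accept ISO-8601 strings (AWS CLI JSON) or datetime objects (boto3)."""
    if value is None:
        return None
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def configured_interval_days(rules):
    """Rotation interval in days from RotationRules, or None if it cannot be read.

    AutomaticallyAfterDays takes precedence; otherwise a rate() schedule
    expression is parsed. cron() expressions are left for manual review.
    """
    if not rules:
        return None
    if rules.get("AutomaticallyAfterDays") is not None:
        return float(rules["AutomaticallyAfterDays"])
    match = re.fullmatch(r"rate\((\d+)\s+(hour|hours|day|days)\)",
                         rules.get("ScheduleExpression", "").strip())
    if match is None:
        return None
    amount, unit = int(match.group(1)), match.group(2)
    return float(amount) if unit.startswith("day") else amount / 24.0


def evaluate_secret(secret, now=AUDIT_TIME, max_age_days=MAX_AGE_DAYS):
    """Return a list of findings; an empty list means the secret is compliant."""
    findings = []
    interval = None
    if not secret.get("RotationEnabled"):
        findings.append("automatic rotation is not enabled")
    else:
        interval = configured_interval_days(secret.get("RotationRules"))
        if interval is None:
            findings.append("rotation interval could not be determined; review the ScheduleExpression manually")
        elif interval > max_age_days:
            findings.append(f"configured interval of {interval:g} days exceeds the {max_age_days}-day schedule")

    last_rotated = parse_timestamp(secret.get("LastRotatedDate"))
    baseline = last_rotated or parse_timestamp(secret.get("CreatedDate"))
    if baseline is None:
        findings.append("no LastRotatedDate or CreatedDate; age cannot be evaluated")
        return findings
    age_days = (now - baseline).total_seconds() / 86400
    # A secret with rotation enabled must also be within its *own* interval;
    # exceeding that means the rotation function is not completing.
    limit = min(max_age_days, interval) if interval else max_age_days
    if age_days > limit:
        origin = "last rotation" if last_rotated else "creation (never rotated)"
        findings.append(f"{age_days:.0f} days since {origin}; limit is {limit:g} days")
    return findings


def audit(secrets, now=AUDIT_TIME, max_age_days=MAX_AGE_DAYS):
    """Map each secret name to its findings."""
    return {s["Name"]: evaluate_secret(s, now, max_age_days) for s in secrets}


# Constructed sample records in the shape of `aws secretsmanager describe-secret`
# output; the names and dates are invented for this example.
SAMPLE_SECRETS = [
    {"Name": "prod/db/app-user", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": "2024-05-20T02:14:00Z", "CreatedDate": "2023-01-05T10:00:00Z"},
    {"Name": "legacy/api-key", "RotationEnabled": False,
     "CreatedDate": "2023-10-01T09:30:00Z"},
    {"Name": "prod/db/reporting", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": "2024-04-10T03:00:00Z", "CreatedDate": "2023-03-01T00:00:00Z"},
    {"Name": "batch/sftp-password", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(180 days)"},
     "LastRotatedDate": "2024-05-01T00:00:00Z", "CreatedDate": "2022-11-11T00:00:00Z"},
    {"Name": "etl/warehouse", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "cron(0 8 1 * ? *)"},
     "LastRotatedDate": "2024-05-01T00:00:00Z", "CreatedDate": "2022-11-11T00:00:00Z"},
]


def run_sample_audit():
    """Audit the constructed sample set at AUDIT_TIME."""
    return audit(SAMPLE_SECRETS)


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        status = "COMPLIANT" if not findings else "NON_COMPLIANT"
        print(f"{status:14} {name}")
        for finding in findings:
            print(f"    - {finding}")
```

To run it against a real account, replace SAMPLE_SECRETS with the records from `describe-secret` for each entry returned by `list-secrets`, and pass the current time as `now`. Note that a secret that is within its interval but whose rotation function has thrown errors will only show up on the next missed rotation, so the CloudWatch logs check in step 3 is still needed.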

Remediation Steps

If a secret is non-compliant with the rotation schedule for GxP 21 CFR Part 11, remediate as follows:

  1. Identify the affected secrets: list the secrets whose age exceeds the schedule or whose rotation configuration does not match it, and treat those as the rotation backlog.

  2. Generate new credentials: create a new password, key or token at the system that accepts it (the database, the API provider, the identity provider). Rotating only the copy stored in Secrets Manager achieves nothing unless the target system is updated as well.

  3. Update the secret in Secrets Manager: store the new value as a new version of the same secret, so that its name and ARN, and therefore the IAM policies and application references that point to it, remain unchanged. Secrets Manager labels the new version AWSCURRENT and keeps the previous value under the AWSPREVIOUS label.

  4. Update application or infrastructure configuration: any application that reads the secret at startup or caches it must refresh it, and any environment variable, configuration file or deployment parameter that still carries the old value must be updated.

  5. Verify access and functionality: confirm that every consumer of the secret can retrieve the new version and authenticate with it before the old credential is retired.

  6. Revoke the old credential: once the new version is verified, disable or delete the old password, key or token at the target system, so that the previous value is no longer usable if it has already been copied elsewhere.

AWS CLI Commands (if applicable)

If you manage Secrets Manager with the AWS Command Line Interface (CLI), the following commands are useful when implementing rotation:

  1. Create Secret:
     aws secretsmanager create-secret --name <secret-name> --secret-string "<secret-value>"

     Creates a new secret with the given name and initial value.

  2. Update Secret:
     aws secretsmanager update-secret --secret-id <secret-id> --secret-string "<new-secret-value>"

     Stores the new value as a new version of the secret, labels that version AWSCURRENT and moves the previous version to AWSPREVIOUS. A value passed on the command line is visible in shell history and process listings; on shared hosts read it from a file instead with --secret-string file://<path>.

  3. Rotate Secret:
     aws secretsmanager rotate-secret --secret-id <secret-id>

     Starts a rotation of the secret. It only succeeds if a rotation Lambda function is attached to the secret; the same command's --rotation-lambda-arn and --rotation-rules options attach the function and set the interval, after which Secrets Manager rotates the secret automatically on that schedule.

Note: Replace <secret-name> with the name of the secret, <secret-value> with the value of the secret, and <secret-id> with the name or ARN of the secret.

Consult the official AWS CLI documentation for Secrets Manager for the full set of options and examples specific to your setup.
