Secrets Manager Secrets Rotation Rule
Ensure secrets in Secrets Manager are rotated as per schedule to enhance security measures.
| Rule | Secrets Manager secrets should be rotated as per the rotation schedule |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Critical |
Rule Description
The rule states that Secrets Manager secrets should be rotated according to the rotation schedule specified in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 (NIST 800-53 R5). This ensures that secrets, such as passwords, API keys, and database credentials, are regularly updated to minimize the risk of unauthorized access or misuse.
Troubleshooting Steps (if applicable)
- 1.Verify if the Secrets Manager secret is configured with a rotation schedule.
- 2.Check if the rotation schedule aligns with the requirements specified in NIST 800-53 R5.
- 3.Ensure that the rotation process is being followed consistently.
- 4.Review any error messages or issues encountered during the rotation process.
- 5.Confirm that the updated secrets are properly propagated to the relevant systems and services.
Necessary Codes (if applicable)
No specific codes are provided for this rule. The implementation of the rule may vary based on the cloud service provider and Secrets Manager configuration being used.
Remediation Steps
- 1.Determine the rotation schedule required by NIST 800-53 R5.
- 2.Identify the Secrets Manager secret that needs to be rotated.
- 3.Review the current rotation configuration for the secret:
- Check the rotation schedule and verify if it matches the NIST 800-53 R5 requirements.
- Ensure that the secret is configured with the correct rotation Lambda function or rotation service.
- Validate the rotation function code for any potential errors.
- 4.If the rotation schedule does not comply with the NIST 800-53 R5 requirements, update the rotation configuration accordingly.
- 5.Ensure that the rotation process is being executed as scheduled:
- Check if the rotation Lambda function or rotation service is functioning correctly.
- Review any rotation logs or monitoring metrics to identify any rotation failures.
- Troubleshoot and address any issues preventing successful rotation.
- 6.Verify that the updated secrets are being properly propagated:
- Test the updated secret against the relevant systems and services to ensure they can authenticate and function correctly.
- Monitor the systems and services for any errors or issues related to the updated secrets.
- 7.Document the rotation activities and schedule regular audits to ensure compliance with NIST 800-53 R5.
- 8.Review any alerts or notifications related to secret rotation to promptly address any anomalies or failures.
Note: The specific CLI commands for remediation may vary depending on the cloud service provider and Secrets Manager implementation. It is recommended to refer to their documentation for the appropriate commands and configurations.