This rule ensures that Secrets Manager secrets have automatic rotation enabled for enhanced security measures.
| Rule | Secrets Manager secrets should have automatic rotation enabled |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | High |
Rule Description
This rule requires that all secrets stored in AWS Secrets Manager have automatic rotation enabled, in line with the NIST Cybersecurity Framework (CSF) v1. Automatic rotation regularly replaces a secret's value, so a credential that has leaked remains usable only until the next rotation, reducing the risk of unauthorized access and exposure.
Troubleshooting Steps
If automatic rotation is not enabled for Secrets Manager secrets, follow these troubleshooting steps:
Verify the Secret Rotation Requirements: Review the NIST Cybersecurity Framework (CSF) v1 specific requirements regarding automatic rotation to ensure that it is necessary for your secrets.
Review Secrets Manager Configuration: Check the configuration of Secrets Manager for the specific secret in question. Ensure that the automatic rotation feature is not disabled or misconfigured.
Check IAM Permissions: Verify that the IAM user or role used to configure and manage Secrets Manager has the necessary permissions to enable automatic rotation for secrets.
Check Rotation Lambda Function: Ensure that a Lambda function responsible for rotating secrets is correctly configured and associated with the specified secret. Confirm that the Lambda function has the necessary IAM permissions to perform the rotation.
Verify Secret Rotation Schedule: Check the rotation schedule to see if it is set adequately. Ensure that it aligns with your organization's security policies and complies with the NIST Cybersecurity Framework (CSF) v1 requirements.
Necessary Codes
CloudFormation JSON for a Secret in AWS Secrets Manager with a Rotation Schedule:
{
  "Resources": {
    "ExampleSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "example-secret",
        "Description": "This is an example secret",
        "SecretString": "{\"username\":\"admin\",\"password\":\"initial password\"}"
      }
    },
    "ExampleRotationSchedule": {
      "Type": "AWS::SecretsManager::RotationSchedule",
      "Properties": {
        "SecretId": { "Ref": "ExampleSecret" },
        "RotationLambdaARN": "arn:aws:lambda:us-east-1:123456789012:function:example-rotation-function",
        "RotationRules": { "AutomaticallyAfterDays": 30 }
      }
    }
  }
}
This code snippet demonstrates the CloudFormation JSON that creates a secret in AWS Secrets Manager and attaches a rotation schedule to it. Note the RotationLambdaARN and RotationRules.AutomaticallyAfterDays properties of the AWS::SecretsManager::RotationSchedule resource, which are essential for enabling automatic rotation.
Rotation Lambda Function (Python):
import boto3

def lambda_handler(event, context):
    # Secrets Manager invokes the function with the ARN of the secret being rotated
    secret_name = event['SecretId']
    # Implement secret rotation logic here: generate the new credential and
    # apply it to the backing service before storing it in Secrets Manager
    new_secret_value = "new_secret_value"
    client = boto3.client('secretsmanager')
    # update_secret stores the new value as the current version of the secret;
    # the rotation schedule itself is configured with rotate_secret, not here
    response = client.update_secret(
        SecretId=secret_name,
        SecretString=new_secret_value
    )
    return response
This code snippet represents a basic Python implementation of a Lambda function responsible for rotating secrets. Customize the lambda_handler function according to your secret rotation requirements.
Step-by-Step Guide for Remediation
To enable automatic rotation for Secrets Manager secrets according to the NIST Cybersecurity Framework (CSF) v1, follow these steps:
Access AWS Secrets Manager Console: Log in to the AWS Management Console and navigate to the Secrets Manager service.
Choose the Desired Secret: Select the secret for which you want to enable automatic rotation.
Click on "Rotate Secret": In the secret details page, click on the "Rotate Secret" button to initiate the process of enabling automatic rotation.
Configure Rotation Lambda Function: Specify the Lambda function ARN responsible for rotating the secret. Ensure that the function implements the necessary secret rotation logic.
Set Rotation Schedule: Define the desired rotation schedule in days, adhering to your organization's security policies and the NIST Cybersecurity Framework (CSF) v1 requirements.
Save the Configuration: After configuring the rotation settings, click on the "Save" button to enable automatic rotation for the secret.
Verify Automatic Rotation: Monitor the secret's rotation status in the Secrets Manager console. Ensure that the Lambda function is executing successfully and rotating the secret within the defined schedule.
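As an added example (not part of the original rule page or any AWS tooling), the following Python script applies the checks from the troubleshooting steps and the verification step above to records shaped like describe_secret() responses: rotation enabled, a rotation Lambda attached, a schedule set, and a last rotation that is not overdue. The sample secret records, the 90-day maximum interval and the 2-day grace period are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy thresholds: assumed values for this example, not taken from the rule text.
MAX_ROTATION_DAYS = 90   # longest rotation interval the organisation accepts
GRACE_DAYS = 2           # tolerance before a late rotation counts as overdue


def evaluate_secret(desc, now, max_days=MAX_ROTATION_DAYS, grace_days=GRACE_DAYS):
    """Return findings for one DescribeSecret-shaped record; an empty list means compliant."""
    findings = []
    if not desc.get("RotationEnabled"):
        return ["rotation not enabled"]  # nothing further to check when rotation is off
    if not desc.get("RotationLambdaARN"):
        findings.append("no rotation Lambda attached")
    rules = desc.get("RotationRules", {})
    interval = rules.get("AutomaticallyAfterDays")
    if interval is None and not rules.get("ScheduleExpression"):
        findings.append("no rotation schedule")
    elif interval is not None and interval > max_days:
        findings.append(f"rotation interval {interval}d exceeds {max_days}d")
    # RotationEnabled only says rotation is configured. A Lambda that keeps failing
    # leaves LastRotatedDate stale, so check that a rotation actually happened on time.
    last = desc.get("LastRotatedDate")
    if last is None:
        findings.append("never rotated")
    elif interval is not None and now - last > timedelta(days=interval + grace_days):
        findings.append(f"last rotation {(now - last).days}d ago, overdue")
    return findings


def audit(secrets, now):
    """Map secret name -> findings for every non-compliant secret in the list."""
    return {s["Name"]: f for s in secrets if (f := evaluate_secret(s, now))}


# Constructed sample records in the shape of describe_secret() responses (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROTATOR = "arn:aws:lambda:us-east-1:123456789012:function:example-rotation-function"
SAMPLE_SECRETS = [
    {"Name": "prod/db", "RotationEnabled": True, "RotationLambdaARN": ROTATOR,
     "RotationRules": {"AutomaticallyAfterDays": 30}, "LastRotatedDate": NOW - timedelta(days=10)},
    {"Name": "legacy/api-key", "RotationEnabled": False},
    {"Name": "prod/cache", "RotationEnabled": True, "RotationLambdaARN": ROTATOR,
     "RotationRules": {"AutomaticallyAfterDays": 30}, "LastRotatedDate": NOW - timedelta(days=75)},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SECRETS, NOW).items():
        print(f"NON-COMPLIANT {name}: {'; '.join(findings)}")
```

Against a live account, feed the script the output of describe_secret() for each ARN returned by list_secrets(); the overdue check is what catches a secret whose rotation Lambda is attached but silently failing.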
Note: Make sure to review your organization's specific needs and requirements before enabling automatic rotation for Secrets Manager secrets.