Secret Rotation Interval

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecretsManager-003

Ensure that the rotation interval for your AWS Secrets Manager secrets is configured to meet your security and compliance requirements. Before the Cloud Conformity engine runs this rule, the rotation interval (in days) must be configured in the rule settings, on your Cloud Conformity account dashboard. The Amazon Secrets Manager rotation feature is the automatic process that periodically changes your secret values, which makes it harder for attackers to use a leaked secret to access the services and resources it protects.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

By configuring your Amazon Secrets Manager secrets to use the right number of days between secrets rotation (also known as rotation interval), you fulfill the security and compliance requirements defined by your organization.

Note: This rule assumes that the automatic rotation feature is already enabled for your AWS Secrets Manager secrets. If automatic rotation is not currently enabled, follow the steps outlined in this conformity rule to enable the feature.
Audit

To determine if the automatic rotation interval is configured correctly for your Amazon Secrets Manager secrets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Secrets Manager service dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Choose the Secrets Manager secret that you want to examine, then click on its name (link) to access the resource configuration details.

05 On the selected secret configuration page, in the Rotation configuration section, check the Rotation Interval configuration attribute value. If the attribute value (i.e. the number of days between credential rotations) is different from the one defined within the rule settings, on your Cloud Conformity account dashboard, the rotation interval configuration for the selected Amazon Secrets Manager secret is not compliant.

06 Repeat steps no. 4 and 5 to check the rotation interval for other Secrets Manager secrets available in the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run the list-secrets command (OSX/Linux/UNIX) to list the names of all Secrets Manager secrets available within the selected AWS region:

aws secretsmanager list-secrets \
	--region us-east-1 \
	--query 'SecretList[*].Name'

02 The command output should return the names of the secrets available within the region:

[
    "cc-mysql-db-access-details",
    "cc-backend-api-access-keys"
]

03 Run the describe-secret command (OSX/Linux/UNIX) using the name of the secret that you want to examine as the identifier, with a custom query filter that returns the interval (number of days) set for the automatic rotation feature enabled for the selected AWS Secrets Manager secret:

aws secretsmanager describe-secret \
	--region us-east-1 \
	--secret-id cc-mysql-db-access-details \
	--query 'RotationRules.AutomaticallyAfterDays'

04 The command output should return the rotation interval configured for the selected secret:

90

If the value (i.e. number of days) returned by the describe-secret command is different from the one defined within the rule settings, on your Cloud Conformity account dashboard, the rotation interval configuration for the selected Amazon Secrets Manager secret is not compliant.

05 Repeat steps no. 3 and 4 to verify the rotation interval for other Secrets Manager secrets available within the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
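The CLI audit above (steps 1 to 6) automated as a script. This is an added example, not part of the Conformity rule page or tooling; it assumes the required interval is passed in by the caller (for the live run, an assumed CONFORMITY_ROTATION_DAYS environment variable) and that the client object exposes list_secrets()/describe_secret() with the boto3 response shape, so a fake client can be used offline. It also flags two cases the manual steps would miss: secrets whose rotation is not enabled at all, and secrets that use a ScheduleExpression instead of AutomaticallyAfterDays.

```python
"""Audit AWS Secrets Manager rotation intervals against a required value."""


def evaluate_rotation(detail, required_days):
    """Classify one describe_secret() response dict.

    Returns "compliant", "non-compliant", "rotation-disabled", or
    "schedule-expression" (rotation is driven by a cron/rate schedule
    rather than AutomaticallyAfterDays, so the schedule must be reviewed
    by hand against the required interval).
    """
    if not detail.get("RotationEnabled"):
        return "rotation-disabled"
    rules = detail.get("RotationRules") or {}
    days = rules.get("AutomaticallyAfterDays")
    if days is None:
        if rules.get("ScheduleExpression"):
            return "schedule-expression"
        return "rotation-disabled"
    return "compliant" if int(days) == int(required_days) else "non-compliant"


def audit_secrets(client, required_days):
    """Walk every secret in one region, following NextToken pagination,
    and return a {secret_name: status} mapping."""
    results = {}
    kwargs = {}
    while True:
        page = client.list_secrets(**kwargs)
        for entry in page.get("SecretList", []):
            name = entry["Name"]
            detail = client.describe_secret(SecretId=name)
            results[name] = evaluate_rotation(detail, required_days)
        token = page.get("NextToken")
        if not token:
            return results
        kwargs = {"NextToken": token}


if __name__ == "__main__":
    # Live run (assumed usage): regions as arguments, rule value from an
    # assumed environment variable copied from the Conformity rule settings.
    import os
    import sys
    import boto3  # only required for the live run, not for evaluate/audit

    required = int(os.environ["CONFORMITY_ROTATION_DAYS"])
    for region in sys.argv[1:] or ["us-east-1"]:
        client = boto3.client("secretsmanager", region_name=region)
        for name, status in sorted(audit_secrets(client, required).items()):
            print(f"{region}\t{name}\t{status}")
```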

Remediation / Resolution

To configure the automatic rotation interval for your Amazon Secrets Manager secrets in order to meet the security and compliance requirements defined within your organization, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access AWS Secrets Manager Rotation Interval rule settings and copy the value configured for the AWS Secrets Manager rotation interval.

02 Sign in to AWS Management Console.

03 Navigate to AWS Secrets Manager service dashboard at https://console.aws.amazon.com/secretsmanager/.

04 In the navigation panel, select Secrets.

05 Choose the secret that you want to reconfigure (see Audit section part I to identify the right secret), then click on its name (link) to access the resource details.

06 On the selected secret configuration page, within Rotation configuration section, click Edit rotation to edit the rotation feature configuration.

07 Inside Edit rotation configuration dialog box, choose Custom from the Select rotation interval dropdown list and paste the value copied at step no. 1, representing the automatic rotation interval (days) defined within the conformity rule settings. Click Save to apply the changes. Once enabled, the Secrets Manager console should display the following confirmation message: "Your secret <secret-name> has been successfully stored and secret rotation is enabled".

08 Repeat steps no. 5 – 7 for each Secrets Manager secret that you want to reconfigure with the compliant rotation interval, available in the current AWS region.

09 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access AWS Secrets Manager Rotation Interval rule settings and copy the value configured for the AWS Secrets Manager rotation interval.

02 Run the rotate-secret command (OSX/Linux/UNIX) to update the rotation configuration and start rotating the selected secret. Pass the name of the Amazon Secrets Manager secret that you want to reconfigure as the identifier (see Audit section part II to identify the right resource), the ARN of the AWS Lambda function that performs the rotation, and the number of days between rotations copied at step no. 1 as the value of the AutomaticallyAfterDays parameter:

aws secretsmanager rotate-secret \
	--region us-east-1 \
	--secret-id cc-mysql-db-access-details \
	--rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManager-cc-secret-rotation-function \
	--rotation-rules AutomaticallyAfterDays=14

03 The command output should return the request metadata:

{
    "VersionId": "1234abcd-1234-abcd-1234-abcd1234abcd",
    "Name": "cc-mysql-db-access-details",
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-mysql-db-access-details-ABC123"
}

04 Repeat steps no. 1 – 3 for each Secrets Manager secret that you want to reconfigure with the compliant rotation interval, available in the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date Dec 19, 2018