Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Destruction Delay for Secret Versions

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecretManager-002

To ensure a secret version isn't immediately destroyed upon request, you can configure a delayed destruction policy for your Secret Manager secrets. This allows the secret to remain recoverable for a specified period. When a destruction delay is set, destroying a secret version will disable it immediately and schedule its final destruction after the configured duration has passed.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Reliability

Any user with administrative permissions can destroy a Secret Manager secret version. As this is an irreversible action, configuring a delayed destruction policy is strongly recommended to prevent immediate and accidental destruction of sensitive data. Setting a delayed destruction duration represents an extra layer of protection against accidental or malicious destruction of critical secret material.

Audit

To determine if a delayed destruction policy is configured for your Secret Manager secrets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

04 Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

05 Click on the name (link) of the secret that you want to examine, listed in the Name column.

06 Select the OVERVIEW tab and check the Delay version destroy duration attribute value. If the Delay version destroy duration value is set to None, the selected Secret Manager secret is not configured with a delayed destruction duration.

07 Repeat steps no. 5 and 6 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs): 

cc-project5-123123
cc-ai-project-123123

03 Run secrets list command (Windows/macOS/Linux) with the name of the Google Cloud project that you want to examine as the identifier parameter and custom output filters to describe the name of each Secret Manager secret created for the selected project: 

gcloud secrets list
	--project cc-project5-123123
	--format="value(name)"

04 The command output should return the names of the secrets available within the selected GCP project: 

cc-project5-api-key
cc-project5-db-access

05 Run secrets describe command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to examine as the identifier parameter and custom output filters to describe the destruction delay duration for the secret version(s): 

gcloud secrets describe cc-project5-api-key
	--format="value(versionDestroyTtl)"

06 The command output should return the requested destruction delay information: 

604800s

If the secrets describe command output does not return a destruction delay (in seconds) similar to the one returned in the output example above, the selected Secret Manager secret is not configured with a delayed destruction duration.

07 Repeat steps no. 5 and 6 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that a delayed destruction policy is configured for your Google Cloud Secret Manager secrets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

04 Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

05 Click on the name (link) of the secret that you want to configure, listed in the Name column.

06 Choose EDIT SECRET from the resource top-menu to change the secret resource configuration.

07 In the Delay secret version destroy section, select the Set duration for delayed destruction checkbox, and provide a destruction delay duration (in days) to set up the delayed destruction policy for the selected Secret Manager secret.

08 Choose UPDATE SECRET to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each Secret Manager secret that you want to configure, available within the selected Google Cloud Platform (GCP) project.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run secrets update command (Windows/macOS/Linux) to apply a delayed destruction policy for the specified Secret Manager secret. Use the --version-destroy-ttl parameter to set the destruction delay duration (in seconds) for the secret versions: 

gcloud secrets update cc-project5-api-key
	--version-destroy-ttl 604800s

02 The command output should return the name of the configured secret: 

Updated secret [cc-project5-api-key].

03 Repeat steps no. 1 and 2 for each Secret Manager secret that you want to configure, available in the selected Google Cloud Platform (GCP) project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Aug 8, 2025

Related SecretManager rules