
Secret Rotation Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecretsManager-002

Ensure that AWS Secrets Manager is configured to automatically rotate your service or database secrets (i.e. enable the automatic rotation feature for your secrets). Secrets Manager rotation is an automatic process that periodically changes the secret value, so that a credential which leaks is only useful to an attacker until the next rotation. With AWS Secrets Manager you do not have to change the secret manually and update it on all of your clients: the service invokes an AWS Lambda function that performs every step of the rotation for you, on a regular schedule (predefined or custom).

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Automatically rotating your AWS Secrets Manager secrets limits the window in which a compromised credential can be used, without your knowledge, to access the services and resources (AWS-based or third-party) that your applications depend on. Scheduled rotation bounds the damage from a credential that leaks unnoticed; a credential you already know to be compromised should be rotated immediately (for example with rotate-secret, see the Remediation section) rather than left in place until the next scheduled run.


Audit

To determine if automatic rotation is enabled for your AWS Secrets Manager secrets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Choose the Secrets Manager secret that you want to examine, then click on its name (link) to access the resource configuration details.

05 On the selected secret's configuration page, inside the Rotation configuration section, check the value of the Rotation status attribute. If the value is Disabled, the automatic rotation feature is not enabled for the selected AWS Secrets Manager secret.

06 Repeat steps no. 4 and 5 for each Secrets Manager secret available in the current AWS region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run the list-secrets command (OSX/Linux/UNIX) to list the names of all Secrets Manager secrets available within the selected AWS region:

aws secretsmanager list-secrets \
	--region us-east-1 \
	--query 'SecretList[*].Name'

02 The command output should return the names of the secrets available within the region:

[
    "cc-project5-db-credentials",
    "cc-backend-api-access-keys"
]

03 Run the describe-secret command (OSX/Linux/UNIX) using the name of the secret that you want to examine as the identifier and a custom query filter to return the automatic rotation status for the selected AWS Secrets Manager secret:

aws secretsmanager describe-secret \
	--region us-east-1 \
	--secret-id cc-project5-db-credentials \
	--query 'RotationEnabled'

04 The command output should return the requested feature status:

false

If the status value returned by the describe-secret command is false, as shown in the example above, the automatic rotation feature is not currently enabled for the selected AWS Secrets Manager secret. A secret for which rotation has never been configured may carry no RotationEnabled attribute at all, in which case the query prints null; treat null the same as false.

05 Repeat steps no. 3 and 4 for each Secrets Manager secret available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
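The describe-secret check above examines one secret at a time and only tells you whether rotation is switched on, not whether it is actually happening: a rotation function that fails (missing invoke permission, no network path to the database) leaves RotationEnabled true while the credential quietly ages. The following Python script is an added example, not part of this page or of Conformity, that evaluates list-secrets entries in one pass per region and also flags secrets whose LastRotatedDate is older than their configured AutomaticallyAfterDays interval. The field names are those of the Secrets Manager list-secrets and describe-secret responses; the two-day grace period, the status labels and the sample data are assumptions made for the example.

```python
"""Audit AWS Secrets Manager rotation posture (rule SecretsManager-002).

evaluate_secret() is pure and works on the dicts that list-secrets / describe-secret
return; audit_region() wraps it in boto3 pagination for a live account. Beyond the
page's RotationEnabled check it flags secrets whose rotation is enabled but whose
last rotation is older than the configured interval, which usually means the
rotation Lambda is failing.
"""
from datetime import datetime, timezone

GRACE_DAYS = 2  # assumption: slack past AutomaticallyAfterDays before a secret counts as stale


def evaluate_secret(entry, now, grace_days=GRACE_DAYS):
    """Classify one SecretListEntry / DescribeSecret response.

    Returns (status, reason). status is "FAIL" (rotation off, including the case
    where RotationEnabled is absent because rotation was never configured),
    "STALE" (rotation on but overdue or never run) or "PASS".
    """
    if not entry.get("RotationEnabled"):
        return "FAIL", "automatic rotation is not enabled"
    days = (entry.get("RotationRules") or {}).get("AutomaticallyAfterDays")
    last = entry.get("LastRotatedDate")
    if last is None:
        return "STALE", "rotation enabled but the secret has never been rotated"
    age = (now - last).days
    if days is None:
        # Rotation configured with a ScheduleExpression only; interval not derivable here.
        return "PASS", f"rotation enabled, last rotated {age} days ago"
    if age > days + grace_days:
        return "STALE", f"last rotated {age} days ago, interval is {days} days"
    return "PASS", f"last rotated {age} days ago, interval is {days} days"


def audit_entries(entries, now):
    """Evaluate a list of entries; returns [(name, status, reason), ...]."""
    return [(e["Name"], *evaluate_secret(e, now)) for e in entries]


def audit_region(region, now=None):
    """Live check of one region; boto3 is imported here so the rest runs offline."""
    import boto3  # needs credentials allowing secretsmanager:ListSecrets
    client = boto3.client("secretsmanager", region_name=region)
    now = now or datetime.now(timezone.utc)
    findings = []
    for page in client.get_paginator("list_secrets").paginate():
        findings.extend(audit_entries(page["SecretList"], now))
    return findings


# Constructed sample data shaped like list-secrets output (not real AWS output).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "cc-project5-db-credentials"},                            # never configured -> FAIL
    {"Name": "cc-backend-api-access-keys", "RotationEnabled": False},  # explicitly off -> FAIL
    {"Name": "cc-rds-admin", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": datetime(2024, 3, 1, tzinfo=timezone.utc)},    # 92 days ago -> STALE
    {"Name": "cc-rds-app", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": datetime(2024, 5, 20, tzinfo=timezone.utc)},   # 12 days ago -> PASS
]

if __name__ == "__main__":
    for name, status, reason in audit_entries(SAMPLE_SECRETS, SAMPLE_NOW):
        print(f"{status:5} {name}: {reason}")
    # Live use: loop audit_region() over
    # boto3.session.Session().get_available_regions("secretsmanager")
```

Run as-is it evaluates the constructed sample; with credentials, call audit_region() for each region returned by boto3.session.Session().get_available_regions("secretsmanager") to cover the per-region repetition the audit steps describe. A STALE finding is worth treating like a FAIL: the credential is still the one an attacker may hold, and the Lambda's CloudWatch logs will show why rotation stopped.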

Remediation / Resolution

To enable the automatic rotation feature for your AWS Secrets Manager secrets, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Secrets Manager service dashboard at https://console.aws.amazon.com/secretsmanager/.

03 In the navigation panel, select Secrets.

04 Choose the secret that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name (link) to access the secret configuration details.

05 On the selected secret's configuration page, within the Rotation configuration section, click Edit rotation to initiate the automatic rotation setup process.

06 Inside the Edit rotation configuration dialog box, perform the following:

  1. Select Enable automatic rotation to enable the feature.
  2. Select a predefined (e.g. 30, 60, 90 days) or a custom value for the rotation interval from the Select rotation interval dropdown list.
  3. Select Create a new Lambda function to perform rotation to have the console create a rotation function for you, or select Use an existing Lambda function to perform rotation to use an AWS Lambda function that you have previously built for rotating this type of secret. In either case the function must be able to reach and update the service the secret protects; a rotation configuration backed by a function that cannot do so fails at every interval and leaves the old credential in place.
  4. Click Save to apply the changes. Once enabled, the Secrets Manager console should display the following confirmation message: "Your secret <secret-name> has been successfully stored and secret rotation is enabled".

07 Repeat steps no. 4 – 6 for each Secrets Manager secret that you want to reconfigure to use automatic rotation, available in the current AWS region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the rotate-secret command (OSX/Linux/UNIX) using the name of the AWS Secrets Manager secret that you want to reconfigure as the identifier (see Audit section part II to identify the right resource), the ARN of the AWS Lambda function that performs the rotation and the number of days between rotations, to enable and configure the automatic rotation feature and start the asynchronous process of rotating the selected secret. The Lambda function must already exist, and its resource-based policy must allow the secretsmanager.amazonaws.com service principal to invoke it (lambda add-permission), otherwise the rotation that this command starts will fail. Newer CLI versions accept --no-rotate-immediately if you only want to schedule rotation without rotating right away:

aws secretsmanager rotate-secret \
	--region us-east-1 \
	--secret-id cc-project5-db-credentials \
	--rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManager-cc-secret-rotation-function \
	--rotation-rules AutomaticallyAfterDays=30

02 The command output should return the request metadata:

{
    "VersionId": "abcdabcd-1234-1234-1234-abcd1234abcd",
    "Name": "cc-project5-db-credentials",
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-project5-db-credentials-123ABC"
}

03 Repeat steps no. 1 and 2 for each Secrets Manager secret that you want to reconfigure to use automatic rotation, available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat the remediation/resolution process for other regions.

Publication date Dec 19, 2018