Ensure that the Amazon Secrets Manager service is used in your AWS account to manage access credentials (i.e. secrets) such as API keys, OAuth tokens and database credentials. For example, you can use AWS Secrets Manager to handle database credentials to meet security and compliance requirements in your organization. Secrets Manager provides built-in integrations for MySQL, PostgreSQL and Aurora on Amazon Relational Database Service (RDS), and can rotate, manage and retrieve credentials for these database types natively.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Secrets Manager helps you protect sensitive information needed to access your cloud applications, services and resources. Users and applications can use this service to retrieve secrets with a call to the Secrets Manager API, enhancing access security by eliminating the need to hard-code credentials in plain text. The main benefits of using AWS Secrets Manager are:
- Secure and automatic rotation of secrets – you can rotate secrets safely, on a regular schedule, without the need for code deployments.
- Secret access management with IAM policies – you can manage access to secrets using fine-grained AWS IAM policies.
- Encryption of secrets – you can secure secrets by encrypting them with AWS KMS Customer Master Keys.
- Pay-as-you-go pricing.
Audit
To determine whether the AWS Secrets Manager service is used in your AWS account, perform the following actions:
Remediation / Resolution
In order to use the AWS Secrets Manager service to manage database access credentials and/or sensitive information such as API keys or authentication tokens, you must create and configure secrets. To create your own Secrets Manager secret, perform the following actions:
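The following is an added example, not code from this Conformity rule page or from AWS. It covers both the audit (evaluating the `list-secrets` output referenced below) and the remediation (building the credential payload for `create-secret`). It assumes the `SecretList` shape of the `aws secretsmanager list-secrets` / boto3 `list_secrets()` response and the key names that Secrets Manager's native RDS rotation expects in a secret's `SecretString` (`engine`, `host`, `username`, `password`, `dbname`, `port`, `dbInstanceIdentifier`); the sample response, secret names and account id are constructed placeholders. The rotation and pending-deletion reporting goes beyond the rule itself, which only asks whether any secret exists.

```python
"""Audit and remediation helpers for the "Secrets Manager In Use" rule.

Added example, not code from the Conformity rule page or from AWS.
Assumptions: the "SecretList" response shape of `aws secretsmanager list-secrets`
/ boto3 list_secrets(), and the SecretString key names the native RDS rotation
functions expect. The sample response below is constructed, not a real account.
"""
import json
import shlex
from typing import Any, Dict, List, Optional

# Engine values the native RDS rotation functions recognise; Aurora MySQL and
# Aurora PostgreSQL clusters use the matching base engine name.
RDS_ENGINES = {"mysql", "postgres"}

# Constructed sample list-secrets response (placeholder account id and ARNs).
SAMPLE_LIST_SECRETS_RESPONSE: Dict[str, Any] = {
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/rds/app-AbCdEf",
            "Name": "prod/rds/app",
            "RotationEnabled": True,
            "RotationRules": {"AutomaticallyAfterDays": 30},
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/partner-token-GhIjKl",
            "Name": "prod/api/partner-token",
            "RotationEnabled": False,
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:legacy/db-MnOpQr",
            "Name": "legacy/db",
            "RotationEnabled": False,
            "DeletedDate": 1700000000.0,
        },
    ]
}


def evaluate_list_secrets(response: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the rule to a list-secrets response and return a verdict dict.

    The rule only asks whether at least one secret exists. Rotation and
    pending-deletion details go beyond it and are reported because automatic
    rotation is the main benefit the service offers.
    """
    secrets: List[Dict[str, Any]] = response.get("SecretList", [])
    # A secret scheduled for deletion carries DeletedDate (it is listed only when
    # --include-planned-deletion is passed); it is not evidence the service is in use.
    active = [s for s in secrets if "DeletedDate" not in s]
    return {
        "compliant": bool(active),
        "active_secret_count": len(active),
        "pending_deletion": sorted(s["Name"] for s in secrets if "DeletedDate" in s),
        "rotation_disabled": sorted(s["Name"] for s in active if not s.get("RotationEnabled", False)),
    }


def list_secrets_live(region: str) -> Dict[str, Any]:
    """Fetch the real response with boto3 (imported lazily so the offline helpers run without it)."""
    import boto3  # needs AWS credentials allowed to call secretsmanager:ListSecrets

    client = boto3.client("secretsmanager", region_name=region)
    collected: List[Dict[str, Any]] = []
    for page in client.get_paginator("list_secrets").paginate():  # handles NextToken paging
        collected.extend(page.get("SecretList", []))
    return {"SecretList": collected}


def build_rds_secret_string(engine: str, host: str, username: str, password: str,
                            dbname: Optional[str] = None, port: Optional[int] = None,
                            db_instance_identifier: Optional[str] = None) -> str:
    """Serialise RDS credentials in the JSON layout the native RDS rotation expects."""
    if engine not in RDS_ENGINES:
        raise ValueError(f"engine must be one of {sorted(RDS_ENGINES)}, got {engine!r}")
    if not (host and username and password):
        raise ValueError("host, username and password are required")
    secret: Dict[str, Any] = {"engine": engine, "host": host, "username": username, "password": password}
    if dbname:
        secret["dbname"] = dbname
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port!r}")
        secret["port"] = int(port)
    if db_instance_identifier:
        secret["dbInstanceIdentifier"] = db_instance_identifier
    return json.dumps(secret, separators=(",", ":"))


def create_secret_command(name: str, secret_string: str, description: str = "") -> str:
    """Shell-quoted `aws secretsmanager create-secret` invocation carrying the payload."""
    argv = ["aws", "secretsmanager", "create-secret", "--name", name, "--secret-string", secret_string]
    if description:
        argv += ["--description", description]
    return shlex.join(argv)


if __name__ == "__main__":
    print(json.dumps(evaluate_list_secrets(SAMPLE_LIST_SECRETS_RESPONSE), indent=2))
    payload = build_rds_secret_string("mysql", "app-db.example.internal", "app_user",
                                      "REPLACE-ME-PLACEHOLDER", dbname="app", port=3306)
    print(create_secret_command("prod/rds/app", payload, "Credentials for the app RDS instance"))
```

Run as-is to see the verdict for the constructed sample and the generated `create-secret` command; swap in `list_secrets_live("us-east-1")` to evaluate a real account. The command is built with `shlex.join` so the JSON payload survives shell quoting; the password value is a placeholder to replace before use.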
Note: As an example, this conformity rule demonstrates how to use the AWS Secrets Manager service to create secrets that store and manage Amazon RDS database access credentials.
References
- AWS Documentation
- AWS Secrets Manager
- AWS Secrets Manager FAQs
- Key Terms and Concepts for AWS Secrets Manager
- AWS Secrets Manager Best Practices
- AWS Command Line Interface (CLI) Documentation
- secretsmanager
- list-secrets
- create-secret