Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Knowledge Base Data Source Credentials Use Secrets Manager with Rotation

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the AWS Secrets Manager secret holding the connection credentials for each Amazon Bedrock Knowledge Base SaaS data source (Salesforce, SharePoint, or Confluence) is configured with automatic rotation enabled. When you connect a Knowledge Base to an external SaaS service, Amazon Bedrock authenticates to that service using OAuth credentials that you must store in AWS Secrets Manager and reference through the "credentialsSecretArn" field of the data source connector configuration. Configuring automatic rotation on the referenced secret ensures that the stored credentials are periodically replaced by a Lambda rotation function, limiting the window during which a compromised credential remains valid.

Security

Amazon Bedrock Knowledge Base SaaS connectors store long-lived OAuth credentials that grant Amazon Bedrock access to integrated third-party services such as Salesforce, Microsoft SharePoint, and Confluence. An attacker who can retrieve and decrypt the connection secret can steal these credentials and impersonate the Knowledge Base against the connected SaaS service, and in the case of SharePoint the stolen credentials could enable lateral movement into the organization's Active Directory. Enabling automatic rotation on the AWS Secrets Manager secret ensures that the credentials are regularly and automatically replaced, dramatically shortening the useful lifetime of any credential that is leaked or stolen and reducing the blast radius of a compromise.


Audit

To determine if the credentials for your Amazon Bedrock Knowledge Base SaaS data sources are stored in AWS Secrets Manager with automatic rotation enabled, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  3. In the main navigation panel, under Build, select Knowledge Bases to list all the Amazon Bedrock Knowledge Bases available in the selected AWS region.

  4. Click on the name (link) of the Knowledge Base that you want to examine.

  5. In the Data source section, check the Data source type of each configured data source. For each data source with the type Salesforce, SharePoint, or Confluence, click on the name (link) of the data source and note the AWS Secrets Manager secret referenced under Source (i.e. the secret that stores the connection credentials).

  6. Navigate to the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ and click on the name of the secret identified at the previous step.

  7. On the secret details page, in the Rotation section, check the Rotation status attribute value. If the Rotation status is set to Disabled, automatic rotation is not enabled for the credentials of the selected Knowledge Base data source, therefore the configuration is not compliant.

  8. Repeat steps no. 5 – 7 for each Salesforce, SharePoint, or Confluence data source configured for the selected Knowledge Base.

  9. Repeat steps no. 4 – 8 for each Amazon Bedrock Knowledge Base available in the selected AWS region.

  10. Change the AWS cloud region from the console navigation bar and repeat steps no. 3 – 9 for each region where you have deployed Amazon Bedrock Knowledge Bases.

Using AWS CLI

  1. Run list-knowledge-bases command (OSX/Linux/UNIX) with custom output filters to list the IDs of all Amazon Bedrock Knowledge Bases available in the selected AWS region:

    aws bedrock-agent list-knowledge-bases
    --region us-east-1
    --query 'knowledgeBaseSummaries[*].knowledgeBaseId'
    
  2. The command output should return an array with the requested Knowledge Base IDs:

    [
        "ABCD1234EF",
        "GHIJ5678KL"
    ]
    
  3. Run list-data-sources command (OSX/Linux/UNIX) using the ID of the Knowledge Base that you want to examine as the identifier parameter and custom output filters to list the IDs of all the data sources configured for the selected Knowledge Base:

    aws bedrock-agent list-data-sources
    --region us-east-1
    --knowledge-base-id ABCD1234EF
    --query 'dataSourceSummaries[*].dataSourceId'
    
  4. The command output should return an array with the requested data source IDs:

    [
        "MNOP9012QR"
    ]
    
  5. Run get-data-source command (OSX/Linux/UNIX) using the IDs of the Knowledge Base and the data source that you want to examine as identifier parameters and custom query filters to return the data source type and the AWS Secrets Manager secret ARN referenced by the SaaS connector configuration:

    aws bedrock-agent get-data-source
    --region us-east-1
    --knowledge-base-id ABCD1234EF
    --data-source-id MNOP9012QR
    --query 'dataSource.dataSourceConfiguration.{Type:type,SecretArn:[salesforceConfiguration.sourceConfiguration.credentialsSecretArn,sharePointConfiguration.sourceConfiguration.credentialsSecretArn,confluenceConfiguration.sourceConfiguration.credentialsSecretArn]|[?@]|[0]}'
    
  6. The command output should return the data source type and, for SaaS connectors, the ARN of the AWS Secrets Manager secret that stores the connection credentials:

    {
        "Type": "SHAREPOINT",
        "SecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-kb-sharepoint-creds-AbCdEf"
    }
    

    If the "Type" value is "SALESFORCE", "SHAREPOINT", or "CONFLUENCE", the data source authenticates to an external SaaS service using the credentials stored in the AWS Secrets Manager secret referenced by the "SecretArn" value.

  7. Run describe-secret command (OSX/Linux/UNIX) using the secret ARN returned at the previous step as the identifier parameter to determine whether automatic rotation is enabled for the connection credentials:

    aws secretsmanager describe-secret
    --region us-east-1
    --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-kb-sharepoint-creds-AbCdEf
    --query '{RotationEnabled:RotationEnabled,RotationRules:RotationRules}'
    
  8. The command output should return the rotation configuration for the selected secret:

    {
        "RotationEnabled": false,
        "RotationRules": null
    }
    

    If the "RotationEnabled" value is false or null (as shown in the example above), automatic rotation is not enabled for the credentials of the selected Knowledge Base data source, therefore the configuration is not compliant.

  9. Repeat steps no. 5 – 8 for each data source configured for the selected Knowledge Base, then repeat steps no. 3 – 8 for each Knowledge Base available in the selected region.

  10. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 9 for each region where you have deployed Amazon Bedrock Knowledge Bases.

Remediation / Resolution

To enable automatic rotation for the AWS Secrets Manager secret that stores the connection credentials of your Amazon Bedrock Knowledge Base SaaS data sources, perform the following operations:

Note: Rotation requires a Lambda function that updates both the Secrets Manager secret and the corresponding credentials in the connected SaaS application, while preserving the exact secret structure (key names) expected by the Amazon Bedrock connector.

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  3. Click on the name of the secret that stores the credentials for the Knowledge Base data source that you want to reconfigure (see Audit section part I to identify the right resource).

  4. On the secret details page, in the Rotation section, choose Edit rotation.

  5. In the Edit rotation configuration dialog box, turn on Automatic rotation, then under Rotation schedule define the rotation interval (for example, a schedule expression or a number of days between rotations).

  6. Under Rotation function, select an existing AWS Lambda rotation function that updates the SaaS credentials, or choose to create a new one, then choose Save to enable automatic rotation for the selected secret.

  7. Repeat steps no. 3 – 6 for each AWS Secrets Manager secret that stores credentials for a Salesforce, SharePoint, or Confluence data source configured for your Amazon Bedrock Knowledge Bases.

Using AWS CLI

  1. Run rotate-secret command (OSX/Linux/UNIX) using the ARN of the secret that stores the Knowledge Base data source credentials as the identifier parameter (see Audit section part II to identify the right resource), the ARN of your Lambda rotation function, and the required rotation schedule, to enable automatic rotation for the selected secret:

    aws secretsmanager rotate-secret
    --region us-east-1
    --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-kb-sharepoint-creds-AbCdEf
    --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:cc-kb-saas-secret-rotation
    --rotation-rules '{"AutomaticallyAfterDays":30}'
    
  2. The command output should return the ARN, name, and version ID of the rotated secret:

    {
        "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-kb-sharepoint-creds-AbCdEf",
        "Name": "cc-kb-sharepoint-creds",
        "VersionId": "abcdabcd-1234-abcd-1234-abcd1234abcd"
    }
    
  3. Repeat step no. 1 for each AWS Secrets Manager secret that stores credentials for a Salesforce, SharePoint, or Confluence data source configured for your Amazon Bedrock Knowledge Bases.

References

Publication date Jul 10, 2026