
πŸ›‘οΈ AWS Secrets Manager Secret Automatic Rotation is not enabled🟒

  • Contextual name: 🛡️ Secret Automatic Rotation is not enabled 🟢
  • ID: /ce/ca/aws/secrets-manager/secret-automatic-rotation
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description​

AWS Secrets Manager can rotate a secret on a schedule by invoking a rotation function (an AWS Lambda function, or the managed rotation that AWS provides for supported services such as Amazon RDS) that replaces the stored credential and the matching credential in the target system. This policy checks that automatic rotation is enabled on every Secrets Manager secret. A secret that is never rotated is a static, long-lived credential: if it leaks, it stays valid until someone notices and revokes it by hand. Enabling automatic rotation bounds the credential's lifetime, which shortens the window in which a stolen copy is useful, and it removes the manual rotation work that tends to be skipped under time pressure.

Rationale​

Long-lived, static credentials increase the risk of unauthorized access if they are compromised. Automatic rotation limits the lifespan of a credential, significantly reducing the window of opportunity for an attacker to use it. By enforcing this policy, you can automate a crucial part of your credential lifecycle management, improve your security posture, and reduce the operational overhead of manual rotation.

Audit​

This policy flags an AWS Secrets Manager secret as INCOMPLIANT if its RotationEnabled attribute (shown as the Rotation status in the console and returned by the DescribeSecret and ListSecrets API calls) is false or absent. RotationEnabled only records that rotation is configured: a rotation function that fails on every scheduled run leaves the flag true while the credential never changes, so when auditing also compare LastRotatedDate against the rotation schedule.
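As an added example (this is not Cloudaware's policy logic), the rule applied offline to constructed ListSecrets-shaped records, extended with the staleness check described above; scan_account shows the same evaluation against a live account with boto3 and is the only part that needs credentials. The secret names, dates and the 30-day schedule in the sample are made up.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def evaluate_secret(secret: dict, now: Optional[datetime] = None) -> dict:
    """Apply the audit rule to one secret description.

    `secret` is a dict shaped like an entry from secretsmanager:ListSecrets (or
    the output of DescribeSecret). The policy's own rule is the RotationEnabled
    check; the stale-rotation finding is an extra check added here so that a
    secret whose rotation is switched on but silently failing is not reported
    as healthy (assumption: LastRotatedDate and RotationRules are present once
    rotation has run at least once, which is how the API reports them).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if not secret.get("RotationEnabled", False):
        findings.append("RotationEnabled is false or absent")
    else:
        days = (secret.get("RotationRules") or {}).get("AutomaticallyAfterDays")
        last = secret.get("LastRotatedDate")
        if days and last and now - last > timedelta(days=days):
            findings.append(f"last rotated {last.date()}, later than the {days}-day schedule")
    return {"Name": secret.get("Name"), "Compliant": not findings, "Findings": findings}


# Constructed sample records (not real account data), dated against a fixed clock.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/app", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/api/token", "RotationEnabled": False},
    {"Name": "legacy/ftp"},  # created without rotation: the field is simply absent
    {"Name": "prod/db/reporting", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=95)},  # enabled, but the function keeps failing
]


def noncompliant(secrets=SAMPLE_SECRETS, now=NOW):
    """Names of the secrets the rule (plus the staleness check) would flag."""
    return [r["Name"] for r in (evaluate_secret(s, now) for s in secrets) if not r["Compliant"]]


def scan_account(region_name=None):
    """Live version: walk every secret in the account. Needs boto3 and AWS
    credentials, so it is not exercised in the offline run."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region_name)
    return [evaluate_secret(s) for page in client.get_paginator("list_secrets").paginate()
            for s in page["SecretList"]]


if __name__ == "__main__":
    for name in noncompliant():
        print("INCOMPLIANT:", name)
```

Run as-is it reports the two secrets the policy itself would flag (prod/api/token and legacy/ftp) plus prod/db/reporting, which the policy would pass because its flag is true even though it has not rotated in 95 days.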

Remediation​

Steps​

  1. Write the rotation function code.
  2. Create a Lambda function using that code.
  3. Set up appropriate network access and permissions.
  4. Configure the secret for rotation.

Prerequisite (Database Secrets Only): Choose a Rotation Strategy

AWS Secrets Manager supports two rotation strategies:

  • Option 1: Single User Strategy

    • The secret holds one database user and rotation changes that user's password in place. Nothing else needs to be set up, so you can proceed directly to Step 1. Clients that cache the old password will be refused by the database once the new one is set, so they must fetch the secret again and retry on authentication failure.
  • Option 2: Alternating Users Strategy

    • Create a separate secret containing superuser credentials, that is, a database user allowed to create the clone of the application user and change its password; the rotation function uses this secret, not the application user's own credentials, to perform the change.
    • Add the ARN of the superuser secret to the original secret's JSON structure under the key masterarn.
    • Note: Amazon RDS Proxy does not support the alternating users strategy.

For more information, see Lambda Function Rotation Strategies.

Step 1: Write the Rotation Function Code​

A rotation function is an AWS Lambda function that Secrets Manager invokes to rotate your secret. It is called once per step of a rotation with the secret's ARN, the version ID of the new secret version (ClientRequestToken) and the step name: createSecret (generate the new value and store it as the AWSPENDING version), setSecret (apply it in the target system), testSecret (verify the new credential works) and finishSecret (move the AWSCURRENT staging label to the new version).

AWS provides pre-built templates for Amazon RDS, Amazon Aurora, Amazon Redshift, and Amazon DocumentDB in Rotation function templates.
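Added example, not the page's code and not one of the AWS-provided templates: a rotation function with the createSecret, setSecret, testSecret and finishSecret steps, run offline against constructed stand-ins (FakeSecretsManager, FakeBackend) for the boto3 client and for the system that consumes the credential. The ARN, the secret JSON key password, and the assumption that the service lists the new version ID as AWSPENDING before the first invocation are mine; the calls on the client (describe_secret, get_secret_value, get_random_password, put_secret_value, update_secret_version_stage) are the real boto3 method names.

```python
import json
import uuid
from types import SimpleNamespace

class ResourceNotFoundException(Exception):
    pass  # same name boto3 exposes as client.exceptions.ResourceNotFoundException

class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'): one secret's versions and labels."""
    def __init__(self, arn, current_value):
        self.arn, self.rotation_enabled = arn, True
        self.versions = {str(uuid.uuid4()): {"value": current_value, "stages": {"AWSCURRENT"}}}
        self.exceptions = SimpleNamespace(ResourceNotFoundException=ResourceNotFoundException)
    def register_pending(self, token):
        # Fake-only hook (assumption about the service): the new version id is listed as
        # AWSPENDING, with no value yet, before the function is first invoked.
        self.versions[token] = {"value": None, "stages": {"AWSPENDING"}}
    def describe_secret(self, SecretId):
        return {"ARN": SecretId, "RotationEnabled": self.rotation_enabled,
                "VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self.versions.items():
            if d["value"] is not None and VersionId in (None, vid) and \
                    (VersionStage is None or VersionStage in d["stages"]):
                return {"VersionId": vid, "SecretString": d["value"]}
        raise ResourceNotFoundException(f"{SecretId}: no version for {VersionId}/{VersionStage}")
    def get_random_password(self, **_):
        return {"RandomPassword": uuid.uuid4().hex}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
        self.versions[MoveToVersionId]["stages"].add(VersionStage)

class FakeBackend:
    """Constructed stand-in for the system that must accept the new credential."""
    def __init__(self, value): self.valid = {value}
    def set_credential(self, value): self.valid.add(value)         # RDS: ALTER USER ... PASSWORD
    def check_credential(self, value): return value in self.valid  # RDS: connect with the new password

def lambda_handler(event, context, client=None, backend=None):
    # Entry point in the shape Secrets Manager invokes: event carries SecretId, ClientRequestToken
    # (the version id being rotated in) and Step. Deployed for real, client is boto3 and backend your adapter.
    if client is None:
        import boto3
        client = boto3.client("secretsmanager")
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    meta = client.describe_secret(SecretId=arn)
    if not meta.get("RotationEnabled"):
        raise ValueError(f"rotation is not enabled for {arn}")
    stages = meta["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} has no staging label on {arn}")
    if "AWSCURRENT" in stages[token]:
        return  # already finished: a retried invocation must be a no-op
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING on {arn}")
    {"createSecret": step_create, "setSecret": step_set,
     "testSecret": step_test, "finishSecret": step_finish}[step](client, backend, arn, token)

def pending_password(client, arn, token):
    resp = client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    return json.loads(resp["SecretString"])["password"]

def step_create(client, backend, arn, token):
    client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")  # fail early if nothing to rotate
    try:
        client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    except client.exceptions.ResourceNotFoundException:  # generate once; a retry reuses the pending value
        new = client.get_random_password(PasswordLength=32, ExcludeCharacters="\"@/\\")["RandomPassword"]
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps({"password": new}), VersionStages=["AWSPENDING"])

def step_set(client, backend, arn, token):
    backend.set_credential(pending_password(client, arn, token))

def step_test(client, backend, arn, token):
    if not backend.check_credential(pending_password(client, arn, token)):
        raise RuntimeError(f"backend rejected the AWSPENDING credential for {arn}")

def step_finish(client, backend, arn, token):
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    if current != token:  # promote AWSPENDING to AWSCURRENT in one call
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current)

def rotate_offline(arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-AbCdEf"):
    """Run one rotation against the fakes, then repeat finishSecret to show a retry is harmless; ARN is made up."""
    client = FakeSecretsManager(arn, json.dumps({"password": "old-secret"}))
    backend, token = FakeBackend("old-secret"), str(uuid.uuid4())
    client.register_pending(token)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret", "finishSecret"):
        lambda_handler({"SecretId": arn, "ClientRequestToken": token, "Step": step}, None, client, backend)
    current = client.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")
    return {"token": token, "current_version": current["VersionId"],
            "accepted": backend.check_credential(json.loads(current["SecretString"])["password"]),
            "stages": client.describe_secret(SecretId=arn)["VersionIdsToStages"]}
```

Two properties matter more than the happy path and both are checked by rotate_offline: every step is idempotent, because Secrets Manager retries a failed invocation with the same ClientRequestToken, and the old version only loses AWSCURRENT after testSecret has proved the new credential works, so a broken rotation leaves the old credential in service rather than locking applications out.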


policy.yaml​

Linked Framework Sections​

Section → Sub Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled | 1 | no data
💼 AWS Well-Architected → 💼 SEC02-BP03 Store and use secrets securely | 1 | no data
💼 Cloudaware Framework → 💼 Expiration Management | 13 | no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H) | 18 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 418 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 13 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.4 Change user passwords/passphrases at least once every 90 days. | 3 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | 3 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users. | 14 | no data
💼 PCI DSS v4.0.1 → 💼 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse. | 2 | no data
💼 PCI DSS v4.0 → 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | 3 | no data
💼 PCI DSS v4.0 → 💼 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users. | 114 | no data
💼 PCI DSS v4.0 → 💼 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse. | 2 | no data