🛡️ AWS Secrets Manager Secret has not been rotated within the last 90 days🟢

Contextual name: 🛡️ Secret has not been rotated within the last 90 days🟢
ID: /ce/ca/aws/secrets-manager/secret-rotated-within-90-days
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS Secrets Manager Secret
- 🔌 AWS Secrets Manager Secret - object.extracts.yaml
- 🔌 AWS Secrets Manager Secret Version - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

Description

Description

This policy identifies AWS Secrets Manager secrets whose current secret value has not been rotated within the last 90 days.

Rationale

Secrets stored in AWS Secrets Manager often protect database credentials, API keys, tokens, and other sensitive values. If a secret remains unchanged for long periods, any compromised credential can stay valid long enough to be reused by an attacker.

Regular rotation reduces this exposure window and supports stronger credential lifecycle management.

Impact

Rotating a secret can interrupt dependent applications, functions, or services if they are not prepared to consume the new value. Validate the rotation workflow and downstream integrations before rotating a production secret or enabling automatic rotation.

Audit

This policy excludes secrets that have automatic rotation enabled. For the remaining secrets, it evaluates the AWSCURRENT secret version when version records are available. It flags an AWS Secrets Manager Secret as INCOMPLIANT when either of the following conditions is met:

... see more

Remediation

Open File

Remediation

Rotate the Secret

From Command Line
Rotate the secret by updating its value:
aws secretsmanager update-secret \
    --secret-id {{secret-id}} \
    --secret-string file://{{secret-value.json}}
Validate that dependent applications and services can retrieve and use the updated secret value.
Confirm that the AWSCURRENT version reflects the new value:
aws secretsmanager list-secret-version-ids \
    --secret-id {{secret-id}}
Enable Automatic Rotation

From Command Line
Confirm that the secret type supports automatic rotation and that a rotation Lambda function exists or can be deployed.
Enable automatic rotation:
aws secretsmanager rotate-secret \
    --secret-id {{secret-id}} \
    --rotation-lambda-arn {{rotation-lambda-arn}} \
    --rotation-rules AutomaticallyAfterDays=90
Validate the rotation configuration and confirm that dependent applications can use values produced by the rotation workflow.
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days			1	no data
💼 Cloudaware Framework → 💼 Expiration Management			21	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			32	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	32	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control			27	no data
💼 PCI DSS v3.2.1 → 💼 8.2.4 Change user passwords/passphrases at least once every 90 days.			4	no data
💼 PCI DSS v4.0.1 → 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed.			4	no data
💼 PCI DSS v4.0.1 → 💼 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users.	1		5	no data
💼 PCI DSS v4.0.1 → 💼 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.			3	no data
💼 PCI DSS v4.0 → 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed.			4	no data
💼 PCI DSS v4.0 → 💼 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users.	1	1	5	no data
💼 PCI DSS v4.0 → 💼 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse.			3	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

Rotate the Secret​

From Command Line​

Enable Automatic Rotation​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

Rotate the Secret

From Command Line

Enable Automatic Rotation

From Command Line

policy.yaml

Linked Framework Sections