AWS Secrets Manager Secret has not been accessed in over 90 days
- Contextual name: Secret has not been accessed in over 90 days
- ID: /ce/ca/aws/secrets-manager/secret-unused
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [SecretsManager.3] Remove unused Secrets Manager secrets
Description
This policy identifies AWS Secrets Manager Secrets that have not been accessed or updated within the last 90 days.
Rationale
Secrets that are not regularly accessed are often associated with decommissioned applications or obsolete testing environments. Retaining unused secrets increases the security risk by expanding the pool of credentials that could be exposed in the event of an account compromise.
In addition, AWS charges a monthly fee for each stored secret. Identifying and removing unused secrets helps reduce unnecessary costs and improve overall security posture.
Audit
This policy flags an AWS Secrets Manager Secret as INCOMPLIANT when either of the following conditions is met:
- The Last Accessed Date is empty and the Last Changed Date is more than 90 days old.
- The Last Accessed Date is more than 90 days old.
Secrets that are scheduled for deletion are marked as INAPPLICABLE.
Remediation
Decommission Unused Secrets
From the Command Line
Before deleting a secret, confirm with the owning team or application that the secret is no longer required. If the secret is still needed but accessed infrequently, enable automatic rotation to ensure the credentials remain secure and up to date (see: AWS Secrets Manager Secret Automatic Rotation is not enabled, Remediation). Once the secret has been verified as unused, schedule it for deletion using the AWS CLI:
```bash
aws secretsmanager delete-secret \
  --secret-id {{secret-id}} \
  --recovery-window-in-days 30
```
AWS Secrets Manager enforces a mandatory recovery window of 7 to 30 days. During this period, the deletion can be canceled if the secret is needed again.
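To make the Audit conditions and the remediation step above concrete, here is an added Python example; it is not Cloudaware's policy code and does not reproduce prod.logic.yaml. It applies the two INCOMPLIANT conditions and the INAPPLICABLE rule to secret records shaped like the fields that Secrets Manager's DescribeSecret/ListSecrets responses carry (LastAccessedDate, LastChangedDate, DeletedDate), then builds the corresponding delete-secret commands for an operator to review. The inventory, ARNs (account 111111111111) and evaluation date are constructed so the script runs offline; the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 90          # threshold used by this policy
DEFAULT_RECOVERY_WINDOW = 30    # days; matches the CLI command above


def classify_secret(secret: dict, now: datetime,
                    threshold_days: int = UNUSED_AFTER_DAYS) -> str:
    """Return INCOMPLIANT, COMPLIANT or INAPPLICABLE for one secret record.

    The record uses the field names of the Secrets Manager DescribeSecret /
    ListSecrets responses: LastAccessedDate, LastChangedDate and DeletedDate
    (timezone-aware datetimes, or absent when AWS reports no value).
    """
    # A secret with a DeletedDate is already scheduled for deletion.
    if secret.get("DeletedDate") is not None:
        return "INAPPLICABLE"

    cutoff = now - timedelta(days=threshold_days)
    last_accessed = secret.get("LastAccessedDate")

    if last_accessed is None:
        # Condition 1: never accessed, so judge by when it was last changed.
        last_changed = secret.get("LastChangedDate")
        if last_changed is not None and last_changed < cutoff:
            return "INCOMPLIANT"
        return "COMPLIANT"

    # Condition 2: accessed, but not within the threshold.
    if last_accessed < cutoff:
        return "INCOMPLIANT"
    return "COMPLIANT"


def evaluate_secrets(secrets: list, now: datetime) -> dict:
    """Map each secret Name to its policy status."""
    return {s["Name"]: classify_secret(s, now) for s in secrets}


def deletion_commands(secrets: list, now: datetime,
                      recovery_window_days: int = DEFAULT_RECOVERY_WINDOW) -> list:
    """Build delete-secret CLI commands for the INCOMPLIANT secrets.

    Returns command strings for review; nothing is executed here, and the
    owning team must still confirm the secret is unused before deletion.
    """
    if not 7 <= recovery_window_days <= 30:
        raise ValueError("recovery window must be between 7 and 30 days")
    return [
        f"aws secretsmanager delete-secret --secret-id {s['ARN']} "
        f"--recovery-window-in-days {recovery_window_days}"
        for s in secrets
        if classify_secret(s, now) == "INCOMPLIANT"
    ]


def _ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory and a fixed evaluation date (cutoff is
# 2024-03-03); real records would come from boto3's list_secrets paginator.
NOW = _ts(2024, 6, 1)
_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:{}-EXAMPLE"
SAMPLE_SECRETS = [
    {"Name": "prod/db", "ARN": _ARN.format("prod/db"),
     "LastAccessedDate": _ts(2024, 5, 20), "LastChangedDate": _ts(2023, 11, 1)},
    {"Name": "legacy/api", "ARN": _ARN.format("legacy/api"),
     "LastAccessedDate": _ts(2024, 1, 15), "LastChangedDate": _ts(2023, 6, 1)},
    {"Name": "test/never-used", "ARN": _ARN.format("test/never-used"),
     "LastChangedDate": _ts(2024, 2, 1)},                 # no LastAccessedDate
    {"Name": "new/never-used", "ARN": _ARN.format("new/never-used"),
     "LastChangedDate": _ts(2024, 5, 25)},                # created recently
    {"Name": "old/deleted", "ARN": _ARN.format("old/deleted"),
     "LastAccessedDate": _ts(2023, 1, 1), "LastChangedDate": _ts(2022, 12, 1),
     "DeletedDate": _ts(2024, 5, 30)},                    # scheduled for deletion
]

if __name__ == "__main__":
    for name, status in evaluate_secrets(SAMPLE_SECRETS, NOW).items():
        print(f"{status:12} {name}")
    for cmd in deletion_commands(SAMPLE_SECRETS, NOW):
        print(cmd)
```

Note that LastAccessedDate in Secrets Manager is recorded at day granularity, so a comparison against a cutoff computed from a timestamp can be off by up to a day; when in doubt, treat a borderline secret as still in use and confirm with its owner.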
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [SecretsManager.3] Remove unused Secrets Manager secrets | | 1 | no data | | |
| Cloudaware Framework → Expiration Management | | 15 | no data | | |
| FedRAMP High Security Controls → AC-2(1) Automated System Account Management (M)(H) | | 25 | no data | | |
| FedRAMP Moderate Security Controls → AC-2(1) Automated System Account Management (M)(H) | | 25 | no data | | |
| NIST SP 800-53 Revision 5 → AC-2(1) Account Management _ Automated System Account Management | 4 | 25 | no data | | |
| NIST SP 800-53 Revision 5 → AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | | 20 | no data | | |