
💼 [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • Contextual name: 💼 [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

  • ID: /frameworks/aws-fsbp-v1.0.0/secrets-manager/04

  • Located in: 💼 Secrets Manager

Description

Rotating secrets reduces the risk of unauthorized use of the secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. The longer a secret goes unchanged, the more likely it is to have been compromised at some point in its life.

As more users get access to a secret, it becomes more likely that someone has mishandled it and leaked it to an unauthorized party. Secrets leak through logs and cached data. They get shared for debugging and are neither changed nor revoked once the debugging is over. For all these reasons, secrets should be rotated frequently.

You can configure automatic rotation for secrets in AWS Secrets Manager. With automatic rotation, you replace long-lived secrets with short-lived ones, which significantly reduces the window in which a leaked value is useful. Enabling rotation is not by itself what this control measures: a secret whose rotation function keeps failing is still unrotated, so evaluate the secret's last-rotation timestamp rather than only whether rotation is enabled.
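The check the control describes, expressed as an added example (not AWS, Security Hub or Config code): flag every secret whose last rotation is older than a threshold, using the field shapes that boto3's `list_secrets` returns. Two things are my assumptions, not stated on this page: a secret that has never been rotated is judged by its `CreatedDate`, and the default threshold is 90 days. The sample secrets are constructed inline so the logic runs offline; `scan_account` and `enable_rotation` show the same logic and the rotation setup against a real account and need boto3 plus credentials (the rotation Lambda ARN is yours to supply).

```python
"""Find Secrets Manager secrets not rotated within max_days (added example)."""
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_DAYS = 90  # assumption: mirrors the control's default threshold


def last_rotation(secret: dict) -> datetime:
    """Timestamp this check treats as the last rotation.

    `secret` is one entry of a list_secrets()/describe_secret() response.
    Never-rotated secrets fall back to CreatedDate (assumption, see lead-in).
    """
    return secret.get("LastRotatedDate") or secret["CreatedDate"]


def days_since_rotation(secret: dict, now: datetime) -> int:
    return (now - last_rotation(secret)).days


def is_stale(secret: dict, now: datetime, max_days: int = DEFAULT_MAX_DAYS) -> bool:
    """True when the secret has not been rotated within max_days.

    RotationEnabled is deliberately ignored: a secret whose rotation Lambda
    keeps failing has RotationEnabled=True and an old LastRotatedDate, which is
    exactly the case this check must surface.
    """
    return days_since_rotation(secret, now) > max_days


def stale_secrets(secrets, now: datetime, max_days: int = DEFAULT_MAX_DAYS):
    """Return [(name, days_since_rotation, rotation_enabled)] for failing secrets."""
    return [
        (s["Name"], days_since_rotation(s, now), bool(s.get("RotationEnabled")))
        for s in secrets
        if is_stale(s, now, max_days)
    ]


# Constructed sample data in the shape boto3 returns; not from a real account.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {   # rotated 20 days ago: compliant
        "Name": "prod/db/app-user",
        "CreatedDate": NOW - timedelta(days=400),
        "LastRotatedDate": NOW - timedelta(days=20),
        "RotationEnabled": True,
    },
    {   # rotation enabled, but it has not succeeded for 120 days: non-compliant
        "Name": "prod/db/reporting",
        "CreatedDate": NOW - timedelta(days=400),
        "LastRotatedDate": NOW - timedelta(days=120),
        "RotationEnabled": True,
    },
    {   # never rotated, created 200 days ago: non-compliant
        "Name": "third-party/api-key",
        "CreatedDate": NOW - timedelta(days=200),
        "RotationEnabled": False,
    },
    {   # never rotated but only 10 days old: compliant for now
        "Name": "staging/token",
        "CreatedDate": NOW - timedelta(days=10),
    },
]


def scan_account(max_days: int = DEFAULT_MAX_DAYS):
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure logic above runs without it
    client = boto3.client("secretsmanager")
    secrets = []
    for page in client.get_paginator("list_secrets").paginate():
        secrets.extend(page["SecretList"])
    return stale_secrets(secrets, datetime.now(timezone.utc), max_days)


def enable_rotation(client, secret_id: str, rotation_lambda_arn: str, every_days: int = 30):
    """Turn on automatic rotation; rotation_lambda_arn is your own rotation function."""
    return client.rotate_secret(
        SecretId=secret_id,
        RotationLambdaARN=rotation_lambda_arn,
        RotationRules={"AutomaticallyAfterDays": every_days},
    )


if __name__ == "__main__":
    for name, age, enabled in stale_secrets(SAMPLE_SECRETS, NOW):
        print(f"NON_COMPLIANT {name}: last rotated {age} days ago (RotationEnabled={enabled})")
```

Running it on the sample data reports `prod/db/reporting` and `third-party/api-key`; the first of these is the case that a check on `RotationEnabled` alone would miss.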

Similar

Similar Sections (Give Policies To)

| Section | Sub Sections / Internal Rules / Policies / Flags (counts as extracted) |
|---|---|
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management | 416 |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 10 |
| 💼 PCI DSS v4.0.1 → 💼 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | 1 |
| 💼 PCI DSS v4.0.1 → 💼 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse. | 1 |

Sub Sections

None.