AWS Secrets Manager

Secrets Manager Secret Rotation Disabled

Risk Level: Low

Description

This plugin checks that Secrets Manager is configured to automatically rotate the secret for a secured service or database. Rotation is the process of periodically updating a secret: when a secret is rotated, the credentials stored in the secret and the credentials configured on the service are both updated. It is recommended to enable secret rotation to improve the security posture of the sensitive information stored.

About the Service

AWS Secrets Manager: As the name suggests, Secrets Manager enables you to replace hardcoded credentials in your code with an API call to Secrets Manager that retrieves the secret programmatically. This ensures that the sensitive information protected by the credentials cannot be accessed by an attacker even if the code gets compromised. It also manages access control to the secrets so that only authorized systems can access them.

Impact

Without rotation, a credential stays valid indefinitely, so a credential that has been exposed can keep being used until someone changes it by hand. Rotation is the process of periodically updating a secret: when a secret is rotated, the credentials stored in the secret and the credentials configured on the service are both updated, which limits how long a compromised credential remains usable. It is recommended to enable secret rotation to improve the security posture of the sensitive information stored.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the AWS Secrets Manager console. You can use this link (https://console.aws.amazon.com/secretsmanager) to navigate directly if already logged in.
  3. Scroll down and select Secrets from the left pane.
  4. A list of secrets will appear. Choose the secret you want to examine by clicking on its Name.
  5. In the Rotation configuration section, check whether rotation is enabled. If the value is set to “Disabled”, the vulnerability exists.
  6. Repeat these steps for all the secrets you want to investigate.
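The same check can be run across every secret in an account instead of clicking through the console. The following script is an added example, not part of this plugin's code: it grades entries in the shape of the Secrets Manager ListSecrets response and, going one step beyond the console check, also flags secrets whose rotation is enabled but has not completed within the configured period (for example because the rotation Lambda is failing). The secret names and dates are constructed sample data; `fetch_secrets` is a hypothetical helper that needs boto3 and AWS credentials and is not used by the offline sample.

```python
from datetime import datetime, timedelta, timezone

def audit_secrets(secrets, now=None):
    """Return [(name, finding)] for a ListSecrets SecretList with rotation problems."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for secret in secrets:
        name = secret["Name"]
        # Same check as step 5 above: the console shows this state as "Disabled".
        if not secret.get("RotationEnabled", False):
            findings.append((name, "rotation disabled"))
            continue
        # Rotation can be enabled yet failing silently, so also compare the last rotation with the period.
        days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
        last = secret.get("LastRotatedDate")
        if days is None:
            continue  # schedule-expression rules are not graded by this example
        if last is None:
            findings.append((name, "rotation enabled but never completed"))
            continue
        due = last + timedelta(days=days)
        if now > due:
            findings.append((name, f"rotation overdue by {(now - due).days} days"))
    return findings

def fetch_secrets(region_name=None):
    """Page through ListSecrets with boto3 (needs AWS credentials; not used offline)."""
    import boto3  # imported here so the offline sample below runs without boto3
    client = boto3.client("secretsmanager", region_name=region_name)
    secrets = []
    for page in client.get_paginator("list_secrets").paginate():
        secrets.extend(page["SecretList"])
    return secrets

# Constructed sample in the SecretList shape; the secret names are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": False},
    {"Name": "prod/cache/token", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=10)},
    {"Name": "prod/api/key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=42)},
    {"Name": "legacy/ftp"},  # never configured, so RotationEnabled is absent
]

if __name__ == "__main__":
    for name, finding in audit_secrets(SAMPLE_SECRETS, now=NOW):
        print(f"{name}: {finding}")
```

Against a live account, pass `fetch_secrets()` to `audit_secrets` in place of the sample list; each finding maps to a secret that needs the remediation steps below.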

Steps for Remediation

Enable secret rotation for your secrets.

  1. Log in to your AWS Console.
  2. Open the AWS Secrets Manager console. You can use this link (https://console.aws.amazon.com/secretsmanager) to navigate directly if already logged in.
  3. Scroll down and select Secrets from the left pane.
  4. A list of secrets will appear. Choose the vulnerable secret by clicking on its Name.
  5. In the Rotation configuration section, click on the Edit rotation button.
  6. Enable rotation and specify the number of days as well as the Lambda function required to rotate the secret.
  7. Click on Save after making the changes.
  8. Repeat these steps for all the vulnerable secrets.