Severity: MEDIUM
Service: Secrets Manager

Secrets Manager rotation

Check ID: aws-sm-001

AWS-SM-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags Secrets Manager secrets that have no automatic rotation configured, and secrets whose last rotation was more than 90 days ago.

Why it matters

Secrets that never rotate remain valid indefinitely, giving an attacker unlimited time to use a leaked credential. Verizon DBIR 2024 reports that the median time to discover a credential compromise is 180 days; without rotation the secret stays exploitable for that entire window, whereas rotation caps the useful life of a leaked value at one rotation interval. AWS Secrets Manager supports automatic rotation through a Lambda function for RDS, Redshift, DocumentDB and custom secret types. Each rotation creates a new secret version, updates the credential in the target service, and promotes the new version: Secrets Manager invokes the rotation function once per step (createSecret, setSecret, testSecret, finishSecret), so the new value is first staged under the AWSPENDING label, then written to the target, then verified with a live login, and only then promoted to AWSCURRENT while the outgoing version is relabelled AWSPREVIOUS. For database credentials the AWS-provided rotation function templates implement two strategies: single-user, which changes the password of the existing user in place, and alternating-users, which switches between two users so the previously active credential keeps working until the next rotation. Either way the template handles the staging, testing and promotion logic; what remains is granting it the permissions and network access it needs.

Common causes

Secret rotation is often left unconfigured because it requires more than storing the value: a Lambda rotation function with the IAM permissions to read and write the secret, a resource-based policy that lets the secretsmanager.amazonaws.com service principal invoke the function, network access to the target database (and, when the function runs inside a VPC, a route or VPC endpoint back to the Secrets Manager API), and testing to confirm that rotation does not interrupt the application. Teams adopt Secrets Manager for the centralized management benefits but skip rotation because it is significantly more work than storing the secret. Organizations that rotate credentials manually on a quarterly basis often do not see the value in automating the process until a leaked-credential incident shows how long a manual cycle leaves the exposure open.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
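As an added example that is not cloud-audit's implementation, this is the logic the check applies, written in Python over the shape of a boto3 list_secrets() response. The sample secrets and timestamps are constructed, and the function goes a step beyond the rule stated above by also flagging a configured interval longer than 90 days, read from AutomaticallyAfterDays or a rate(N days) ScheduleExpression; scan_region shows how the same evaluation runs against a live account.

```python
"""Added example: the logic behind aws-sm-001 over list_secrets() output.
Not cloud-audit's own implementation; the sample secrets below are constructed."""
import re
from datetime import datetime, timedelta, timezone

MAX_ROTATION_AGE_DAYS = 90  # the threshold this check uses


def _interval_days(rules):
    """Rotation interval from RotationRules: AutomaticallyAfterDays, or a
    rate(N days) ScheduleExpression. None when it cannot be read (cron form)."""
    if not rules:
        return None
    if rules.get("AutomaticallyAfterDays") is not None:
        return int(rules["AutomaticallyAfterDays"])
    m = re.fullmatch(r"rate\((\d+) days?\)", rules.get("ScheduleExpression", ""))
    return int(m.group(1)) if m else None


def evaluate_secret(secret, now):
    """Return a finding for one entry of list_secrets()['SecretList'],
    or None when the secret passes aws-sm-001."""
    name = secret.get("Name", secret.get("ARN", "<unnamed>"))
    if not secret.get("RotationEnabled"):
        return f"{name}: automatic rotation is not configured"
    interval = _interval_days(secret.get("RotationRules"))
    if interval is not None and interval > MAX_ROTATION_AGE_DAYS:
        return f"{name}: rotation interval of {interval} days exceeds {MAX_ROTATION_AGE_DAYS}"
    # A freshly configured secret has no LastRotatedDate yet; fall back to CreatedDate
    # so a secret that was set up and then never actually rotated still ages out.
    last = secret.get("LastRotatedDate") or secret.get("CreatedDate")
    if last is None:
        return f"{name}: no rotation or creation timestamp to evaluate"
    age = (now - last).days
    if age > MAX_ROTATION_AGE_DAYS:
        return f"{name}: last rotated {age} days ago"
    return None


def scan_region(region_name, now=None):
    """Live scan; boto3 is imported here so the rest of the module runs offline."""
    import boto3
    now = now or datetime.now(timezone.utc)
    client = boto3.client("secretsmanager", region_name=region_name)
    findings = []
    for page in client.get_paginator("list_secrets").paginate():
        for secret in page["SecretList"]:
            finding = evaluate_secret(secret, now)
            if finding:
                findings.append(finding)
    return findings


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [  # constructed inputs in list_secrets() shape
    {"Name": "prod/db/app", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/api/key", "RotationEnabled": False,
     "CreatedDate": NOW - timedelta(days=400)},
    {"Name": "staging/db/app", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(180 days)"},
     "LastRotatedDate": NOW - timedelta(days=20)},
    {"Name": "legacy/db/app", "RotationEnabled": True,  # configured, but rotation has stalled
     "RotationRules": {"AutomaticallyAfterDays": 60},
     "LastRotatedDate": NOW - timedelta(days=95)},
]


def sample_findings():
    return [f for f in (evaluate_secret(s, NOW) for s in SAMPLE_SECRETS) if f]


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The last sample is the case worth watching for in practice: RotationEnabled is true, so a check that only looks at the flag would pass it, but the rotation function has been failing (or was never granted invoke permission) and the value is 95 days old. Comparing LastRotatedDate against the threshold catches it.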

Remediation: AWS CLI

aws secretsmanager rotate-secret --secret-id SECRET_NAME --rotation-lambda-arn arn:aws:lambda:REGION:ACCOUNT:function:rotation-fn --rotation-rules AutomaticallyAfterDays=90 --region REGION

Two things must already be in place for this call to succeed: the rotation function's resource-based policy must allow the secretsmanager.amazonaws.com service principal to invoke it, and the function's execution role must be allowed to read and write the secret (and, for database secrets, reach the database). rotate-secret also starts a rotation immediately unless --no-rotate-immediately is passed, so run it when an immediate rotation is acceptable. 90 days is the longest interval that satisfies this check; a shorter interval narrows the exposure window further.

Remediation: Terraform

resource "aws_secretsmanager_secret_rotation" "secret" {
  secret_id           = aws_secretsmanager_secret.secret.id
  rotation_lambda_arn = aws_lambda_function.rotation.arn
  rotation_rules {
    automatically_after_days = 90
  }
}

Pair this with an aws_lambda_permission resource that grants lambda:InvokeFunction on the rotation function to the secretsmanager.amazonaws.com principal; without it Secrets Manager cannot invoke the function and every scheduled rotation fails, which this check will then report as a secret not rotated in over 90 days.

This check is part of cloud-audit - install with pip install cloud-audit

Related Secrets Manager checks