LOW Secrets Manager

Unused secrets

Check ID: aws-sm-002

AWS-SM-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags secrets in Secrets Manager that have not been accessed in over 90 days, which may indicate forgotten or abandoned credentials.

Why it matters

Unused secrets cost $0.40/month each and represent credentials that may have been abandoned when a service was decommissioned or migrated. These forgotten credentials are dangerous because they often retain their original permissions but lack monitoring or rotation. If an attacker discovers an unused secret through a code repository scan or a compromised state file, the credential likely still works because no one thought to revoke it. AWS recommends reviewing secrets not accessed in 90+ days and scheduling them for deletion with a 30-day recovery window. The recovery window provides a safety net: if a service still needs the secret, the deletion can be canceled before the secret is permanently removed.

Common causes

Unused secrets accumulate when applications are decommissioned but the associated secrets in Secrets Manager are not cleaned up. Teams migrating from one secret to another (for example, during a database migration) create new secrets but forget to delete the old ones. Secrets created for proof-of-concept projects or temporary integrations are left behind because no one tracks secret lifecycle or ownership.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Schedule deletion (30-day recovery window):
aws secretsmanager delete-secret --secret-id SECRET_NAME --recovery-window-in-days 30 --region REGION

Remediation: Terraform

# Remove the aws_secretsmanager_secret resource from Terraform config
# and run terraform apply.
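The 90-day rule above, worked through in Python as an added example (this is not cloud-audit's own code). It evaluates metadata shaped like the SecretList entries that the Secrets Manager ListSecrets API returns, handles two cases a naive check misses (a secret that has never been read has no LastAccessedDate; a secret already scheduled for deletion has a DeletedDate), and prints the delete-secret command from the remediation section for each finding. The secret names, dates and region are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 90   # threshold used by aws-sm-002
RECOVERY_WINDOW = 30    # days, matching the remediation command above
_utc = timezone.utc


def find_unused_secrets(secrets, now, threshold_days=STALE_AFTER_DAYS):
    """Return [(name, days_idle)] for secrets idle longer than threshold_days.
    `secrets` are dicts shaped like SecretList entries from ListSecrets.
    A never-read secret has no LastAccessedDate, so CreatedDate is used
    instead; a secret with DeletedDate is already scheduled and is skipped."""
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for s in secrets:
        if s.get("DeletedDate"):
            continue
        last_used = s.get("LastAccessedDate") or s.get("CreatedDate")
        if last_used is not None and last_used < cutoff:
            stale.append((s["Name"], (now - last_used).days))
    return stale


def remediation_command(name, region):
    """The AWS CLI line from the remediation section, filled in for one finding."""
    return (f"aws secretsmanager delete-secret --secret-id {name} "
            f"--recovery-window-in-days {RECOVERY_WINDOW} --region {region}")


# Constructed sample, not real account data. NOW is fixed so the result is stable.
NOW = datetime(2024, 6, 1, tzinfo=_utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "CreatedDate": datetime(2023, 1, 10, tzinfo=_utc),
     "LastAccessedDate": datetime(2024, 5, 30, tzinfo=_utc)},            # in use
    {"Name": "legacy/api-key", "CreatedDate": datetime(2022, 3, 1, tzinfo=_utc),
     "LastAccessedDate": datetime(2023, 11, 15, tzinfo=_utc)},           # idle 199 days
    {"Name": "poc/temp-token", "CreatedDate": datetime(2024, 1, 5, tzinfo=_utc)},   # never read, 148 days old
    {"Name": "old/retired", "CreatedDate": datetime(2021, 6, 1, tzinfo=_utc),
     "LastAccessedDate": datetime(2022, 1, 1, tzinfo=_utc),
     "DeletedDate": datetime(2024, 5, 20, tzinfo=_utc)},                 # already scheduled
    {"Name": "new/never-used", "CreatedDate": datetime(2024, 5, 1, tzinfo=_utc)},   # never read, only 31 days old
]

if __name__ == "__main__":
    for name, idle in find_unused_secrets(SAMPLE_SECRETS, NOW):
        print(f"{name}: idle {idle} days -> {remediation_command(name, 'us-east-1')}")
```

Against a live account, the same function can be fed the SecretList pages returned by the ListSecrets API; the sample here keeps it offline.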

This check is part of cloud-audit - install with pip install cloud-audit
