Secrets Should Be Rotated Periodically
Overview
This check verifies that AWS Secrets Manager secrets are rotated within a reasonable timeframe (typically 90 days). Regular rotation limits how long a compromised credential remains valid.
Risk
When secrets like database passwords or API keys are never rotated, a single leak can grant attackers indefinite access. Regular rotation ensures that even if credentials are exposed, they become invalid quickly, reducing the window for unauthorized access and data breaches.
Remediation Steps
Prerequisites
You need permission to manage Secrets Manager secrets (secretsmanager:RotateSecret, secretsmanager:DescribeSecret). For automatic rotation, you also need a Lambda function that knows how to update the credential in its target system (e.g., rotate a database password).
About rotation Lambda functions
AWS provides rotation templates for common scenarios:
- Amazon RDS databases (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB)
- Amazon Redshift clusters
- Amazon DocumentDB clusters
- Generic credentials (custom template you can modify)
You can find these templates in the Secrets Manager console when enabling rotation, or in the AWS Secrets Manager rotation function templates.
AWS Console Method
- Open the AWS Secrets Manager console.
- Click on the secret you want to rotate.
- Scroll to the Rotation configuration section.
- If rotation is already enabled but you want to rotate now:
  - Click Rotate secret immediately.
- If rotation is not enabled:
  - Click Edit rotation.
  - Toggle Automatic rotation to On.
  - Set your rotation schedule (e.g., every 30 days).
  - Select or create a Lambda rotation function.
  - Click Save.
  - Optionally click Rotate secret immediately to test.
AWS CLI (optional)
List secrets and check rotation status:
```bash
aws secretsmanager list-secrets \
  --region us-east-1 \
  --query "SecretList[*].{Name:Name,RotationEnabled:RotationEnabled,LastRotatedDate:LastRotatedDate}"
```
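The command above only lists the raw fields; the script below (an added example, not part of the original page or of Prowler's own check code) applies the 90-day rule to that output and also flags the two cases a plain "last rotated" filter misses: rotation disabled outright, and rotation enabled but never completed. It assumes the `SecretList` field names returned by `list-secrets` and uses a constructed sample instead of a live account.

```python
"""Flag Secrets Manager secrets whose rotation is disabled, stale, or failing."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # the check's rotation window


def classify_secret(secret, now, max_age_days=MAX_AGE_DAYS):
    """Return a finding for one SecretList entry, or None if it passes.

    Uses the list-secrets fields RotationEnabled, LastRotatedDate and
    CreatedDate; dates are timezone-aware datetimes as boto3 returns them.
    """
    if not secret.get("RotationEnabled"):
        return "rotation disabled"
    # A secret that has rotation enabled but never completed a rotation has no
    # LastRotatedDate, so measure its age from creation instead of passing it.
    last = secret.get("LastRotatedDate") or secret.get("CreatedDate")
    if last is None:
        return "never rotated and no creation date"
    age = now - last
    if age > timedelta(days=max_age_days):
        if secret.get("LastRotatedDate") is None:
            return f"rotation enabled but never completed; secret is {age.days} days old"
        return f"last rotated {age.days} days ago (limit {max_age_days})"
    return None


def find_stale_secrets(secrets, now, max_age_days=MAX_AGE_DAYS):
    """Map secret name -> finding for every secret that fails the check."""
    return {s["Name"]: f for s in secrets if (f := classify_secret(s, now, max_age_days))}


# Constructed sample shaped like list-secrets output (not real account data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db", "RotationEnabled": True, "LastRotatedDate": NOW - timedelta(days=20)},
    {"Name": "prod/api-key", "RotationEnabled": False, "CreatedDate": NOW - timedelta(days=400)},
    {"Name": "staging/db", "RotationEnabled": True, "LastRotatedDate": NOW - timedelta(days=120)},
    {"Name": "new/db", "RotationEnabled": True, "CreatedDate": NOW - timedelta(days=200)},
]


def main():
    """Run against a live account (needs boto3 and credentials; not run on import)."""
    import boto3
    secrets = []
    for page in boto3.client("secretsmanager").get_paginator("list_secrets").paginate():
        secrets.extend(page["SecretList"])
    for name, finding in find_stale_secrets(secrets, datetime.now(timezone.utc)).items():
        print(f"{name}: {finding}")


if __name__ == "__main__":
    main()
```

On the constructed sample, `prod/db` passes and the other three are reported, including `new/db`, whose rotation is configured but has never produced a `LastRotatedDate`.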
View rotation details for a specific secret:
```bash
aws secretsmanager describe-secret \
  --secret-id <your-secret-name-or-arn> \
  --region us-east-1
```
Trigger an immediate rotation (requires rotation already configured):
```bash
aws secretsmanager rotate-secret \
  --secret-id <your-secret-name-or-arn> \
  --region us-east-1
```
Enable rotation with a Lambda function and schedule:
```bash
aws secretsmanager rotate-secret \
  --secret-id <your-secret-name-or-arn> \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:<account-id>:function:<rotation-function-name> \
  --rotation-rules "{\"AutomaticallyAfterDays\": 30}" \
  --rotate-immediately \
  --region us-east-1
```
CloudFormation (optional)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable rotation for AWS Secrets Manager secret

Parameters:
  SecretArn:
    Type: String
    Description: ARN of the secret to rotate
  RotationLambdaArn:
    Type: String
    Description: ARN of the Lambda function for rotation
  RotationDays:
    Type: Number
    Default: 30
    Description: Number of days between automatic rotations

Resources:
  SecretRotationSchedule:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref SecretArn
      RotationLambdaARN: !Ref RotationLambdaArn
      RotationRules:
        AutomaticallyAfterDays: !Ref RotationDays

Outputs:
  SecretRotationEnabled:
    Description: Confirmation that rotation is enabled
    Value: !Sub "Rotation enabled for ${SecretArn}"
```
Deploy the stack:
```bash
aws cloudformation deploy \
  --template-file rotation-schedule.yaml \
  --stack-name secret-rotation-config \
  --parameter-overrides \
    SecretArn=arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret \
    RotationLambdaArn=arn:aws:lambda:us-east-1:123456789012:function:my-rotation-function \
    RotationDays=30 \
  --region us-east-1
```
Terraform (optional)
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Enable rotation for an existing secret
resource "aws_secretsmanager_secret_rotation" "example" {
  secret_id           = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-abc123"
  rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:my-rotation-function"

  rotation_rules {
    automatically_after_days = 30
  }
}
```
Apply the configuration:
```bash
terraform init
terraform plan
terraform apply
```
Verification
- In the Secrets Manager console, open your secret.
- Check the Rotation configuration section shows Automatic rotation: Enabled.
- Verify Last rotated date is recent (within your rotation window).
CLI verification
```bash
aws secretsmanager describe-secret \
  --secret-id <your-secret-name-or-arn> \
  --region us-east-1 \
  --query "{RotationEnabled:RotationEnabled,RotationRules:RotationRules,LastRotatedDate:LastRotatedDate}"
```
Expected output shows RotationEnabled: true and a recent LastRotatedDate.
Additional Resources
- AWS Secrets Manager Rotation Documentation
- Rotation Function Templates
- Troubleshoot Rotation
- Prowler Check Documentation
Notes
- Rotation requires a Lambda function: The rotation function must know how to update the credential in the target service (database, API, etc.). AWS provides templates for common services like RDS.
- Test in non-production first: Rotation can cause brief connectivity issues if applications do not handle credential refresh properly. Test your rotation strategy in a staging environment.
- Application changes may be needed: Ensure your applications retrieve secrets at runtime rather than caching them indefinitely. The AWS SDK caches secrets for a short time by default.
- Rotation frequency: 30-90 days is typical. More sensitive secrets may warrant more frequent rotation.
- Monitor rotation health: Set up CloudWatch alarms for rotation failures. Failed rotations can leave secrets in an inconsistent state.