Ensure Secrets Manager Secrets Are Not Unused
Overview
This check identifies AWS Secrets Manager secrets that have not been accessed within the past 90 days. Secrets without recent retrieval activity are flagged as unused based on their most recent access timestamp.
Risk
Unused secrets pose security and operational risks:
- Unauthorized access: Former employees or leaked code may still reference these secrets, enabling unauthorized access to your systems.
- Secret sprawl: Accumulating unused secrets increases management overhead and costs.
- Limited rotation: Secrets that are not actively monitored are less likely to be rotated, increasing the risk of credential compromise.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to view and delete Secrets Manager secrets
- Knowledge of which applications or services use each secret (check with your team before deleting)
Required IAM permissions
To complete this remediation, you need the following IAM permissions:
- secretsmanager:ListSecrets - to view all secrets
- secretsmanager:DescribeSecret - to check last accessed dates
- secretsmanager:DeleteSecret - to schedule deletion
- secretsmanager:RestoreSecret - to restore if deleted by mistake
AWS Console Method
1. Open the AWS Secrets Manager console
2. Review the Last retrieved column to identify secrets that have not been accessed recently
3. For each unused secret, click on the secret name to open its details
4. Before deleting, confirm with your team that the secret is truly no longer needed. Check:
   - Application configurations
   - Lambda functions
   - ECS task definitions
   - Any other services that might reference this secret
5. If the secret has replicas in other regions, delete the replicas first:
   - Click Actions > Delete replica
   - Repeat for each replica
6. To delete the secret:
   - Click Actions > Delete secret
   - Choose a recovery window (7-30 days) - this allows you to restore the secret if needed
   - Click Schedule deletion
Important: The secret is not immediately deleted. It enters a recovery window during which you can restore it if you discover it was still needed.
AWS CLI (optional)
List all secrets and their last accessed dates:
aws secretsmanager list-secrets \
--region us-east-1 \
--query 'SecretList[*].{Name:Name,LastAccessed:LastAccessedDate,ARN:ARN}' \
--output table
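The table above still has to be read by eye. The following added example (not Prowler's code and not part of the original page) applies the 90-day rule from the Overview to the JSON form of the same `list-secrets` output, and also separates secrets that were never retrieved and secrets already scheduled for deletion (which carry a DeletedDate). The sample response, names and dates are constructed; treating a missing LastAccessedDate as "never accessed" and the exact 90-day boundary as still in use are assumptions of this example.

```python
"""Classify Secrets Manager secrets by last retrieval using the 90-day rule.

Added example, not Prowler's implementation. Input is the JSON returned by
`aws secretsmanager list-secrets --include-planned-deletion --output json`
(the SecretList array); a constructed sample is embedded below.
"""
import json
from datetime import datetime, timedelta, timezone

UNUSED_AFTER_DAYS = 90  # threshold used by the check described in the Overview
REFERENCE_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed "today" for the sample

# Constructed sample response; every name, ARN and date here is invented.
SAMPLE_LIST_SECRETS = json.dumps({"SecretList": [
    {"Name": "prod/db/password", "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db/password-EXAMPLE",
     "LastAccessedDate": "2024-05-30T00:00:00+00:00"},
    {"Name": "legacy/api-key", "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:legacy/api-key-EXAMPLE",
     "LastAccessedDate": "2024-01-10T00:00:00+00:00"},
    {"Name": "never-read", "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:never-read-EXAMPLE",
     "CreatedDate": "2023-11-01T00:00:00+00:00"},
    {"Name": "old/smtp", "ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:old/smtp-EXAMPLE",
     "LastAccessedDate": "2024-01-02T00:00:00+00:00", "DeletedDate": "2024-06-01T00:00:00+00:00"},
]})


def classify_secret(secret, now, threshold_days=UNUSED_AFTER_DAYS):
    """Return 'scheduled_for_deletion', 'never_accessed', 'unused' or 'in_use'."""
    if "DeletedDate" in secret:
        return "scheduled_for_deletion"  # already remediated; restorable during the recovery window
    last = secret.get("LastAccessedDate")
    if last is None:
        # Assumption: no retrieval ever recorded, so review it alongside the unused ones.
        return "never_accessed"
    last_dt = datetime.fromisoformat(last)
    if last_dt.tzinfo is None:  # tolerate naive timestamps by assuming UTC
        last_dt = last_dt.replace(tzinfo=timezone.utc)
    # Assumption: accessed exactly threshold_days ago still counts as "within the past 90 days".
    return "unused" if now - last_dt > timedelta(days=threshold_days) else "in_use"


def find_unused_secrets(list_secrets_json, now=None, threshold_days=UNUSED_AFTER_DAYS):
    """Map each secret Name in a list-secrets response to its classification."""
    now = now or datetime.now(timezone.utc)
    secrets = json.loads(list_secrets_json)["SecretList"]
    return {s["Name"]: classify_secret(s, now, threshold_days) for s in secrets}


if __name__ == "__main__":
    for name, status in sorted(find_unused_secrets(SAMPLE_LIST_SECRETS, REFERENCE_NOW).items()):
        print(f"{status:22} {name}")
```

Pipe real output into `find_unused_secrets` (for example by reading the JSON file the CLI writes) and the "unused" and "never_accessed" entries are the candidates to confirm with your team before scheduling deletion.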
Get detailed information about a specific secret:
aws secretsmanager describe-secret \
--secret-id <your-secret-name> \
--region us-east-1
Schedule deletion of an unused secret (with 30-day recovery window):
aws secretsmanager delete-secret \
--secret-id <your-secret-name> \
--recovery-window-in-days 30 \
--region us-east-1
Schedule deletion with minimum recovery window (7 days):
aws secretsmanager delete-secret \
--secret-id <your-secret-name> \
--recovery-window-in-days 7 \
--region us-east-1
Force immediate deletion (use with extreme caution - cannot be undone):
aws secretsmanager delete-secret \
--secret-id <your-secret-name> \
--force-delete-without-recovery \
--region us-east-1
Restore a secret that was scheduled for deletion:
aws secretsmanager restore-secret \
--secret-id <your-secret-name> \
--region us-east-1
CloudFormation (optional)
CloudFormation does not directly support deleting secrets. However, you can remove secrets from your CloudFormation stack to trigger deletion.
If the secret was created via CloudFormation, simply remove the AWS::SecretsManager::Secret resource from your template and update the stack.
Example of a secret resource to remove:
# Remove this resource from your template to delete the secret
UnusedDatabaseSecret:
  Type: AWS::SecretsManager::Secret
  DeletionPolicy: Delete # Ensures the secret is deleted when removed from stack
  Properties:
    Name: my-unused-secret
    Description: This secret is no longer needed
Note: By default, CloudFormation retains secrets when removed from a stack. Set DeletionPolicy: Delete to ensure the secret is deleted when the resource is removed.
Terraform (optional)
If the secret was created via Terraform, remove the resource from your configuration and apply the changes.
Example of a secret resource to remove:
# Remove this resource block from your Terraform configuration
resource "aws_secretsmanager_secret" "unused_secret" {
  name                    = "my-unused-secret"
  recovery_window_in_days = 7 # Minimum recovery window
}
Run terraform plan to preview the deletion, then terraform apply to execute.
To delete a secret not managed by Terraform:
You can use the AWS CLI commands in the CLI section above, or import the secret into Terraform first and then remove it.
Verification
After scheduling deletion:
- Return to the Secrets Manager console
- Enable Show secrets scheduled for deletion to see the secret
- Verify the secret shows a Deletion date
Wait for the recovery window to pass to ensure no applications break. If something stops working, you can restore the secret before the deletion date.
CLI verification commands
Check if a secret is scheduled for deletion:
aws secretsmanager describe-secret \
--secret-id <your-secret-name> \
--region us-east-1 \
--query '{Name:Name,DeletedDate:DeletedDate}' \
--output table
List all secrets including those scheduled for deletion:
aws secretsmanager list-secrets \
--include-planned-deletion \
--region us-east-1 \
--query 'SecretList[*].{Name:Name,DeletedDate:DeletedDate}' \
--output table
Re-run Prowler to confirm the check passes:
prowler aws --check secretsmanager_secret_unused --region us-east-1
Additional Resources
- AWS Secrets Manager User Guide - Delete a secret
- AWS Secrets Manager User Guide - Restore a secret
- AWS Secrets Manager Best Practices
- Prowler Check Documentation
Notes
- Recovery window: Deleted secrets enter a recovery window (7-30 days) during which they can be restored. Use this safety feature to avoid accidental data loss.
- Replicated secrets: You cannot delete a primary secret that has replicas. Delete all replicas first.
- Cost considerations: You are charged for secrets even during the recovery window. Use --force-delete-without-recovery only when you are certain the secret is not needed.
- Monitoring: Consider setting up CloudWatch alarms to alert you when secrets scheduled for deletion are accessed - this indicates the secret may still be in use.
- Lifecycle policy: Implement a regular review process (e.g., quarterly) to identify and clean up unused secrets before they accumulate.