AWS Secrets Manager

Secrets Manager Small Rotation Window

Risk Level: Low

Description

This plugin checks that the rotation interval of each AWS Secrets Manager secret does not exceed the configured value. Rotation is the process of periodically replacing a secret's value. When a secret is rotated, both the value stored in the secret and the credentials on the service it protects are updated. It is recommended to configure rotation intervals as per your organization’s compliance standards.

Configuration Parameters

Secrets Manager Secret Rotation Interval: This parameter specifies the maximum number of days allowed between rotations of a secret.

By default, the value is set to 30, so the plugin raises a vulnerability alert for any secret whose rotation interval exceeds the 30-day limit.

About the Service

AWS Secrets Manager: As the name suggests, Secrets Manager enables you to replace hard-coded credentials in your code with an API call to Secrets Manager that retrieves the secret programmatically. An attacker who compromises the code therefore does not obtain the credentials, and the sensitive information they protect stays out of reach. Secrets Manager also manages access control to the secrets so that only authorized systems can retrieve them.

Impact

When a secret is rotated, both the value stored in the secret and the credentials on the service it protects are updated, so a longer rotation window is a longer period during which a leaked or misused credential remains valid. It is recommended to configure rotation intervals as per your organization’s compliance standards.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the AWS Secrets Manager console. You can use this link (https://console.aws.amazon.com/secretsmanager) to navigate directly if you are already logged in.
  3. Scroll down and select Secrets from the left pane.
  4. A list of secrets will appear. Choose the secret you want to examine by clicking on its Name.
  5. In the Rotation configuration section, check the rotation interval. If the interval is greater than the configured value, the vulnerability exists.
  6. Repeat these steps for all the secrets you want to investigate.
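The same check performed against the API instead of the console, as an added example that is not part of the plugin: boto3's secretsmanager client and its list_secrets paginator are real SDK calls, while the sample secrets are constructed. It goes one step beyond the console steps by also reducing rate()-style ScheduleExpression schedules to days, and flags cron() schedules for manual review rather than guessing.

```python
import re

DEFAULT_MAX_DAYS = 30  # the plugin's default rotation-interval parameter

# Constructed sample in the shape list_secrets/describe_secret return;
# not data from any real account.
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 90}},
    {"Name": "prod/api/key", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(10 days)"}},
    {"Name": "dev/cache/token", "RotationEnabled": False},
    {"Name": "prod/queue/cred", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "cron(0 8 1 * ? *)"}},
]

_RATE = re.compile(r"rate\((\d+)\s+(hour|hours|day|days)\)")

def rotation_window_days(rules):
    """Reduce RotationRules to a window in days, or None if not expressible.
    Newer secrets may carry a ScheduleExpression instead of
    AutomaticallyAfterDays; rate(...) is converted, cron(...) is not."""
    if rules.get("AutomaticallyAfterDays") is not None:
        return float(rules["AutomaticallyAfterDays"])
    m = _RATE.fullmatch(rules.get("ScheduleExpression", "").strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return n / 24 if unit.startswith("hour") else float(n)

def evaluate_secret(secret, max_days=DEFAULT_MAX_DAYS):
    """Verdict for one secret: FAIL means its window exceeds max_days."""
    if not secret.get("RotationEnabled"):
        return "NOT_ROTATED"  # no window at all; report separately
    days = rotation_window_days(secret.get("RotationRules") or {})
    if days is None:
        return "UNKNOWN"      # cron schedule: check it in the console
    return "FAIL" if days > max_days else "PASS"

def audit(secrets, max_days=DEFAULT_MAX_DAYS):
    """Map each secret name (or ARN) to its verdict."""
    return {s.get("Name", s.get("ARN")): evaluate_secret(s, max_days)
            for s in secrets}

def fetch_secrets(region_name=None):
    """Pull every secret's metadata from a live account (needs boto3)."""
    import boto3  # lazy import so the offline checks need no AWS SDK
    client = boto3.client("secretsmanager", region_name=region_name)
    pages = client.get_paginator("list_secrets").paginate()
    return [s for page in pages for s in page["SecretList"]]
```

Run `audit(fetch_secrets())` with credentials that allow secretsmanager:ListSecrets to audit a real account; `audit(SAMPLE_SECRETS)` exercises every verdict offline.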

Steps for Remediation

Enable rotation for your secrets with an interval no longer than the configured value.

  1. Log In to your AWS Console.
  2. Open the AWS Secrets Manager console. You can use this link (https://console.aws.amazon.com/secretsmanager) to navigate directly if you are already logged in.
  3. Scroll down and select Secrets from the left pane.
  4. A list of secrets will appear. Choose the vulnerable secret by clicking on its Name. 
  5. In the Rotation configuration section click on the Edit rotation button.
  6. Specify the number of days as well as the Lambda function required to rotate the secret.
  7. Click on Save after doing the changes.
  8. Repeat steps for all the vulnerable secrets.