v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 3 Remove unused Secrets Manager secrets

Description

This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was accessed even once within the defined number of days, this control fails.

Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.

Remediation

You can delete inactive secrets from the Secrets Manager console.

To delete inactive secrets

  1. Open the Secrets Manager console.
  2. To locate the secret, enter the secret name in the search box.
  3. Choose the secret to delete.
  4. Under Secret details, from Actions, choose Delete secret.
  5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted.
  6. Choose Schedule deletion.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_secretsmanager_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_secretsmanager_3 --share

SQL

This control uses a named query:

secretsmanager_secret_unused_90_day

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_access_management
foundational_security_item_id = secretsmanager_3
plugin = aws
service = AWS/SecretsManager