turbot/steampipe-mod-aws-compliance

Control: 3 Remove unused Secrets Manager secrets

Description

This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was not accessed even once within the defined number of days, this control fails. A secret that has never been accessed also fails.

Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.

Remediation

You can delete inactive secrets from the Secrets Manager console.

To delete inactive secrets

  1. Open the Secrets Manager console.
  2. To locate the secret, enter the secret name in the search box.
  3. Choose the secret to delete.
  4. Under Secret details, from Actions, choose Delete secret.
  5. Under Schedule secret deletion, enter the number of days to wait before the secret is deleted (7 to 30 days; the secret can be restored until the window expires).
  6. Choose Schedule deletion.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_secretsmanager_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_secretsmanager_3 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when last_accessed_date is null then 'alarm'
    when date(current_date) - date(last_accessed_date) <= 90 then 'ok'
    else 'alarm'
  end as status,
  case
    when last_accessed_date is null then title || ' never accessed.'
    else title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.'
  end as reason,
  region,
  account_id
from
  aws_secretsmanager_secret;
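The remediation steps above are console clicks, and the query only reports. The script below is an added example, not code from the steampipe-mod-aws-compliance project or from AWS: it applies the same staleness decision as the query (no last-accessed date, or a last access more than 90 days ago, is an alarm) to the output of the Secrets Manager ListSecrets API, and then schedules deletion of the stale secrets with a recovery window so the action stays reversible. The account ID, secret names and dates in the sample are constructed; boto3 is assumed to be installed only for the live path, and without --apply the script is a dry run. Exclude deliberately rarely used secrets (break-glass credentials, for instance) before applying it.

```python
"""Added example (not part of steampipe-mod-aws-compliance or AWS documentation):
replicate the control's staleness test against the output of Secrets Manager
ListSecrets, then schedule deletion of stale secrets with a recovery window.
The filtering logic runs offline on the constructed sample at the bottom.
"""
from __future__ import annotations

import sys
from datetime import datetime, timedelta, timezone
from typing import Any

THRESHOLD_DAYS = 90          # the control's default window
RECOVERY_WINDOW_DAYS = 30    # DeleteSecret accepts 7..30; restorable until it expires


def is_stale(secret: dict[str, Any], now: datetime,
             threshold_days: int = THRESHOLD_DAYS) -> bool:
    """Same decision as the control's SQL: no LastAccessedDate -> alarm,
    otherwise alarm once the last access is more than threshold_days old.
    ListSecrets omits LastAccessedDate for secrets never retrieved in the
    Region and truncates it to midnight UTC, so compare calendar dates."""
    last = secret.get("LastAccessedDate")
    if last is None:
        return True
    return (now.date() - last.date()).days > threshold_days


def find_stale(secrets: list[dict[str, Any]], now: datetime,
               threshold_days: int = THRESHOLD_DAYS) -> list[dict[str, Any]]:
    """Stale secrets that are not already scheduled for deletion.
    ListSecrets hides scheduled deletions unless IncludePlannedDeletion=True;
    the DeletedDate check keeps this correct either way."""
    return [s for s in secrets
            if "DeletedDate" not in s and is_stale(s, now, threshold_days)]


def list_all_secrets(client) -> list[dict[str, Any]]:
    """Page through ListSecrets (NextToken) with a boto3 secretsmanager client."""
    secrets, kwargs = [], {}
    while True:
        page = client.list_secrets(**kwargs)
        secrets.extend(page.get("SecretList", []))
        if not page.get("NextToken"):
            return secrets
        kwargs["NextToken"] = page["NextToken"]


def schedule_deletion(client, secrets: list[dict[str, Any]],
                      recovery_window_days: int = RECOVERY_WINDOW_DAYS,
                      apply: bool = False) -> list[tuple[str, int]]:
    """Return (ARN, recovery window) pairs for every secret that would be
    scheduled for deletion; only calls DeleteSecret when apply=True."""
    if not 7 <= recovery_window_days <= 30:
        raise ValueError("RecoveryWindowInDays must be between 7 and 30")
    plan = [(s["ARN"], recovery_window_days) for s in secrets]
    if apply:
        for arn, window in plan:
            client.delete_secret(SecretId=arn, RecoveryWindowInDays=window)
    return plan


# Constructed sample in the shape ListSecrets returns (fictitious account, names, dates).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:{}-AbCdEf"
SAMPLE_SECRETS = [
    {"ARN": _ARN.format("prod/db-password"), "Name": "prod/db-password",
     "LastAccessedDate": SAMPLE_NOW - timedelta(days=10)},             # in use -> ok
    {"ARN": _ARN.format("prod/legacy-api-key"), "Name": "prod/legacy-api-key",
     "LastAccessedDate": SAMPLE_NOW - timedelta(days=120)},            # stale -> alarm
    {"ARN": _ARN.format("staging/unused"), "Name": "staging/unused"},  # never accessed -> alarm
    {"ARN": _ARN.format("old/retired"), "Name": "old/retired",
     "LastAccessedDate": SAMPLE_NOW - timedelta(days=400),
     "DeletedDate": SAMPLE_NOW - timedelta(days=2)},                   # already scheduled -> skip
]


def main(argv: list[str]) -> None:
    """Usage: python stale_secrets.py [--apply]   (dry run without --apply)."""
    import boto3  # imported here so the offline functions work without it
    client = boto3.client("secretsmanager")
    apply = "--apply" in argv
    stale = find_stale(list_all_secrets(client), datetime.now(timezone.utc))
    for arn, window in schedule_deletion(client, stale, apply=apply):
        verb = "scheduled" if apply else "would schedule"
        print(f"{verb} {arn} for deletion (recovery window {window} days)")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The boundary matches the query exactly: a secret last accessed 90 days ago is still ok, 91 days is an alarm. Because ListSecrets reports LastAccessedDate per Region and at day granularity, a secret read yesterday in another Region looks unused here, so review the plan output before running with --apply.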

Tags