Control: Secrets Manager secrets should be rotated within 365 days

Description

Ensure that AWS Secrets Manager secrets have been rotated in the past 365 days. The rule is non-compliant if a secret has not been rotated for more than 365 days. This control provides a more lenient rotation period compared to the 90-day requirement, which may be more suitable for some organizations.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.secretsmanager_secret_last_changed_365_day

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.secretsmanager_secret_last_changed_365_day --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when last_changed_date is null then 'alarm'
    when date(current_date) - date(last_changed_date) <= 365 then 'ok'
    else 'alarm'
  end as status,
  case
    when last_changed_date is null then title || ' never rotated.'
    else
      title || ' last rotated ' || extract(day from current_timestamp - last_changed_date) || ' day(s) ago.'
  end as reason
  
  , region, account_id
from
  aws_secretsmanager_secret;

Control: Secrets Manager secrets should be rotated within 365 days

Description

Usage

SQL

Tags