Control: Secrets Manager secrets should be rotated within specific number of days
Ensure that AWS Secrets Manager secrets have been rotated within the past specified number of days. The rule is non-compliant if a secret has not been rotated for more than 'maxDaysSinceRotation' days. The default value is 90 days.
Run the control in your terminal:
powerpipe control run aws_compliance.control.secretsmanager_secret_last_changed_90_day
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.secretsmanager_secret_last_changed_90_day --share
This control uses a named query:
select
  arn as resource,
  case
    when last_changed_date is null then 'alarm'
    when date(current_date) - date(last_changed_date) <= 90 then 'ok'
    else 'alarm'
  end as status,
  case
    when last_changed_date is null then title || ' never rotated.'
    else title || ' last rotated ' || extract(day from current_timestamp - last_changed_date) || ' day(s) ago.'
  end as reason,
  region,
  account_id
from
  aws_secretsmanager_secret;
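The evaluation rule behind that query, written out as an added Python example (not Powerpipe, Steampipe or mod code), with the 90-day window exposed as a parameter in the spirit of 'maxDaysSinceRotation'. The helper names `evaluate_secret` and `run_control` are hypothetical, and the secret records are constructed sample data shaped like the `aws_secretsmanager_secret` columns the control reads; the fixed "today" keeps the result deterministic.

```python
from datetime import date, datetime, timezone

# Hypothetical helper (not part of the Powerpipe/Steampipe mod): apply the
# control's rule to one secret record and return (status, reason).
def evaluate_secret(secret, max_days_since_rotation=90, today=None):
    """`secret` carries 'title' and 'last_changed_date' (a datetime or None),
    mirroring the aws_secretsmanager_secret columns used by the control."""
    today = today or datetime.now(timezone.utc).date()
    last_changed = secret.get("last_changed_date")
    if last_changed is None:
        # No last_changed_date means the secret has never been rotated: alarm.
        return "alarm", f"{secret['title']} never rotated."
    # Calendar-date difference, as in date(current_date) - date(last_changed_date).
    days = (today - last_changed.date()).days
    status = "ok" if days <= max_days_since_rotation else "alarm"
    return status, f"{secret['title']} last rotated {days} day(s) ago."


def run_control(secrets, max_days_since_rotation=90, today=None):
    """Evaluate every secret and return rows shaped like the query output."""
    rows = []
    for s in secrets:
        status, reason = evaluate_secret(s, max_days_since_rotation, today)
        rows.append({"resource": s["arn"], "status": status, "reason": reason,
                     "region": s["region"], "account_id": s["account_id"]})
    return rows


# Constructed sample records (placeholder ARNs/account id, not real AWS data).
TODAY = date(2024, 6, 1)
SAMPLE_SECRETS = [
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-pass-EXAMPLE",
     "title": "db-pass", "region": "us-east-1", "account_id": "111122223333",
     "last_changed_date": datetime(2024, 5, 1, tzinfo=timezone.utc)},    # 31 days -> ok
    {"arn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-key-EXAMPLE",
     "title": "api-key", "region": "us-east-1", "account_id": "111122223333",
     "last_changed_date": datetime(2024, 3, 3, tzinfo=timezone.utc)},    # exactly 90 days -> ok
    {"arn": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:smtp-EXAMPLE",
     "title": "smtp", "region": "eu-west-1", "account_id": "111122223333",
     "last_changed_date": datetime(2024, 2, 1, tzinfo=timezone.utc)},    # 121 days -> alarm
    {"arn": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:legacy-EXAMPLE",
     "title": "legacy", "region": "eu-west-1", "account_id": "111122223333",
     "last_changed_date": None},                                         # never rotated -> alarm
]

if __name__ == "__main__":
    for row in run_control(SAMPLE_SECRETS, today=TODAY):
        print(row["status"], "|", row["reason"])
```

Two details worth knowing when reading the control's results: a secret whose `last_changed_date` is null is reported as an alarm (it has never been rotated), and the day count in the `reason` column comes from the timestamp interval (`extract(day from current_timestamp - last_changed_date)`) while the `status` column uses the calendar-date difference, so the two can differ by one day right at the boundary.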