Control: Remove unused Secrets Manager secrets
Description
This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was accessed even once within the defined number of days, this control fails.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.secretsmanager_secret_last_used_1_daySnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.secretsmanager_secret_last_used_1_day --shareSQL
This control uses a named query:
select arn as resource, case when date(last_accessed_date) - date(created_date) >= 1 then 'ok' else 'alarm' end as status, case when date(last_accessed_date)- date(created_date) >= 1 then title || ' recently used.' else title || ' not used recently.' end as reason , region, account_idfrom aws_secretsmanager_secret;