AWS Secrets Manager secrets are evaluated for automatic rotation; the check determines whether a rotation schedule is enabled for each secret.
Risk
Absent rotation, long-lived secrets widen the attack window:
- Valid after leakage in code, images, or logs
- Enable unauthorized access and lateral movement
- Complicate incident response and recovery
This impacts confidentiality and integrity, and can threaten availability if revocation lags.
prowler aws --checks secretsmanager_automatic_rotation_enabled
Recommendation
Enable automatic rotation for secrets and set schedules based on sensitivity (e.g., 30-90 days). Enforce least privilege for accessing and rotating secrets and apply separation of duties. Monitor rotation health. Avoid hardcoded credentials; retrieve secrets at runtime and support versioned updates.
Remediation
aws secretsmanager rotate-secret --secret-id <example_resource_id> --rotation-lambda-arn <example_rotation_lambda_arn> --rotation-rules AutomaticallyAfterDays=30
- Open AWS Console > Secrets Manager
- Select the secret
- Click Rotation > Enable automatic rotation
- Choose the rotation Lambda function
- Set rotation interval to 30 days
- Save
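The same evaluation the check performs, as an added example that is not Prowler's own source: it classifies entries shaped like the `list_secrets` response, failing secrets with rotation disabled, with no schedule, with an interval beyond the recommended 30-90 day window, or whose last rotation is long overdue (a rotation-health signal). The sample secrets, the `MAX_ROTATION_DAYS` threshold and the "twice the interval" overdue rule are assumptions for illustration.

```python
"""Report Secrets Manager secrets whose automatic rotation is off or overdue."""
from datetime import datetime, timedelta, timezone

MAX_ROTATION_DAYS = 90  # assumed upper end of the 30-90 day window recommended above

def evaluate_secret(secret, now=None):
    """Classify one entry of list_secrets()["SecretList"] as ("PASS"|"FAIL", reason)."""
    now = now or datetime.now(timezone.utc)
    if not secret.get("RotationEnabled"):
        return "FAIL", "automatic rotation is not enabled"
    rules = secret.get("RotationRules", {})
    days = rules.get("AutomaticallyAfterDays")
    if days is None and not rules.get("ScheduleExpression"):
        return "FAIL", "rotation enabled but no schedule configured"
    if days is not None and days > MAX_ROTATION_DAYS:
        return "FAIL", f"rotation interval {days}d exceeds {MAX_ROTATION_DAYS}d"
    last = secret.get("LastRotatedDate")
    # Rotation health: a secret far past its interval suggests the rotation Lambda is failing.
    if last and days is not None and now - last > timedelta(days=2 * days):
        return "FAIL", f"last rotated {(now - last).days}d ago; rotation may be failing"
    return "PASS", "rotation enabled and on schedule"

def evaluate_secrets(secrets, now=None):
    return [(s["Name"], *evaluate_secret(s, now)) for s in secrets]

def fetch_secrets(region_name=None):
    """Pull every secret's metadata from a live account (needs AWS credentials)."""
    import boto3  # imported here so the evaluator itself runs offline
    client = boto3.client("secretsmanager", region_name=region_name)
    secrets = []
    for page in client.get_paginator("list_secrets").paginate():
        secrets.extend(page["SecretList"])
    return secrets

# Constructed sample mirroring the list_secrets() response shape (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=10)},
    {"Name": "legacy/api-key", "RotationEnabled": False},
    {"Name": "stale/token", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=120)},
]

if __name__ == "__main__":
    for name, status, reason in evaluate_secrets(SAMPLE_SECRETS, NOW):
        print(f"{status} {name}: {reason}")
```

Replace `SAMPLE_SECRETS` with `fetch_secrets()` to run against an account; `boto3` returns timezone-aware `LastRotatedDate` values, so the age arithmetic works unchanged.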
Source Code
Resource Type
AwsSecretsManagerSecret