AWS Secrets Manager secret is rotated within the configured maximum number of days
secretsmanager_secret_rotated_periodically
AWS Secrets Manager secrets are evaluated for periodic rotation within a configured window (default 90 days).
Secrets with no recorded rotation, or with rotation older than the allowed window, are identified for review.
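The evaluation the check describes (last rotation compared against a maximum-age window, never-rotated secrets flagged) as an added Python example. This is not Prowler's own implementation: the record shape mirrors the fields boto3's `list_secrets` returns (`Name`, `LastRotatedDate`, `RotationEnabled`), the sample secrets and reference time are constructed, and the choice to treat a missing `LastRotatedDate` as a failure and exactly 90 days as still within the window is an assumption of this example.

```python
"""Added example (not Prowler's own code): evaluate Secrets Manager secret
metadata against a maximum-days-since-rotation window. Sample records are
constructed to resemble boto3 `list_secrets` entries."""
from datetime import datetime, timedelta, timezone

# Configured window; the page's default is 90 days.
MAX_DAYS_SINCE_ROTATION = 90


def evaluate_secret(secret, max_days=MAX_DAYS_SINCE_ROTATION, now=None):
    """Return (status, reason) for one secret record.

    "PASS" when the secret was rotated within `max_days`; "FAIL" when it has
    no recorded rotation or the last rotation is older than the window.
    Treating exactly `max_days` as PASS is an assumption of this example.
    """
    now = now or datetime.now(timezone.utc)
    name = secret.get("Name") or secret.get("ARN", "<unknown>")
    last_rotated = secret.get("LastRotatedDate")
    if last_rotated is None:
        return "FAIL", f"Secret {name} has no recorded rotation."
    age_days = (now - last_rotated).days
    if age_days > max_days:
        return "FAIL", (f"Secret {name} was last rotated {age_days} days ago "
                        f"(limit {max_days}).")
    return "PASS", f"Secret {name} was last rotated {age_days} days ago."


def evaluate_all(secrets, max_days=MAX_DAYS_SINCE_ROTATION, now=None):
    """Map secret name -> (status, reason) for a list of secret records."""
    return {s["Name"]: evaluate_secret(s, max_days, now) for s in secrets}


def fetch_secrets(client):
    """Collect secret metadata from a live boto3 Secrets Manager client.

    Not exercised offline; `list_secrets` is paginated, so every page's
    SecretList is gathered before evaluation.
    """
    paginator = client.get_paginator("list_secrets")
    records = []
    for page in paginator.paginate():
        records.extend(page.get("SecretList", []))
    return records


# Constructed reference time and sample records (not real secrets).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "LastRotatedDate": NOW - timedelta(days=30)},    # within window
    {"Name": "prod/api/key", "RotationEnabled": True,
     "LastRotatedDate": NOW - timedelta(days=120)},   # stale rotation
    {"Name": "shared/cache/token", "RotationEnabled": True,
     "LastRotatedDate": NOW - timedelta(days=90)},    # boundary: still PASS
    {"Name": "legacy/service/token", "RotationEnabled": False},  # never rotated
]

if __name__ == "__main__":
    for status, reason in evaluate_all(SAMPLE_SECRETS, now=NOW).values():
        print(f"{status:4} {reason}")
```

For a real account, replace `SAMPLE_SECRETS` with `fetch_secrets(boto3.client("secretsmanager"))`; the IAM identity running it needs only `secretsmanager:ListSecrets`, since no secret values are read.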
Risk
Long-lived or never-rotated secrets widen the attack window. Leaked or brute-forced credentials stay valid, enabling unauthorized access to databases and APIs, data exfiltration, and unauthorized changes, compromising confidentiality and integrity.
prowler aws --checks secretsmanager_secret_rotated_periodically
Recommendation
Enable automatic rotation for all secrets with intervals aligned to sensitivity (90 days or more frequent). Ensure apps retrieve secrets at runtime. Apply least privilege to rotation roles and KMS keys, use separation of duties, and monitor rotation health with alerts. Avoid hard-coded credentials and retire unused secrets.
Remediation
aws secretsmanager rotate-secret --secret-id <secret-id>
- Open the AWS Console > Secrets Manager
- Select the secret
- If Rotation status is Enabled: click Rotate secret immediately
- If Rotation is Disabled: click Edit rotation, turn on Automatic rotation, choose the rotation Lambda function, Save, then click Rotate secret immediately
Resource Type
AwsSecretsManagerSecret