
Secrets Manager secret has been accessed within the last 90 days

secretsmanager_secret_unused

Severity: medium
by Prowler

AWS Secrets Manager secrets with no retrieval activity within a configured window (default 90 days), judged by their most recent access timestamp, are reported as unused.
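The detection logic behind the check, as an added example that is not Prowler's own code: it runs over constructed entries in the shape returned by `list_secrets`, treats a secret that has never been retrieved as idle since its `CreatedDate`, and skips secrets already scheduled for deletion (`DeletedDate` set). The sample data and the `NOW` reference time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed reference time used instead of datetime.now() so results are stable.
NOW = datetime(2024, 9, 1, tzinfo=UTC)

# Constructed sample in the shape of Secrets Manager list_secrets() entries
# (in practice: boto3.client("secretsmanager").get_paginator("list_secrets")).
SAMPLE_SECRETS = [
    {"Name": "prod/db/password",
     "CreatedDate": datetime(2023, 1, 10, tzinfo=UTC),
     "LastAccessedDate": datetime(2024, 8, 20, tzinfo=UTC)},
    {"Name": "legacy/api-key",
     "CreatedDate": datetime(2022, 6, 1, tzinfo=UTC),
     "LastAccessedDate": datetime(2024, 3, 1, tzinfo=UTC)},
    # Never retrieved: Secrets Manager omits LastAccessedDate entirely.
    {"Name": "staging/never-read",
     "CreatedDate": datetime(2024, 2, 1, tzinfo=UTC)},
    # Already scheduled for deletion; no further action needed.
    {"Name": "old/scheduled",
     "CreatedDate": datetime(2021, 1, 1, tzinfo=UTC),
     "LastAccessedDate": datetime(2023, 1, 1, tzinfo=UTC),
     "DeletedDate": datetime(2024, 8, 25, tzinfo=UTC)},
    # Recently created and not yet read: still inside the window.
    {"Name": "new/unread",
     "CreatedDate": datetime(2024, 8, 15, tzinfo=UTC)},
]


def unused_secrets(secrets, now, max_unused_days=90):
    """Return [(name, days_idle)] for secrets not retrieved within the window.

    A secret with no LastAccessedDate has never been retrieved, so its idle
    time is measured from CreatedDate; otherwise a never-read secret would
    escape the check forever. Secrets with DeletedDate are excluded because
    they are already in their recovery window.
    """
    cutoff = now - timedelta(days=max_unused_days)
    findings = []
    for secret in secrets:
        if secret.get("DeletedDate") is not None:
            continue
        last_used = secret.get("LastAccessedDate") or secret.get("CreatedDate")
        if last_used is None:
            continue  # assumption: malformed entry without any timestamp
        if last_used < cutoff:
            findings.append((secret["Name"], (now - last_used).days))
    return findings
```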

Risk

Unused but still valid secrets jeopardize confidentiality and integrity:

  • Reuse by former users or through leaked code enables unauthorized access
  • Infrequent rotation or revocation lets an attacker persist unnoticed and exfiltrate data
  • Secret sprawl adds operational risk and extra cost

Run this check with Prowler CLI

prowler aws --checks secretsmanager_secret_unused

Recommendation

Apply a lifecycle policy for secrets:

  • Require ownership tags and periodic reviews
  • Rotate or disable, then retire secrets unused beyond policy
  • Enforce least privilege and monitor retrievals with alerts
  • Automate cleanup using recovery windows to prevent accidental loss

Remediation

CLI

aws secretsmanager delete-secret --secret-id <example_resource_id>

Other

  1. In the AWS Console, go to Secrets Manager
  2. Select the unused secret
  3. If the secret has replicas: in Replicate secret, select each replica and choose Actions > Delete replica
  4. Choose Actions > Delete secret
  5. Keep the default recovery window (or set one) and select Schedule deletion

Source Code

Resource Type

AwsSecretsManagerSecret

References