jjfrench
commented
2 months ago Scheduled for deletion since it was generated in the old CloudFormation stack
Closed bwbaker1 closed 2 months ago
jjfrench
commented
2 months ago Scheduled for deletion since it was generated in the old CloudFormation stack
Description:
This control checks whether an AWS Secrets Manager secret has been accessed within the specified time frame. The control fails if a secret is unused beyond the specified time frame. Unless you provide a custom parameter value for the access period, Security Hub uses a default value of 90 days.
Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.
Non-conpliant resource: arn:aws:secretsmanager:us-west-2:237694371684:secret:nasa-apt-api-lambda-prod-database-secrets-WCpI2L
Remediation Steps: https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-3
Acceptance Criteria: