aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] sra/macie_org_delivery_key_arn and sra/guardduty_org_delivery_key_arn should be in SSM not Secrets Manager #262

Open lukenny opened 2 months ago

lukenny commented 2 months ago

Describe the bug

These ARNs should be in SSM Parameter Store, not Secrets Manager. If they are in Secrets Manager, they trigger this AWS Config security control: "SecretsManager.4 Secrets Manager secrets should be rotated within a specified number of days".

Control description: This control checks whether an AWS Secrets Manager secret is rotated at least once within the specified time frame. The control fails if a secret isn't rotated at least this frequently. Unless you provide a custom parameter value for the rotation period, Security Hub uses a default value of 90 days.

sra/macie_org_delivery_key_arn

sra/guardduty_org_delivery_key_arn

To Reproduce

Steps to reproduce the behavior:

N/A

Expected behavior

These ARNs are not secrets; they should be in SSM Parameter Store.

arn:aws:kms:us-west-2::key/xxxxxxxx-1234-xxxx-xxxx-xxxxxxxxxxxx

Screenshots

N/A

Deployment Environment (please complete the following information)

N/A

Additional context

Add any other context about the problem here.
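As an added illustration of the point in this report (not code from the SRA project), the script below flags Secrets Manager entries whose value is merely a KMS key ARN, which would fail SecretsManager.4 for no security benefit, and moves each one into an SSM `String` parameter before scheduling the secret for deletion. It assumes a leading slash on the SSM parameter name and runs against constructed in-memory fakes of the two boto3 clients; the account id and key id in the sample ARN are made up.

```python
import re

# The two SRA secret names the issue reports, copied from the issue.
SRA_ARN_SECRET_NAMES = ("sra/macie_org_delivery_key_arn", "sra/guardduty_org_delivery_key_arn")

# Shape of a KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>.
# The account field may be empty so the redacted ARN quoted in the issue also matches.
KMS_KEY_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{0,12}:key/[0-9a-z-]+$", re.I)

# Constructed sample value (made-up account id and key id), not a real key.
SAMPLE_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

def is_kms_key_arn(value: str) -> bool:
    """True when the value has the shape of a KMS key ARN, i.e. an identifier rather than a secret."""
    return KMS_KEY_ARN_RE.match(value.strip()) is not None

def find_non_secret_arns(secrets: dict[str, str]) -> list[str]:
    """Names of secrets whose value is a KMS key ARN; these fail SecretsManager.4 for no benefit."""
    return sorted(name for name, value in secrets.items() if is_kms_key_arn(value))

def migrate_arn_secret(secretsmanager, ssm, name: str) -> str:
    """Copy one ARN into an SSM String parameter and schedule the secret for deletion.
    Clients are boto3 `secretsmanager` and `ssm` clients (or fakes with the same calls).
    Assumption: the parameter is named "/<secret name>", since SSM needs a leading slash
    for names containing "/"; the 30-day recovery window keeps the deletion reversible."""
    value = secretsmanager.get_secret_value(SecretId=name)["SecretString"]
    if not is_kms_key_arn(value):
        raise ValueError(f"{name} does not hold a KMS key ARN; refusing to migrate")
    param_name = f"/{name}"
    ssm.put_parameter(Name=param_name, Value=value, Type="String", Overwrite=True)
    secretsmanager.delete_secret(SecretId=name, RecoveryWindowInDays=30)
    return param_name

class FakeSecretsManager:
    """In-memory stand-ins for the two boto3 clients so the example runs offline."""
    def __init__(self, store): self.store, self.deleted = dict(store), []
    def get_secret_value(self, SecretId): return {"SecretString": self.store[SecretId]}
    def delete_secret(self, SecretId, RecoveryWindowInDays): self.deleted.append(SecretId)

class FakeSSM:
    def __init__(self): self.params = {}
    def put_parameter(self, Name, Value, Type, Overwrite): self.params[Name] = (Value, Type)

def demo() -> dict:
    """Constructed account: the two SRA ARN 'secrets' plus one genuine secret that must stay put."""
    sm = FakeSecretsManager({n: SAMPLE_KEY_ARN for n in SRA_ARN_SECRET_NAMES} | {"app/db_password": "s3cr3t"})
    ssm = FakeSSM()
    moved = [migrate_arn_secret(sm, ssm, n) for n in find_non_secret_arns(sm.store)]
    return {"moved": moved, "deleted": sm.deleted, "ssm": ssm.params}
```

Against a real account, replace the fakes with `boto3.client("secretsmanager")` and `boto3.client("ssm")` and review the list returned by `find_non_secret_arns` before migrating anything.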