diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 01f40ad46a..900720e501 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -12,6 +12,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406)
 - Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
+- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
 ---
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.metadata.json b/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.metadata.json
index 4696d854cb..db7d5b0454 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.metadata.json
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_automatic_rotation_enabled/secretsmanager_automatic_rotation_enabled.metadata.json
@@ -1,29 +1,39 @@
 {
 "Provider": "aws",
 "CheckID": "secretsmanager_automatic_rotation_enabled",
- "CheckTitle": "Check if Secrets Manager secret rotation is enabled.",
- "CheckType": [],
+ "CheckTitle": "Secrets Manager secret has rotation enabled",
+ "CheckType": [
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
+ "Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"
+ ],
 "ServiceName": "secretsmanager",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name",
- "Severity": "medium",
+ "ResourceIdTemplate": "",
+ "Severity": "high",
 "ResourceType": "AwsSecretsManagerSecret",
- "Description": "Check if Secrets Manager secret rotation is enabled.",
- "Risk": "Rotating secrets minimizes exposure to attacks using stolen secrets.",
- "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html",
+ "Description": "**AWS Secrets Manager secrets** are evaluated for **automatic rotation**; the check determines if a rotation schedule is enabled for each secret",
+ "Risk": "Absent rotation, **long-lived secrets** widen the attack window:\n- Valid after leakage in code, images, or logs\n- Enable **unauthorized access** and **lateral movement**\n- Complicate incident response and recovery\nThis impacts **confidentiality** and **integrity**, and can threaten **availability** if revocation lags.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws secretsmanager rotate-secret --region --secret-id --rotation-lambda-arn --rotation-rules AutomaticallyAfterDays=30",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "CLI": "aws secretsmanager rotate-secret --secret-id --rotation-lambda-arn --rotation-rules AutomaticallyAfterDays=30",
+ "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::SecretsManager::RotationSchedule\n Properties:\n SecretId: \n RotationLambdaARN: \n RotationRules:\n AutomaticallyAfterDays: 30 # Critical: enables rotation on a 30-day schedule\n```",
+ "Other": "1. Open AWS Console > Secrets Manager\n2. Select the secret\n3. Click Rotation > Enable automatic rotation\n4. Choose the rotation Lambda function\n5. Set rotation interval to 30 days\n6. Save",
+ "Terraform": "```hcl\nresource \"aws_secretsmanager_secret_rotation\" \"\" {\n secret_id = \"\"\n rotation_lambda_arn = \"\"\n rotation_rules {\n automatically_after_days = 30 # Critical: enables rotation schedule\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Implement automated detective control to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets.",
- "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html"
+ "Text": "Enable **automatic rotation** for secrets and set schedules based on sensitivity (e.g., `30-90 days`). Enforce **least privilege** for accessing and rotating secrets and apply **separation of duties**. Monitor rotation health. Avoid hardcoded credentials; retrieve secrets at runtime and support versioned updates.",
+ "Url": "https://hub.prowler.com/check/secretsmanager_automatic_rotation_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "secrets"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": "Infrastructure Protection"
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.metadata.json b/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.metadata.json
index 9538080170..6c3bf28745 100644
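Review bot: None of the new `CLI`, `NativeIaC` or `Terraform` snippets warns that a rotation schedule only works if the rotation Lambda exists and is invocable by Secrets Manager; if the function lacks a resource-based policy allowing `secretsmanager.amazonaws.com` (ideally conditioned on `aws:SourceAccount`) or cannot reach the target store, the schedule is set, this check passes, and every scheduled rotation fails, so the secret is never actually rotated. I would add to `Recommendation.Text`: `Before enabling rotation, confirm the rotation function exists, can reach the credential store, and allows invocation by secretsmanager.amazonaws.com; verify the first rotation succeeds rather than only that a schedule is set.` The console steps `3. Click Rotation > Enable automatic rotation` also use different wording from the sibling `secretsmanager_secret_rotated_periodically` check in this same commit (`click Edit rotation, turn on Automatic rotation`); pick one phrasing for the two checks, which remediate the same control. The values after `--secret-id` and `--rotation-lambda-arn` appear empty in this rendering, which is likely angle-bracket placeholders stripped by the page rather than a defect in the commit, but worth a glance in the raw file.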
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.metadata.json
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_not_publicly_accessible/secretsmanager_not_publicly_accessible.metadata.json
@@ -1,32 +1,40 @@
 {
 "Provider": "aws",
 "CheckID": "secretsmanager_not_publicly_accessible",
- "CheckTitle": "Ensure Secrets Manager secrets are not publicly accessible.",
+ "CheckTitle": "Secrets Manager secret resource policy does not allow public access",
 "CheckType": [
- "Software and Configuration Checks/AWS Security Best Practices"
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+ "TTPs/Credential Access",
+ "Effects/Data Exposure"
 ],
 "ServiceName": "secretsmanager",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name",
+ "ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AwsSecretsManagerSecret",
- "Description": "This control checks whether Secrets Manager secrets are not publicly accessible via resource policies.",
- "Risk": "Publicly accessible secrets can expose sensitive information and pose a security risk.",
- "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html",
+ "Description": "**AWS Secrets Manager secrets** are evaluated for **public exposure** through resource-based policies that grant broad access, such as `Principal: \"*\"`, which would allow any principal to perform actions on the secret.",
+ "Risk": "**Public access** to a secret enables uncontrolled retrieval of secret values, compromising **confidentiality**. If broad actions are allowed, attackers can modify or delete the secret, impacting **integrity** and **availability**, and use exposed credentials for unauthorized data access and **lateral movement**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html",
+ "https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws secretsmanager delete-resource-policy --secret-id ",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "CLI": "aws secretsmanager put-resource-policy --secret-id --resource-policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam:::root\"},\"Action\":\"secretsmanager:GetSecretValue\",\"Resource\":\"*\"}]}' --block-public-policy",
+ "NativeIaC": "```yaml\n# CloudFormation: attach a non-public resource policy\nResources:\n :\n Type: AWS::SecretsManager::ResourcePolicy\n Properties:\n SecretId: \"\"\n BlockPublicPolicy: true # Critical: prevents policies that allow public access\n ResourcePolicy: # Critical: principal is restricted, not \"*\"\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n AWS: arn:aws:iam:::root\n Action: secretsmanager:GetSecretValue\n Resource: \"*\"\n```",
+ "Other": "1. Open AWS Console > Secrets Manager\n2. Select the secret > Overview tab > Resource permissions > Edit permissions\n3. Remove any statement with Principal set to \"*\" (or AWS: \"*\")\n4. Add an allow statement for only your account root principal: arn:aws:iam:::root\n5. Enable Block public access (if available) and click Save",
+ "Terraform": "```hcl\n# Restrict secret policy and block public access\nresource \"aws_secretsmanager_secret_policy\" \"\" {\n secret_arn = \"\"\n block_public_policy = true # Critical: blocks public policies\n policy = jsonencode({ # Critical: principal is not \"*\"\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = { AWS = \"arn:aws:iam:::root\" }\n Action = \"secretsmanager:GetSecretValue\"\n Resource = \"*\"\n }]\n })\n}\n```"
 },
 "Recommendation": {
- "Text": "Review and remove any public access from Secrets Manager policies to follow the Principle of Least Privilege.",
- "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html"
+ "Text": "Apply **least privilege** to resource policies:\n- Remove wildcards and limit access to specific principals\n- Add contextual conditions (e.g., VPC endpoints, source account/ARN)\n- Enable safeguards that block public policies\n- Prefer private access paths\n- Periodically review related identity and KMS policies",
+ "Url": "https://hub.prowler.com/check/secretsmanager_not_publicly_accessible"
 }
 },
 "Categories": [
- "internet-exposed"
+ "internet-exposed",
+ "secrets"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.metadata.json b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.metadata.json
index e7c2f4c9f4..567590da97 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.metadata.json
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_rotated_periodically/secretsmanager_secret_rotated_periodically.metadata.json
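Review bot: The comments `BlockPublicPolicy: true # Critical: prevents policies that allow public access` (CloudFormation) and `block_public_policy = true # Critical: blocks public policies` (Terraform) overstate what that flag does: on `PutResourcePolicy` it is a write-time validation that rejects the policy being submitted if it grants broad access, not a persistent guardrail, so it does nothing against a later `put-resource-policy` issued without it; likewise step 5 `Enable Block public access (if available)` describes a console switch that, as far as I know, Secrets Manager does not expose (unlike S3). I would reword the two comments to `# validates this policy is not public at write time` and replace step 5 with `Save; there is no persistent block-public-access setting, so enforce this with an SCP or a config rule`. The replacement policy grants `arn:aws:iam:::root` `GetSecretValue`, which only defers to the account's identity-based policies and is functionally equivalent to having no resource policy, i.e. to the `delete-resource-policy` remediation this hunk removes; keeping `aws secretsmanager delete-resource-policy --secret-id <secret-id>` as the primary CLI fix is simpler and strictly no looser. Finally, `Description` equates `Principal: \"*\"` with public access, but a wildcard principal paired with a restrictive condition such as `aws:PrincipalOrgID` or `aws:SourceVpce`, which `Recommendation.Text` itself suggests, is not public under AWS's definition, so the description should read `Principal: \"*\" without a condition that limits the principal`.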
@@ -1,26 +1,33 @@
 {
 "Provider": "aws",
 "CheckID": "secretsmanager_secret_rotated_periodically",
- "CheckTitle": "Secrets should be rotated periodically",
- "CheckType": [],
+ "CheckTitle": "AWS Secrets Manager secret is rotated within the configured maximum number of days",
+ "CheckType": [
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+ ],
 "ServiceName": "secretsmanager",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsSecretsManagerSecret",
- "Description": "Secrets should be rotated periodically to reduce the risk of unauthorized access.",
- "Risk": "Rotating secrets in your AWS account reduces the risk of unauthorized access, especially for credentials like passwords or API keys. Automatic rotation via AWS Secrets Manager replaces long-term secrets with short-term ones, lowering the chances of compromise.",
- "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html",
+ "Description": "**AWS Secrets Manager secrets** are evaluated for **periodic rotation** within a configured window (default `90` days).\n\nSecrets with no recorded rotation, or with rotation older than the allowed window, are identified for review.",
+ "Risk": "**Long-lived or never-rotated secrets** widen the attack window. Leaked or brute-forced credentials stay valid, enabling unauthorized access to databases and APIs, **data exfiltration**, and unauthorized changes-compromising **confidentiality** and **integrity**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html",
+ "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws secretsmanager rotate-secret --secret-id ",
- "NativeIaC": "",
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-4",
- "Terraform": ""
+ "CLI": "aws secretsmanager rotate-secret --secret-id ",
+ "NativeIaC": "```yaml\n# CloudFormation: enable rotation and rotate now\nResources:\n :\n Type: AWS::SecretsManager::RotationSchedule\n Properties:\n SecretId: # CRITICAL: target secret to rotate\n RotationLambdaARN: # CRITICAL: Lambda ARN used to perform rotation\n ScheduleExpression: rate(30 days) # CRITICAL: ensures rotation occurs within max allowed days\n RotateImmediatelyOnUpdate: true # CRITICAL: triggers an immediate rotation to pass the check\n```",
+ "Other": "1. Open the AWS Console > Secrets Manager\n2. Select the secret\n3. If Rotation status is Enabled: click Rotate secret immediately\n4. If Rotation is Disabled: click Edit rotation, turn on Automatic rotation, choose the rotation Lambda function, Save, then click Rotate secret immediately",
+ "Terraform": "```hcl\n# Enable rotation for the secret\nresource \"aws_secretsmanager_secret_rotation\" \"\" {\n secret_id = \"\" # CRITICAL: target secret\n rotation_lambda_arn = \"\" # CRITICAL: Lambda ARN used to rotate\n\n rotation_rules { \n automatically_after_days = 30 # CRITICAL: rotate within allowed days\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Configure automatic rotation for your Secrets Manager secrets.",
- "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_lambda.html"
+ "Text": "Enable **automatic rotation** for all secrets with intervals aligned to sensitivity (**`90` days or more frequent). Ensure apps retrieve secrets at runtime. Apply **least privilege** to rotation roles and KMS keys, use **separation of duties**, and monitor rotation health with alerts. Avoid hard-coded credentials and retire unused secrets.",
+ "Url": "https://hub.prowler.com/check/secretsmanager_secret_rotated_periodically"
 }
 },
 "Categories": [
diff --git a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.metadata.json b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.metadata.json
index 194d30158e..f83c3c8e9a 100644
--- a/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.metadata.json
+++ b/prowler/providers/aws/services/secretsmanager/secretsmanager_secret_unused/secretsmanager_secret_unused.metadata.json
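Review bot: The markdown in the new `Recommendation.Text` is broken: `(**\`90\` days or more frequent)` opens a bold span that is never closed, so everything after it renders bold on the hub page; change it to `(\`90\` days or more frequent)`. The CloudFormation comment `RotateImmediatelyOnUpdate: true # CRITICAL: triggers an immediate rotation to pass the check` frames the goal as satisfying the scanner and `true` is the property's default anyway; say `# rotate now so the secret is not left unrotated until the first scheduled run`. `Description` says secrets with `no recorded rotation` are flagged, which I read as the check relying on Secrets Manager's own rotation record; if so, a secret whose value is replaced out of band with `PutSecretValue` is still reported right after it was changed, and that caveat deserves a sentence in `Description` so users of external rotation workflows know why they see the finding. The `Risk` text also has `unauthorized changes-compromising`, which needs punctuation: `unauthorized changes, compromising`.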
@@ -1,26 +1,33 @@
 {
 "Provider": "aws",
 "CheckID": "secretsmanager_secret_unused",
- "CheckTitle": "Ensure secrets manager secrets are not unused",
- "CheckType": [],
+ "CheckTitle": "Secrets Manager secret has been accessed within the last 90 days",
+ "CheckType": [
+ "Software and Configuration Checks/AWS Security Best Practices"
+ ],
 "ServiceName": "secretsmanager",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name",
+ "ResourceIdTemplate": "",
 "Severity": "medium",
 "ResourceType": "AwsSecretsManagerSecret",
- "Description": "Checks whether Secrets Manager secrets are unused.",
- "Risk": "Unused secrets can be abused by former users or leaked to unauthorized entities, increasing the risk of unauthorized access and data breaches.",
- "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html",
+ "Description": "**AWS Secrets Manager secrets** with no retrieval activity beyond a configured window (default `90` days) are identified as **unused** based on their most recent access timestamp",
+ "Risk": "Unused yet valid secrets jeopardize **confidentiality** and **integrity**:\n- Reuse by ex-users or leaked code enables unauthorized access\n- Limited rotation/revocation increases stealth persistence and data exfiltration\n- Secret sprawl adds operational risk and extra cost",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-3",
+ "https://support.icompaas.com/support/solutions/articles/62000233606-ensure-secrets-manager-secrets-are-not-unused",
+ "https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws secretsmanager delete-secret --secret-id ",
+ "CLI": "aws secretsmanager delete-secret --secret-id ",
 "NativeIaC": "",
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-3",
+ "Other": "1. In the AWS Console, go to Secrets Manager\n2. Select the unused secret\n3. If the secret has replicas: in Replicate secret, select each replica and choose Actions > Delete replica\n4. Choose Actions > Delete secret\n5. Keep the default recovery window (or set one) and select Schedule deletion",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Regularly review Secrets Manager secrets and delete those that are no longer in use.",
- "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html"
+ "Text": "Apply a **lifecycle policy** for secrets:\n- Require ownership tags and periodic reviews\n- Rotate or disable, then retire secrets unused beyond policy\n- Enforce **least privilege** and monitor retrievals with alerts\n- Automate cleanup using recovery windows to prevent accidental loss",
+ "Url": "https://hub.prowler.com/check/secretsmanager_secret_unused"
 }
 },
 "Categories": [
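Review bot: The new `CheckTitle` hard-codes `within the last 90 days` while `Description` in the same hunk says the window is configurable with a `90`-day default, so anyone who lowers the threshold gets findings whose title contradicts their configuration; use `Secrets Manager secret has been accessed within the configured maximum number of days`, matching the rotated-periodically title this commit introduces. `AdditionalURLs` adds a third-party vendor page (`support.icompaas.com`) alongside the AWS documentation; remediation metadata shipped with the scanner should cite only authoritative sources, since that domain is outside the project's control and can change or disappear, so I would drop that entry. The `CLI` remediation `aws secretsmanager delete-secret --secret-id` leans on the default recovery window, and because the check is keyed on the most recent retrieval timestamp, a secret read only by a quarterly or disaster-recovery job will look unused; make the window explicit with `--recovery-window-in-days 30` and add to `Recommendation.Text`: `Never use --force-delete-without-recovery for a secret flagged only by this check; confirm no infrequent workload depends on it first.`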