chore(aws): enhance metadata for secretsmanager service (#9408)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Rubén De la Torre Vico
2025-12-22 13:20:46 +01:00
committed by GitHub
parent 3eb2595f6d
commit 19e9a9965b
5 changed files with 82 additions and 49 deletions


@@ -12,6 +12,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406) - Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406)
- Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429) - Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427) - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
--- ---


@@ -1,29 +1,39 @@
{ {
"Provider": "aws", "Provider": "aws",
"CheckID": "secretsmanager_automatic_rotation_enabled", "CheckID": "secretsmanager_automatic_rotation_enabled",
"CheckTitle": "Check if Secrets Manager secret rotation is enabled.", "CheckTitle": "Secrets Manager secret has rotation enabled",
"CheckType": [], "CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)"
],
"ServiceName": "secretsmanager", "ServiceName": "secretsmanager",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name", "ResourceIdTemplate": "",
"Severity": "medium", "Severity": "high",
"ResourceType": "AwsSecretsManagerSecret", "ResourceType": "AwsSecretsManagerSecret",
"Description": "Check if Secrets Manager secret rotation is enabled.", "Description": "**AWS Secrets Manager secrets** are evaluated for **automatic rotation**; the check determines if a rotation schedule is enabled for each secret",
"Risk": "Rotating secrets minimizes exposure to attacks using stolen secrets.", "Risk": "Absent rotation, **long-lived secrets** widen the attack window:\n- Valid after leakage in code, images, or logs\n- Enable **unauthorized access** and **lateral movement**\n- Complicate incident response and recovery\nThis impacts **confidentiality** and **integrity**, and can threaten **availability** if revocation lags.",
"RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html", "RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "aws secretsmanager rotate-secret --region <REGION> --secret-id <SECRET-ID> --rotation-lambda-arn <LAMBDA-ARN> --rotation-rules AutomaticallyAfterDays=30", "CLI": "aws secretsmanager rotate-secret --secret-id <example_resource_id> --rotation-lambda-arn <example_resource_id> --rotation-rules AutomaticallyAfterDays=30",
"NativeIaC": "", "NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::SecretsManager::RotationSchedule\n Properties:\n SecretId: <example_resource_id>\n RotationLambdaARN: <example_resource_id>\n RotationRules:\n AutomaticallyAfterDays: 30 # Critical: enables rotation on a 30-day schedule\n```",
"Other": "", "Other": "1. Open AWS Console > Secrets Manager\n2. Select the secret\n3. Click Rotation > Enable automatic rotation\n4. Choose the rotation Lambda function\n5. Set rotation interval to 30 days\n6. Save",
"Terraform": "" "Terraform": "```hcl\nresource \"aws_secretsmanager_secret_rotation\" \"<example_resource_name>\" {\n secret_id = \"<example_resource_id>\"\n rotation_lambda_arn = \"<example_resource_id>\"\n rotation_rules {\n automatically_after_days = 30 # Critical: enables rotation schedule\n }\n}\n```"
}, },
"Recommendation": { "Recommendation": {
"Text": "Implement automated detective control to scan accounts for passwords and secrets. Use secrets manager service to store and retrieve passwords and secrets.", "Text": "Enable **automatic rotation** for secrets and set schedules based on sensitivity (e.g., `30-90 days`). Enforce **least privilege** for accessing and rotating secrets and apply **separation of duties**. Monitor rotation health. Avoid hardcoded credentials; retrieve secrets at runtime and support versioned updates.",
"Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html" "Url": "https://hub.prowler.com/check/secretsmanager_automatic_rotation_enabled"
} }
}, },
"Categories": [], "Categories": [
"secrets"
],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],
"Notes": "Infrastructure Protection" "Notes": "Infrastructure Protection"
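Review bot: The remediation snippets on L47, L48 and L50 use the single placeholder `<example_resource_id>` for both the secret and the rotation Lambda, so `--rotation-lambda-arn <example_resource_id>` reads as if the secret's own ARN should be passed; two different resources deserve two placeholders, e.g. `--secret-id <example_resource_id> --rotation-lambda-arn <rotation_lambda_arn>`, with the same change applied to `RotationLambdaARN` and `rotation_lambda_arn`. The Severity change from medium to high on L37 leaves this check stricter than secretsmanager_secret_rotated_periodically, which stays medium in the same commit; if that is deliberate it is worth a word in the PR description. The Description on L39 ends without a period, unlike L82 and L124 in the sibling files. The object's closing brace lies outside the hunk.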


@@ -1,32 +1,40 @@
{ {
"Provider": "aws", "Provider": "aws",
"CheckID": "secretsmanager_not_publicly_accessible", "CheckID": "secretsmanager_not_publicly_accessible",
"CheckTitle": "Ensure Secrets Manager secrets are not publicly accessible.", "CheckTitle": "Secrets Manager secret resource policy does not allow public access",
"CheckType": [ "CheckType": [
"Software and Configuration Checks/AWS Security Best Practices" "Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Credential Access",
"Effects/Data Exposure"
], ],
"ServiceName": "secretsmanager", "ServiceName": "secretsmanager",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name", "ResourceIdTemplate": "",
"Severity": "high", "Severity": "high",
"ResourceType": "AwsSecretsManagerSecret", "ResourceType": "AwsSecretsManagerSecret",
"Description": "This control checks whether Secrets Manager secrets are not publicly accessible via resource policies.", "Description": "**AWS Secrets Manager secrets** are evaluated for **public exposure** through resource-based policies that grant broad access, such as `Principal: \"*\"`, which would allow any principal to perform actions on the secret.",
"Risk": "Publicly accessible secrets can expose sensitive information and pose a security risk.", "Risk": "**Public access** to a secret enables uncontrolled retrieval of secret values, compromising **confidentiality**. If broad actions are allowed, attackers can modify or delete the secret, impacting **integrity** and **availability**, and use exposed credentials for unauthorized data access and **lateral movement**.",
"RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html", "RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html",
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "aws secretsmanager delete-resource-policy --secret-id <secret-id>", "CLI": "aws secretsmanager put-resource-policy --secret-id <secret-id> --resource-policy '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<ACCOUNT_ID>:root\"},\"Action\":\"secretsmanager:GetSecretValue\",\"Resource\":\"*\"}]}' --block-public-policy",
"NativeIaC": "", "NativeIaC": "```yaml\n# CloudFormation: attach a non-public resource policy\nResources:\n <example_resource_name>:\n Type: AWS::SecretsManager::ResourcePolicy\n Properties:\n SecretId: \"<example_resource_id>\"\n BlockPublicPolicy: true # Critical: prevents policies that allow public access\n ResourcePolicy: # Critical: principal is restricted, not \"*\"\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n AWS: arn:aws:iam::<ACCOUNT_ID>:root\n Action: secretsmanager:GetSecretValue\n Resource: \"*\"\n```",
"Other": "", "Other": "1. Open AWS Console > Secrets Manager\n2. Select the secret > Overview tab > Resource permissions > Edit permissions\n3. Remove any statement with Principal set to \"*\" (or AWS: \"*\")\n4. Add an allow statement for only your account root principal: arn:aws:iam::<ACCOUNT_ID>:root\n5. Enable Block public access (if available) and click Save",
"Terraform": "" "Terraform": "```hcl\n# Restrict secret policy and block public access\nresource \"aws_secretsmanager_secret_policy\" \"<example_resource_name>\" {\n secret_arn = \"<example_resource_id>\"\n block_public_policy = true # Critical: blocks public policies\n policy = jsonencode({ # Critical: principal is not \"*\"\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = { AWS = \"arn:aws:iam::<ACCOUNT_ID>:root\" }\n Action = \"secretsmanager:GetSecretValue\"\n Resource = \"*\"\n }]\n })\n}\n```"
}, },
"Recommendation": { "Recommendation": {
"Text": "Review and remove any public access from Secrets Manager policies to follow the Principle of Least Privilege.", "Text": "Apply **least privilege** to resource policies:\n- Remove wildcards and limit access to specific principals\n- Add contextual conditions (e.g., VPC endpoints, source account/ARN)\n- Enable safeguards that block public policies\n- Prefer private access paths\n- Periodically review related identity and KMS policies",
"Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html" "Url": "https://hub.prowler.com/check/secretsmanager_not_publicly_accessible"
} }
}, },
"Categories": [ "Categories": [
"internet-exposed" "internet-exposed",
"secrets"
], ],
"DependsOn": [], "DependsOn": [],
"RelatedTo": [], "RelatedTo": [],
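Review bot: The `put-resource-policy` call on L91 and the CloudFormation/Terraform bodies on L92 and L94 replace the secret's entire resource policy with a single account-root statement, which silently drops any legitimate cross-account or service-role grants the secret already has, whereas the console steps on L93 remove only the wildcard statement. A short caveat in the CLI value would align the three, e.g. `# put-resource-policy overwrites every existing statement; review the current policy with get-resource-policy first`. The Description on L82 names only `Principal: "*"`; whether the check also treats `"AWS": "*"`, or a wildcard principal narrowed by a Condition, as public is not visible here and could be stated explicitly. The placeholder style also mixes `<ACCOUNT_ID>`, `<secret-id>` and `<example_resource_id>` within one file. The object's closing brace lies outside the hunk.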


@@ -1,26 +1,33 @@
{ {
"Provider": "aws", "Provider": "aws",
"CheckID": "secretsmanager_secret_rotated_periodically", "CheckID": "secretsmanager_secret_rotated_periodically",
"CheckTitle": "Secrets should be rotated periodically", "CheckTitle": "AWS Secrets Manager secret is rotated within the configured maximum number of days",
"CheckType": [], "CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "secretsmanager", "ServiceName": "secretsmanager",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name", "ResourceIdTemplate": "",
"Severity": "medium", "Severity": "medium",
"ResourceType": "AwsSecretsManagerSecret", "ResourceType": "AwsSecretsManagerSecret",
"Description": "Secrets should be rotated periodically to reduce the risk of unauthorized access.", "Description": "**AWS Secrets Manager secrets** are evaluated for **periodic rotation** within a configured window (default `90` days).\n\nSecrets with no recorded rotation, or with rotation older than the allowed window, are identified for review.",
"Risk": "Rotating secrets in your AWS account reduces the risk of unauthorized access, especially for credentials like passwords or API keys. Automatic rotation via AWS Secrets Manager replaces long-term secrets with short-term ones, lowering the chances of compromise.", "Risk": "**Long-lived or never-rotated secrets** widen the attack window. Leaked or brute-forced credentials stay valid, enabling unauthorized access to databases and APIs, **data exfiltration**, and unauthorized changes-compromising **confidentiality** and **integrity**.",
"RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", "RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html",
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "aws secretsmanager rotate-secret --secret-id <secret-name>", "CLI": "aws secretsmanager rotate-secret --secret-id <secret-id>",
"NativeIaC": "", "NativeIaC": "```yaml\n# CloudFormation: enable rotation and rotate now\nResources:\n <example_resource_name>:\n Type: AWS::SecretsManager::RotationSchedule\n Properties:\n SecretId: <example_resource_id> # CRITICAL: target secret to rotate\n RotationLambdaARN: <example_resource_id> # CRITICAL: Lambda ARN used to perform rotation\n ScheduleExpression: rate(30 days) # CRITICAL: ensures rotation occurs within max allowed days\n RotateImmediatelyOnUpdate: true # CRITICAL: triggers an immediate rotation to pass the check\n```",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-4", "Other": "1. Open the AWS Console > Secrets Manager\n2. Select the secret\n3. If Rotation status is Enabled: click Rotate secret immediately\n4. If Rotation is Disabled: click Edit rotation, turn on Automatic rotation, choose the rotation Lambda function, Save, then click Rotate secret immediately",
"Terraform": "" "Terraform": "```hcl\n# Enable rotation for the secret\nresource \"aws_secretsmanager_secret_rotation\" \"<example_resource_name>\" {\n secret_id = \"<example_resource_id>\" # CRITICAL: target secret\n rotation_lambda_arn = \"<example_resource_id>\" # CRITICAL: Lambda ARN used to rotate\n\n rotation_rules { \n automatically_after_days = 30 # CRITICAL: rotate within allowed days\n }\n}\n```"
}, },
"Recommendation": { "Recommendation": {
"Text": "Configure automatic rotation for your Secrets Manager secrets.", "Text": "Enable **automatic rotation** for all secrets with intervals aligned to sensitivity (**`90` days or more frequent). Ensure apps retrieve secrets at runtime. Apply **least privilege** to rotation roles and KMS keys, use **separation of duties**, and monitor rotation health with alerts. Avoid hard-coded credentials and retire unused secrets.",
"Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_lambda.html" "Url": "https://hub.prowler.com/check/secretsmanager_secret_rotated_periodically"
} }
}, },
"Categories": [ "Categories": [
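Review bot: The Recommendation text on L139 has an unclosed bold marker, `(**`90` days or more frequent)`, which will render as a literal `**` wherever this Markdown is displayed; `(e.g., **`90` days** or more frequent)` closes it. The Risk text on L125 has `unauthorized changes-compromising`, where a hyphen stands in for a dash or a space. The CLI on L133, `rotate-secret --secret-id <secret-id>`, presumably only succeeds when a rotation Lambda is already attached to the secret, which the console steps on L135 spell out but the CLI value does not; a trailing comment such as `# requires rotation to be configured; otherwise add --rotation-lambda-arn <rotation_lambda_arn>` would close that gap. The Terraform block on L136 also carries trailing whitespace after `rotation_rules {`, and the object's closing brace lies outside the hunk.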


@@ -1,26 +1,33 @@
{ {
"Provider": "aws", "Provider": "aws",
"CheckID": "secretsmanager_secret_unused", "CheckID": "secretsmanager_secret_unused",
"CheckTitle": "Ensure secrets manager secrets are not unused", "CheckTitle": "Secrets Manager secret has been accessed within the last 90 days",
"CheckType": [], "CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "secretsmanager", "ServiceName": "secretsmanager",
"SubServiceName": "", "SubServiceName": "",
"ResourceIdTemplate": "arn:aws:secretsmanager:region:account-id:secret:secret-name", "ResourceIdTemplate": "",
"Severity": "medium", "Severity": "medium",
"ResourceType": "AwsSecretsManagerSecret", "ResourceType": "AwsSecretsManagerSecret",
"Description": "Checks whether Secrets Manager secrets are unused.", "Description": "**AWS Secrets Manager secrets** with no retrieval activity beyond a configured window (default `90` days) are identified as **unused** based on their most recent access timestamp",
"Risk": "Unused secrets can be abused by former users or leaked to unauthorized entities, increasing the risk of unauthorized access and data breaches.", "Risk": "Unused yet valid secrets jeopardize **confidentiality** and **integrity**:\n- Reuse by ex-users or leaked code enables unauthorized access\n- Limited rotation/revocation increases stealth persistence and data exfiltration\n- Secret sprawl adds operational risk and extra cost",
"RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html", "RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-3",
"https://support.icompaas.com/support/solutions/articles/62000233606-ensure-secrets-manager-secrets-are-not-unused",
"https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html"
],
"Remediation": { "Remediation": {
"Code": { "Code": {
"CLI": "aws secretsmanager delete-secret --secret-id <secret-arn>", "CLI": "aws secretsmanager delete-secret --secret-id <example_resource_id>",
"NativeIaC": "", "NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/secretsmanager-controls.html#secretsmanager-3", "Other": "1. In the AWS Console, go to Secrets Manager\n2. Select the unused secret\n3. If the secret has replicas: in Replicate secret, select each replica and choose Actions > Delete replica\n4. Choose Actions > Delete secret\n5. Keep the default recovery window (or set one) and select Schedule deletion",
"Terraform": "" "Terraform": ""
}, },
"Recommendation": { "Recommendation": {
"Text": "Regularly review Secrets Manager secrets and delete those that are no longer in use.", "Text": "Apply a **lifecycle policy** for secrets:\n- Require ownership tags and periodic reviews\n- Rotate or disable, then retire secrets unused beyond policy\n- Enforce **least privilege** and monitor retrievals with alerts\n- Automate cleanup using recovery windows to prevent accidental loss",
"Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html" "Url": "https://hub.prowler.com/check/secretsmanager_secret_unused"
} }
}, },
"Categories": [ "Categories": [
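Review bot: The AdditionalURLs list on L163–L167 includes a third-party support article (`support.icompaas.com`, L165) alongside the AWS documentation; for a security-check reference list I would keep only the AWS links, since a vendor knowledge-base page can move or change content without notice and the two AWS entries already cover both the control and the deletion procedure. The CLI on L170, `delete-secret --secret-id <example_resource_id>`, relies on the implicit default recovery window; stating it, `aws secretsmanager delete-secret --secret-id <example_resource_id> --recovery-window-in-days 30`, makes the safety net explicit and matches step 5 of the console procedure on L172. The Description on L160 ends without a period, unlike L124 in the sibling file. The object's closing brace lies outside the hunk.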