AWS Security Hub · SecretsManager
SecretsManager.1: Secrets are not rotated automatically
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub SecretsManager.1 check?
SecretsManager.1 checks each secret's RotationEnabled flag and fails when automatic rotation is not configured. A secret with rotation off keeps the same value it was given on day one, indefinitely.
Why does SecretsManager.1 matter?
Every system that has ever read a secret keeps a copy — in memory, env vars, container layers, CI logs, a developer's credentials file. The longer a credential lives, the more copies exist and the more people who have left still hold a working one. A six-month-old database password might sit on decommissioned build servers and unwiped laptops you can no longer enumerate. Rotation bounds that blast radius.
How do I fix SecretsManager.1?
- Attach a rotation Lambda (the AWS-provided templates cover RDS and common engines) and enable rotation on the secret.
- Set a rotation interval that meets your policy — 90 days or tighter for high-value credentials.
- Confirm the first rotation completes and the application picks up the new AWSCURRENT version.
Remediation script · bash
# Enable rotation on an RDS-backed secret with the AWS-managed Lambda, 30-day cadence.
aws secretsmanager rotate-secret \
  --secret-id prod/payments/db-master \
  --rotation-lambda-arn arn:aws:lambda:eu-west-1:123456789012:function:SecretsManagerRDSPostgreSQLRotationSingleUser \
  --rotation-rules AutomaticallyAfterDays=30

# Schedule deletion of stale secrets behind a recovery window (never force-delete in prod).
# GNU date syntax; on macOS/BSD use: date -u -v-90d +%FT%TZ
CUTOFF=$(date -u -d '90 days ago' +%FT%TZ)
# Note: secrets that have never been read carry no LastAccessedDate and are not matched by this filter.
for arn in $(aws secretsmanager list-secrets \
  --query "SecretList[?LastAccessedDate<='${CUTOFF}'].ARN" \
  --output text); do
  aws secretsmanager delete-secret --secret-id "$arn" --recovery-window-in-days 7
done

# Alarm so the next failed rotation pages a human, not the next audit.
# FunctionName must be the rotation Lambda attached above, and the SNS topic must be in the
# same region as the alarm (the Lambda's region), otherwise the alarm is created but never fires.
aws cloudwatch put-metric-alarm \
  --alarm-name secrets-rotation-failed --namespace AWS/Lambda --metric-name Errors \
  --dimensions Name=FunctionName,Value=SecretsManagerRDSPostgreSQLRotationSingleUser \
  --statistic Sum --period 3600 --evaluation-periods 1 \
  --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --alarm-actions arn:aws:sns:eu-west-1:123456789012:security-oncall

Full walkthrough (console steps, edge cases and verification) in the lesson Manage secrets (rotation and hygiene).
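The checks behind the steps and script above (is rotation enabled, has the first rotation actually produced a fresh AWSCURRENT version, which secrets does a 90-day staleness filter catch), as an added Python example that is not part of this page or of AWS's own tooling. It runs offline over constructed responses in the shape that `aws secretsmanager list-secrets` and `list-secret-version-ids` return; every name, ARN, version id and timestamp below is made up. It goes one step beyond the script's JMESPath filter by also judging secrets that have never been read, which carry no LastAccessedDate and silently fall out of that filter.

```python
"""SecretsManager.1 evaluation over AWS CLI / boto3 response shapes (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed "current time" for the demo, so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed: shape of `aws secretsmanager list-secrets` (CLI v2 ISO-8601 timestamps).
LIST_SECRETS = {
    "SecretList": [
        {
            "Name": "prod/payments/db-master",
            "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/payments/db-master-AbCdEf",
            "RotationEnabled": True,
            "RotationRules": {"AutomaticallyAfterDays": 30},
            "CreatedDate": "2023-01-10T09:00:00+00:00",
            "LastRotatedDate": "2024-05-20T02:10:00+00:00",
            "LastAccessedDate": "2024-05-31T00:00:00+00:00",
        },
        {
            "Name": "prod/reports/api-key",
            "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/reports/api-key-GhIjKl",
            "RotationEnabled": False,
            "CreatedDate": "2023-06-01T09:00:00+00:00",
            "LastAccessedDate": "2024-01-02T00:00:00+00:00",
        },
        {
            # Never read since creation: the LastAccessedDate key is absent entirely.
            "Name": "staging/legacy/ftp",
            "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:staging/legacy/ftp-MnOpQr",
            "RotationEnabled": False,
            "CreatedDate": "2023-02-01T09:00:00+00:00",
        },
    ]
}

# Constructed: shape of `aws secretsmanager list-secret-version-ids` after one successful rotation.
VERSIONS_AFTER_ROTATION = {
    "Versions": [
        {"VersionId": "a1b2c3d4-0000-0000-0000-000000000001",
         "VersionStages": ["AWSPREVIOUS"], "CreatedDate": "2024-04-20T02:10:00+00:00"},
        {"VersionId": "a1b2c3d4-0000-0000-0000-000000000002",
         "VersionStages": ["AWSCURRENT"], "CreatedDate": "2024-05-20T02:10:00+00:00"},
    ]
}


def parse_ts(value):
    """Parse a CLI/boto3 timestamp string into an aware datetime (accepts a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secrets_manager_1_failures(list_secrets):
    """Names of secrets that fail SecretsManager.1: RotationEnabled absent or false."""
    return [s["Name"] for s in list_secrets["SecretList"] if not s.get("RotationEnabled", False)]


def rotation_overdue(secret, now=NOW):
    """True when rotation is enabled but no completed rotation falls inside the configured
    interval. Catches a rotation Lambda that was attached but never ran to completion."""
    if not secret.get("RotationEnabled"):
        return False
    days = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    last = secret.get("LastRotatedDate")
    if days is None or last is None:
        return True  # enabled, but no schedule or no completed rotation yet
    return parse_ts(last) + timedelta(days=days) < now


def stale_secret_arns(list_secrets, now=NOW, days=90):
    """ARNs not read in `days` days. A secret without LastAccessedDate is judged on its
    CreatedDate instead of being dropped, unlike the JMESPath filter in the script."""
    cutoff = now - timedelta(days=days)
    return [
        s["ARN"] for s in list_secrets["SecretList"]
        if parse_ts(s.get("LastAccessedDate") or s["CreatedDate"]) <= cutoff
    ]


def current_version_is_fresh(versions, rotation_enabled_at):
    """Post-rotation check: exactly one version carries AWSCURRENT, it is not also the
    AWSPREVIOUS version, and it was created after rotation was switched on.
    Returns that VersionId, or None when the first rotation has not really landed."""
    current = [v for v in versions["Versions"] if "AWSCURRENT" in v["VersionStages"]]
    previous = {v["VersionId"] for v in versions["Versions"] if "AWSPREVIOUS" in v["VersionStages"]}
    if len(current) != 1:
        return None
    v = current[0]
    if v["VersionId"] in previous or parse_ts(v["CreatedDate"]) <= rotation_enabled_at:
        return None
    return v["VersionId"]


if __name__ == "__main__":
    print("SecretsManager.1 FAILED:", secrets_manager_1_failures(LIST_SECRETS))
    print("rotation overdue:", [s["Name"] for s in LIST_SECRETS["SecretList"] if rotation_overdue(s)])
    print("stale (90d):", stale_secret_arns(LIST_SECRETS))
    enabled_at = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed: when rotation was turned on
    print("fresh AWSCURRENT:", current_version_is_fresh(VERSIONS_AFTER_ROTATION, enabled_at))
```

To run this against a real account, feed it the output of `aws secretsmanager list-secrets --output json` and `aws secretsmanager list-secret-version-ids --secret-id <name> --output json` instead of the constructed dictionaries; the functions only depend on those response shapes. The `rotation_overdue` check is the one to schedule, since a secret passes SecretsManager.1 the moment the flag is set, long before anyone knows whether the Lambda succeeds.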
More SecretsManager controls
- SecretsManager.2 Rotation-configured secrets should rotate successfully
- SecretsManager.3 Stale unused secrets linger as a leak risk
- SecretsManager.4 Secrets lack a rotation schedule