Secret Rotation
Secret last rotation is longer than 90 days
Description
Regularly rotating privileged secrets is crucial for protecting your business from malicious attacks. Without rotation, a malicious individual could gain access and use it to cause significant damage. Rotation makes unauthorized access much harder, keeping your organization secure.

Risk triggers
-
Secrets stored in vaults with an age older than 90 days (by default)
-
Age thresholds can be configured according to the policies of your organization
Mitigation
Secret should be rotated and updated in the vault.
Secrets should be constantly rotated to avoid a potential leak, misuse, and lack of compliance.
-
Inform the secret owner that his secret should be rotated.
-
Once the secret has been revoked and recreated, place it again in the vault in the same location and name so it can be used by the same workloads.
JSON Example
Risk JSON
account: {environment: "qa", environmentType: "QA"}
accountId: "116849364939"
accountType: "AWS"
category: "SECRET_HYGINE"
correlationGuid: "NTR-150716"
creationDate: "2024-09-22T16:01:21.330Z"
customData: [{label: "Secret path", value: "us-east-1/entro/connector/demoentro"},…]
customerId: 34
data: null
description: "If not rotated, secrets with high privileges can be abused unintentionally or by malicious actors. For example, these secrets can be used to destroy or delete data, create more backdoor secrets with high privileges and attack your organization endlessly."
destination: "AWS_ACCESS_KEY_ID"
guid: "RSK-8588"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 40287
isArchived: false
key: "ROTATE-SEC-1429"
linkedElements: ["SEC-1429"]
logChangeType: null
modifyDate: "2024-09-23T00:04:47.780Z"
name: "Secret last rotation is longer than 90 days"
occurrences: ["AWS_SECRETS_MANAGER"]
owner: "sam-entro-onboarding-CreateConnectorFunction"
ownerAiObject: null
ownerUid: null
path: "us-east-1/entro/connector/demoentro"
ruleCode: "SECRET_ROTATION"
scanId: 1719638
severity: "LOW"
source: "AWS"
status: "OPEN"
tags: ["SOC2", "qa"]
tasks: [{customerId: 34, riskId: 40287, type: "ROTATE_TOKEN", level: "HARD",…},…]
type: "ROTATE"
Linked Element (Vaulted Secret) JSON
accessorsPolicies: {,…}
account: {environment: "qa", environmentType: "QA", accountType: "AWS", id: "116849364939"}
accountId: "116849364939"
accountType: "AWS"
azureSecretType: null
correlationGuid: "NTR-150716"
creatorsPolicies: {,…}
customerId: 34
devices: [{role: "sam-entro-onboarding-CreateConnectorFunction", region: "us-east-1",…}]
errors: []
guid: "SEC-1429"
isActive: false
isArchived: false
isIdle: true
lastAccsesTime: "2024-06-26T14:22:53.868Z"
liminalCreationDate: "2024-06-20T15:45:30.972Z"
liminalModifyDate: "2024-10-31T13:49:36.236Z"
modifiersPolicies: {,…}
origin: "AWS_ACCESS_KEY_ID"
owner: "sam-entro-onboarding-CreateConnectorFunction"
ownerAiObject: {similarity: 1, ownerItemType: "username", elementItemType: "username",…}
ownerUid: "c16f7cee-c366-4b28-8af9-e9a416222d7d"
riskSeverity: "LOW"
scanId: 3055886
secretArn: "arn:aws:secretsmanager:us-east-1:116849364939:secret:entro/connector/demoentro-oCImA4"
secretCreationDate: "2024-06-20T15:16:39.471Z"
secretCreatorJSON: "{\"username\":\"sam-entro-onboarding-CreateConnectorFunction\",\"userArn\":\"arn:aws:sts::116849364939:assumed-role/sam-entro-onboarding-CreateConnectorFunctionRole/sam-entro-onboarding-CreateConnectorFunction\",\"sourceIP\":\"3.236.95.90\",\"accessTime\":\"2024-06-20T15:16:39.000Z\",\"userAgent\":\"aws-sdk-go-v2/1.26.1 os/linux lang/go#1.22.0 md/GOOS#linux md/GOARCH#amd64 api/secretsmanager#1.28.1\",\"eventName\":\"CreateSecret\"}"
secretLastAccessorJSON: "null"
secretLastModifierJSON: "null"
secretModifiedDate: "2024-06-20T15:16:39.500Z"
secretName: "entro/connector/demoentro"
secretObject: {,…}
secretRotationDate: "2024-06-20T15:16:39.495Z"
secretStore: "us-east-1"
secretTotalAccess: 0
secretTotalAccessors: 0
secretTotalIp: 0
secretTotalUserAgent: 0
secretVersion: "cb0f2f66-e1aa-4c06-baa7-6eea084780ab"
state: null
tags: {tags: []}
uid: "d34663aa-616a-4f13-880b-df13a99f3f6f"
vaultName: "us-east-1"
vaultPermissions: {}
versionCount: 1