id: secrets-rotation-disabled

info:
  name: Secret Rotation Disabled
  author: DhiyaneshDK
  severity: medium
  description: |
    Ensure that AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable automatic rotation feature for your secrets).
  impact: |
    Secret rotation disabled in AWS increases the risk of credential compromise and prolonged unauthorized access due to outdated or exposed secrets.
  remediation: |
    Enable automatic secret rotation in AWS Secrets Manager by configuring a rotation schedule and associating a Lambda function to periodically update and securely rotate the secrets.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/SecretsManager/rotation-enabled.html
    - https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/rotate-secret.html
  tags: cloud,devops,aws,amazon,secrets-manager,aws-cloud-config

variables:
  region: "us-west-2"

flow: |
  code(1)
  for(let SecretListName of iterate(template.secrets)){
    set("secretlist", SecretListName)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      aws secretsmanager list-secrets --region $region --query 'SecretList[*].Name' --output json

    extractors:
      - type: json
        name: secrets
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
        aws secretsmanager describe-secret --region $region --secret-id $secretlist --query 'RotationEnabled'

    matchers:
      - type: word
        words:
          - "false"

    extractors:
      - type: dsl
        dsl:
          - '"Secrets Rotation  " + secretlist + " is disabled"'
# digest: 4a0a00473045022100c17a44dd04ccb87127e129d486ed7cbe789ce7d504e4d70a29d18516a3fc6bd3022079a60b235e7942ba3d5fb3290ad0cf0a23e821e24efecf05bdb3f15bfaa46f15:922c64590222798bb761d5b6d8e72950