WKLD.05 – Detect and remediate exposed secrets - AWS Prescriptive Guidance

WKLD.05 – Detect and remediate exposed secrets

In WKLD.03 – Use ephemeral secrets or a secrets-management service and WKLD.04 – Prevent application secrets from being exposed, you put measures in place to protect secrets. In this control, you deploy a solution that detects secrets that have bypassed those preventive measures (for example, a credential that was committed to source code before a pre-commit check existed) so that you can remediate them.

Amazon CodeGuru Reviewer detects application secrets in source code and provides a mechanism to remediate a finding by storing the detected secret in Secrets Manager. Application code for retrieving the secret from Secrets Manager at runtime is also provided. Note that moving a secret out of the code does not undo the exposure: a value that was committed to a repository should be treated as compromised and rotated after it is stored in Secrets Manager. Conduct a cost-benefit analysis to determine if this solution is right for your business. As an alternative, some of the open-source solutions in WKLD.04 – Prevent application secrets from being exposed can also scan an existing code base for secrets that were committed before the preventive checks were in place.
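The following is an added example, not code from the AWS guidance or from CodeGuru Reviewer, of what a detect-and-remediate pass looks like: a scanner that runs a few regex rules (AWS access key IDs, AWS secret access keys, generic credential assignments) and a Shannon-entropy heuristic over source text, reports findings with the secret redacted, and a `get_secret` helper showing the runtime Secrets Manager lookup that replaces the hard-coded literal. The rule patterns, entropy thresholds, file contents and the secret name `get_secret` is called with are assumptions chosen for the example; the `AKIA...`/`wJal...` values are the placeholder credentials from AWS documentation, not live keys.

```python
"""Scan source text for hard-coded secrets and report them redacted.

Added example for this page; patterns and thresholds are assumptions,
not CodeGuru Reviewer's detector rules.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Regex rules. The named group "secret" is the part that gets redacted in the report.
RULES = [
    ("aws_access_key_id",
     re.compile(r"(?P<secret>\b(?:AKIA|ASIA)[0-9A-Z]{16}\b)")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\W{0,5}(?P<secret>[A-Za-z0-9/+=]{40})")),
    ("generic_credential",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"](?P<secret>[^'\"]{8,})['\"]")),
]
# Entropy heuristic for long string literals that no regex explained (assumed thresholds).
STRING_LITERAL = re.compile(r"['\"](?P<secret>[A-Za-z0-9/+=_\-]{20,})['\"]")
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
HEX_THRESHOLD, BASE64_THRESHOLD = 3.0, 4.5  # bits per character


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(secret: str) -> str:
    """Never echo a full secret into a report or log; show a short prefix and the length."""
    return f"{secret[:4]}...[{len(secret)} chars]"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, name, redact(m.group("secret"))))
                hit = True
        if hit:
            continue  # a regex already explained this line; skip the entropy heuristic
        for m in STRING_LITERAL.finditer(line):
            literal = m.group("secret")
            threshold = HEX_THRESHOLD if HEX_ONLY.match(literal) else BASE64_THRESHOLD
            if shannon_entropy(literal) > threshold:
                findings.append(Finding(path, line_no, "high_entropy_string", redact(literal)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def get_secret(secret_id: str, region_name: str = "us-east-1") -> str:
    """Runtime lookup that replaces the hard-coded literal once the secret is in
    Secrets Manager (and has been rotated: the committed value is already exposed).
    Needs boto3 and AWS credentials, so it is imported lazily and never called by
    the offline scan below."""
    import boto3
    client = boto3.session.Session().client("secretsmanager", region_name=region_name)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


# Constructed sample sources. The AKIA/wJal values are AWS's documentation placeholders.
SAMPLE_FILES = {
    "app/config.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'db_password = "Winter2024!Rotate"\n'
        'REGION = os.environ.get("AWS_REGION", "us-east-1")\n'
    ),
    "app/tokens.py": (
        'SESSION_SIGNING_KEY = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"\n'
        'DEFAULT_BUCKET_NAME = "example-application-artifacts-bucket"\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.redacted}")
```

Running the scan reports four findings: the access key ID, the secret access key and the database password in `app/config.py`, and the hex signing key in `app/tokens.py`; the bucket name on the following line is long but low-entropy and is not reported. Each hit is the point where, after the value has been stored in Secrets Manager and rotated, the literal is replaced by a call such as `get_secret("prod/app/db_password")`.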

To set up CodeGuru Reviewer integration with Secrets Manager