Audit secrets for compliance by using AWS Config - AWS Secrets Manager


You can use AWS Config to evaluate your secrets and assess how well they comply with your internal practices, industry guidelines, and regulations. You define your internal security and compliance requirements for secrets using AWS Config rules. Then AWS Config can identify secrets that don't conform to your rules. You can also track changes to secret metadata, rotation configuration, the KMS key used for secret encryption, the Lambda rotation function, and tags associated with a secret.

You can receive notifications from Amazon SNS about your secret configurations. For example, you can receive an Amazon SNS notification listing the secrets that are not configured for rotation, which lets you drive the security best practice of rotating secrets.

If you have secrets in multiple AWS accounts and AWS Regions in your organization, you can aggregate that configuration and compliance data.

Monitoring secrets with AWS Config is supported in all AWS Regions except Asia Pacific (Jakarta).

To add a new rule for your secrets

After you save the rule, AWS Config evaluates your secrets every time the metadata of a secret changes. You can configure AWS Config to notify you of changes. For more information, see Notifications that AWS Config sends to an Amazon SNS topic.
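Beyond the managed rules, a custom AWS Config rule lets you encode your own requirements for secrets. The following is an added example (not code from the AWS documentation) of a Lambda evaluation function for such a rule: it checks that rotation is enabled, that the rotation interval is within a policy limit, and that the secret is encrypted with a customer managed KMS key. The configuration field names (`rotationEnabled`, `rotationRules.automaticallyAfterDays`, `kmsKeyId`), the `maxRotationDays` rule parameter and the sample items are assumptions to verify against a real configuration item.

```python
import json

MAX_ROTATION_DAYS = 90  # constructed policy limit, not an AWS default


def evaluate_secret(configuration, max_rotation_days=MAX_ROTATION_DAYS, require_cmk=True):
    """Return (ComplianceType, Annotation) for one AWS::SecretsManager::Secret.
    Field names are assumed from the Secrets Manager resource schema."""
    problems = []
    if not configuration.get("rotationEnabled"):
        problems.append("rotation is not enabled")
    else:
        days = (configuration.get("rotationRules") or {}).get("automaticallyAfterDays")
        if days is None or days > max_rotation_days:
            problems.append(f"rotation interval {days} exceeds {max_rotation_days} days")
    # An empty kmsKeyId means the AWS managed key (aws/secretsmanager) is in use.
    if require_cmk and not configuration.get("kmsKeyId"):
        problems.append("not encrypted with a customer managed KMS key")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "rotation and encryption meet policy"


def build_evaluation(event):
    """Parse the AWS Config invocation event and produce one evaluation record."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    if item["resourceType"] != "AWS::SecretsManager::Secret":
        compliance, note = "NOT_APPLICABLE", "not a Secrets Manager secret"
    else:
        limit = int(params.get("maxRotationDays", MAX_ROTATION_DAYS))  # assumed parameter name
        compliance, note = evaluate_secret(item["configuration"], limit)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # AWS Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    import boto3  # imported here so the evaluation logic runs without the SDK installed
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample items: one compliant, one with rotation disabled and no CMK.
GOOD = {"rotationEnabled": True, "rotationRules": {"automaticallyAfterDays": 30},
        "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}
BAD = {"rotationEnabled": False, "kmsKeyId": ""}
```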

Aggregate secrets from your AWS accounts and AWS Regions

You can configure an AWS Config Multi-Account Multi-Region Data Aggregator to collect the configurations of your secrets across all accounts and Regions in your organization, and then review them in one place against secrets management best practices.

You must enable AWS Config and the AWS Config managed rules specific to secrets across all accounts and regions before you create an aggregator. For more information, see Use CloudFormation StackSets to provision resources across multiple AWS accounts and Regions.

For more information about AWS Config Aggregator, see Multi-Account Multi-Region Data Aggregation and Setting Up an Aggregator Using the Console in the AWS Config Developer Guide.