Configuring AWS Config Secrets Manager rules - AWS Secrets Manager

Configuring AWS Config Secrets Manager rules


If you are using the AWS Config console for the first time, see Setting Up AWS Config (Console).

The Rules page provides initial AWS managed rules that you can add to your account. After setup, AWS Config evaluates your AWS Secrets Manager resources against the rules you selected. You can update the rules and create additional managed rules after setup.

  1. Log in to the AWS Config console at

  2. Choose Settings. Be sure that Recording is on.

  3. Choose Rules.

  4. In the Rules section, choose Add Rule.

  5. Type secretsmanager-rotation-enabled-check in the filter field.

  6. To configure the secretsmanager-rotation-enabled-check rule, choose Rules from the console panel, and then choose Add rule.

  7. Locate the secretsmanager-rotation-enabled-check rule using the search function.

  8. Create a unique name for the rule, such as MySecretsRotationRule.

  9. Specify a Remedial Action to receive notifications about noncompliant secrets through an Amazon SNS topic.

  10. Specify a topic for the Amazon SNS notification.

  11. Choose Save to store the rule in AWS Config.

After you save the rule, AWS Config evaluates your secrets every time the metadata of a secret changes. If changes occur, you receive an Amazon SNS notification about noncompliant secrets. You can also view the results on the Rules page or the Dashboard of AWS Config.

If you choose the secretsmanager-rotation-check-mySecretsRotationRule from the list of rules, AWS Config displays the secrets in your account that are not configured for rotation. With those secrets identified, you can begin implementing your best practices for secret rotation.
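The same rule setup and the noncompliant-secret listing above can be done without the console. The following is an added example written for this page, not AWS's own code: it builds the put_config_rule request for the managed rule behind secretsmanager-rotation-enabled-check (managed rule identifier SECRETSMANAGER_ROTATION_ENABLED_CHECK, which accepts an optional maximumAllowedRotationFrequency parameter in days), and it extracts noncompliant secret ids from a constructed sample shaped like the get_compliance_details_by_config_rule response. The rule name, the 90-day value and the sample ARNs are assumptions; the boto3 call at the end needs credentials and is not part of the offline helpers.

```python
import json

# Managed-rule identifier behind the console's "secretsmanager-rotation-enabled-check" entry.
MANAGED_RULE_ID = "SECRETSMANAGER_ROTATION_ENABLED_CHECK"
SECRET_RESOURCE_TYPE = "AWS::SecretsManager::Secret"


def rotation_rule_definition(rule_name, max_rotation_days=None):
    """Build the ConfigRule argument for put_config_rule, scoped to secrets only."""
    rule = {
        "ConfigRuleName": rule_name,
        "Description": "Flags Secrets Manager secrets that do not have rotation enabled",
        "Scope": {"ComplianceResourceTypes": [SECRET_RESOURCE_TYPE]},
        "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULE_ID},
    }
    if max_rotation_days is not None:
        # Optional rule parameter; Config expects InputParameters as a JSON string.
        rule["InputParameters"] = json.dumps(
            {"maximumAllowedRotationFrequency": str(max_rotation_days)})
    return rule


def noncompliant_secret_ids(evaluation_results):
    """Return the resource ids of NON_COMPLIANT secrets from an EvaluationResults list."""
    ids = []
    for result in evaluation_results:
        qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        if (result.get("ComplianceType") == "NON_COMPLIANT"
                and qualifier.get("ResourceType") == SECRET_RESOURCE_TYPE):
            ids.append(qualifier["ResourceId"])
    return ids


# Constructed sample (assumed account id and secret names), shaped like the
# EvaluationResults element returned by get_compliance_details_by_config_rule.
SAMPLE_RESULTS = [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "MySecretsRotationRule", "ResourceType": SECRET_RESOURCE_TYPE,
        "ResourceId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-creds-AbCdEf"}},
     "ComplianceType": "NON_COMPLIANT"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "MySecretsRotationRule", "ResourceType": SECRET_RESOURCE_TYPE,
        "ResourceId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-key-GhIjKl"}},
     "ComplianceType": "COMPLIANT"},
]


def create_rule_and_list_noncompliant(rule_name, max_rotation_days=None):
    """Create the rule in the account and return its currently noncompliant secrets."""
    import boto3  # imported here so the pure helpers above run without boto3 or credentials
    config = boto3.client("config")
    config.put_config_rule(ConfigRule=rotation_rule_definition(rule_name, max_rotation_days))
    pages = config.get_paginator("get_compliance_details_by_config_rule").paginate(
        ConfigRuleName=rule_name, ComplianceTypes=["NON_COMPLIANT"])
    return noncompliant_secret_ids([r for p in pages for r in p["EvaluationResults"]])
```

Running noncompliant_secret_ids(SAMPLE_RESULTS) offline returns only the db-creds ARN; create_rule_and_list_noncompliant("MySecretsRotationRule", 90) performs the live equivalent of steps 4 through 11 plus the noncompliant listing.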