Using SNS to Notify of Secret Expiration


My organization manages passwords in Secrets Manager that give us access to external vendors' services. We want to rotate these passwords ourselves manually, since we receive the passwords from the external vendor. Thus, we cannot allow AWS to manage the rotation of these passwords for us. Is there a way to "tag" a secret with an expiration date and send an email notification over AWS SNS when we are within 128 days of that expiration date?

1 Answer

Accepted answer

You can use the usual tags on a secret: https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets_tagging.html

You could set a date of when the password was last changed, then when it's due to expire, and then use a Lambda function that runs on an EventBridge cron schedule: have it enumerate all secrets in question, check the last-changed date, and compute the date difference from the password's last change to today's date. If that is greater than X days, create a message in SNS, which in turn is sent to a subscriber.

This way you can easily change the duration in your Lambda if your password policy ever changes, because it's based on X days since the password was last changed.

You could also obtain the date the secret was last updated. That's another option besides using tags.

EXPERT
answered 9 months ago
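The procedure in the accepted answer (enumerate secrets on an EventBridge schedule, compute the days until expiry from a tag or from the last-changed date, and publish to SNS when inside the warning window) as a worked Lambda handler. This is an added example, not code from the answerer or from AWS. It assumes a tag key `ExpiresOn` holding an ISO date (a name chosen here, not an AWS-defined tag), environment variables `WARN_DAYS`, `MAX_AGE_DAYS` and `SNS_TOPIC_ARN` on the function, and an execution role with `secretsmanager:ListSecrets` and `sns:Publish`. The date logic is kept in pure functions so it can be checked against constructed sample data without AWS credentials; the `boto3` import is deferred to the handler for the same reason.

```python
"""Warn via SNS about Secrets Manager secrets nearing expiry (added example)."""
from datetime import date, datetime, timedelta, timezone
import os

# Assumed tag key holding the expiry date as YYYY-MM-DD (not an AWS-defined tag).
EXPIRY_TAG_KEY = "ExpiresOn"
# Days before expiry at which to warn; the question asks for 128.
WARN_DAYS = int(os.environ.get("WARN_DAYS", "128"))
# Fallback for secrets without the tag: expiry = LastChangedDate + MAX_AGE_DAYS.
MAX_AGE_DAYS = int(os.environ.get("MAX_AGE_DAYS", "365"))


def expiry_date(secret, max_age_days=MAX_AGE_DAYS):
    """Return the expiry date for one list_secrets() entry, or None if unknown.

    Prefers the ExpiresOn tag (the question's approach); otherwise derives the
    expiry from LastChangedDate (the answer's alternative).
    """
    for tag in secret.get("Tags", []):
        if tag.get("Key") == EXPIRY_TAG_KEY:
            try:
                return date.fromisoformat(tag["Value"])
            except ValueError:
                return None  # malformed tag value: report as unknown, don't crash the run
    last_changed = secret.get("LastChangedDate")
    if last_changed is None:
        return None
    if isinstance(last_changed, datetime):  # boto3 returns a tz-aware datetime
        last_changed = last_changed.date()
    return last_changed + timedelta(days=max_age_days)


def find_expiring(secrets, today, warn_days=WARN_DAYS, max_age_days=MAX_AGE_DAYS):
    """Return [(name, expiry_date, days_left)] for secrets expiring within warn_days.

    Already-expired secrets (negative days_left) are included; entries whose
    expiry cannot be determined are skipped. Sorted so the most urgent come first.
    """
    due = []
    for secret in secrets:
        expiry = expiry_date(secret, max_age_days)
        if expiry is None:
            continue
        days_left = (expiry - today).days
        if days_left <= warn_days:
            due.append((secret["Name"], expiry, days_left))
    return sorted(due, key=lambda item: item[2])


def build_message(expiring, today):
    """Format the SNS message body, one line per secret."""
    lines = [f"Secrets expiring within {WARN_DAYS} days as of {today.isoformat()}:"]
    for name, expiry, days_left in expiring:
        state = "EXPIRED" if days_left < 0 else f"{days_left} days left"
        lines.append(f"- {name}: expires {expiry.isoformat()} ({state})")
    return "\n".join(lines)


def lambda_handler(event, context):
    """Entry point for the EventBridge-scheduled Lambda."""
    import boto3  # deferred so the pure functions above run without boto3 installed
    sm = boto3.client("secretsmanager")
    secrets = []
    for page in sm.get_paginator("list_secrets").paginate():
        secrets.extend(page.get("SecretList", []))
    today = datetime.now(timezone.utc).date()
    expiring = find_expiring(secrets, today)
    if not expiring:
        return {"notified": 0}
    boto3.client("sns").publish(
        TopicArn=os.environ["SNS_TOPIC_ARN"],  # assumed to be set on the function
        Subject=f"{len(expiring)} Secrets Manager secret(s) expiring within {WARN_DAYS} days",
        Message=build_message(expiring, today),
    )
    return {"notified": len(expiring)}


# Constructed sample data mimicking list_secrets() entries, for offline checking.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_SECRETS = [
    {"Name": "vendor-a", "Tags": [{"Key": EXPIRY_TAG_KEY, "Value": "2024-09-01"}]},
    {"Name": "vendor-b", "Tags": [{"Key": EXPIRY_TAG_KEY, "Value": "2025-06-01"}]},
    {"Name": "vendor-c", "LastChangedDate": datetime(2023, 9, 1, tzinfo=timezone.utc)},
    {"Name": "vendor-d", "Tags": [{"Key": EXPIRY_TAG_KEY, "Value": "not-a-date"}]},
]

if __name__ == "__main__":
    print(build_message(find_expiring(SAMPLE_SECRETS, SAMPLE_TODAY), SAMPLE_TODAY))
```

Run locally to see the message built from the sample data: `vendor-c` (derived from its last-changed date plus 365 days) and `vendor-a` fall inside the 128-day window, `vendor-b` does not, and `vendor-d` is skipped because its tag value cannot be parsed. Change `WARN_DAYS` in the function's environment to adjust the window without redeploying code, which is the flexibility the answer points out.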
