Using SNS to Notify of Secret Expiration

Question

My organization manages passwords in Secrets Manager that give us access to an external vendors' services. We want to rotate these passwords ourselves manually since we receive the passwords from the external vendor. Thus, we cannot allow AWS to manage the rotation of these passwords for us. Is there a way to "tag" a secret with an expiration date and send an email notification over AWS SNS when we are within 128 days of that expiration date?

Accepted Answer

You can use the usual tags on a secret. https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets_tagging.html#

You could set a date of when the password was last changed than when it’s due to expire and then using a lambda function which can run via an event Bridge cron schedule, have it enumerate all secrets in question and check the last changed date and carry out a date diff from password last changed to today’s date is greater than X days then create message in sns which in turn is sent to a subscriber.

This way you can easily change the duration in your lambda because it’s based on X days since last changed if your password policy ever changes .

You could also obtain the date of the secret was last updated too. That’s another option than using tags.

Using SNS to Notify of Secret Expiration

관련 콘텐츠