Using SNS to Notify of Secret Expiration


My organization manages passwords in Secrets Manager that give us access to an external vendor's services. We want to rotate these passwords ourselves manually since we receive the passwords from the external vendor. Thus, we cannot allow AWS to manage the rotation of these passwords for us. Is there a way to "tag" a secret with an expiration date and send an email notification over AWS SNS when we are within 128 days of that expiration date?

1 Answer
Accepted Answer

You can use the usual tags on a secret. https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets_tagging.html#

You could set a date of when the password was last changed rather than when it's due to expire, and then, using a Lambda function that can run via an EventBridge cron schedule, have it enumerate all secrets in question, check the last-changed date, and carry out a date diff from the password's last-changed date to today's date; if it is greater than X days, create a message in SNS, which in turn is sent to a subscriber.

This way you can easily change the duration in your Lambda, because it's based on X days since last changed, if your password policy ever changes.

You could also obtain the date the secret was last updated. That's another option rather than using tags.

EXPERT
answered 9 months ago
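The scheduled Lambda described in the answer, as an added example that is not from the original post: it reads an expiry date from a tag (the questioner's approach), falls back to Secrets Manager's own LastChangedDate plus a rotation period (the answerer's approach), and publishes to SNS when a secret is within the 128-day window. The tag key `ExpiresOn`, the 365-day rotation period, the `TOPIC_ARN` environment variable and the sample secrets are all assumptions.

```python
"""Scheduled Lambda: warn over SNS when a manually rotated secret nears expiry."""
import os
from datetime import datetime, timedelta, timezone

TAG_KEY = "ExpiresOn"   # hypothetical tag holding the vendor's expiry date, YYYY-MM-DD
WARN_DAYS = 128         # warning window from the question
ROTATION_DAYS = 365     # assumed validity period, used only when the tag is absent


def expiry_date(secret, rotation_days=ROTATION_DAYS):
    """Expiry from the ExpiresOn tag, else LastChangedDate + rotation period, else None."""
    for tag in secret.get("Tags", []):
        if tag.get("Key") == TAG_KEY:
            return datetime.strptime(tag["Value"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    changed = secret.get("LastChangedDate")  # tz-aware datetime as returned by list_secrets
    return changed + timedelta(days=rotation_days) if changed else None


def expiring_secrets(secrets, today, warn_days=WARN_DAYS):
    """[(name, days_left)] for secrets at or inside the window; negative means already expired."""
    hits = []
    for s in secrets:
        exp = expiry_date(s)
        if exp is not None and (exp - today).days <= warn_days:
            hits.append((s["Name"], (exp - today).days))
    return sorted(hits, key=lambda h: h[1])  # most urgent first


def build_message(hits):
    return "\n".join(f"{n}: expired {-d} days ago" if d < 0 else f"{n}: expires in {d} days"
                     for n, d in hits)


# Constructed sample of list_secrets() output (not real secrets) for an offline dry run.
SAMPLE_SECRETS = [
    {"Name": "vendor-a", "Tags": [{"Key": TAG_KEY, "Value": "2025-03-01"}]},
    {"Name": "vendor-b", "Tags": [{"Key": TAG_KEY, "Value": "2025-09-01"}]},
    {"Name": "vendor-c", "LastChangedDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"Name": "vendor-d"},  # no tag and no LastChangedDate: skipped
    {"Name": "vendor-old", "Tags": [{"Key": TAG_KEY, "Value": "2024-11-01"}]},
]


def run_sample(warn_days=WARN_DAYS, today=datetime(2024, 12, 1, tzinfo=timezone.utc)):
    return expiring_secrets(SAMPLE_SECRETS, today, warn_days)


def lambda_handler(event, context):
    import boto3  # imported lazily so the logic above can be tested without it
    sm = boto3.client("secretsmanager")
    secrets = [s for page in sm.get_paginator("list_secrets").paginate() for s in page["SecretList"]]
    hits = expiring_secrets(secrets, datetime.now(timezone.utc))
    if hits:
        boto3.client("sns").publish(TopicArn=os.environ["TOPIC_ARN"],  # assumed env var
                                    Subject="Secrets nearing expiry", Message=build_message(hits))
    return {"expiring": len(hits)}
```

The Lambda's execution role needs `secretsmanager:ListSecrets` and `sns:Publish` on the topic; it never calls GetSecretValue, so the password itself is not read.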
