CSMS Secrets Are Rotated
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | csms-secrets-rotation-success-check |
| Identifier | CSMS Secrets Are Rotated |
| Description | If a CSMS secret fails to be rotated, this secret is non-compliant. |
| Tag | csms |
| Trigger Type | Configuration change |
| Filter Type | csms.secrets |
| Rule Parameters | None |
Application Scenarios
After enabling rotation for a secret, ensure that the rotation is successful. If the rotation fails, the following problems may occur:
- Credential leakage: Credentials that are not rotated for a long time are more likely to be obtained by attackers, increasing the possibility of data leakage or service abuse.
- Service interruption: If the rotation fails, the credential may expire, causing service interruption or application faults.
Solution
Check why the rotation failed. For example, the KMS key used by the secret may have been deleted, or the permissions may be insufficient.
Rule Logic
- If the rotation is successful or not involved, the CSMS secret is compliant.
- If a CSMS secret fails to be rotated, this secret is non-compliant.
Constraints
This rule checks only whether scheduled rotations succeed; it does not check immediate rotations. The rule depends on the real-time resource collection of Config, so there may be a delay of up to 24 hours.