Updated on 2025-08-25 GMT+08:00

CSMS Secrets Are Rotated

Rule Details

Table 1 Rule details

Parameter        Description
Rule Name        csms-secrets-rotation-success-check
Identifier       CSMS Secrets Are Rotated
Description      If a CSMS secret fails to be rotated, this secret is non-compliant.
Tag              csms
Trigger Type     Configuration change
Filter Type      csms.secrets
Rule Parameters  None

Application Scenarios

After enabling rotation for a secret, confirm that each scheduled rotation actually succeeds. If a rotation fails, the following problems may occur:

  • Credential leakage: Credentials that are not rotated for a long time are more likely to be obtained by attackers, increasing the possibility of data leakage or service abuse.
  • Service interruption: If the rotation fails, the credential may expire, causing service interruption or application faults.

Solution

Check why the rotation failed, for example, the KMS key used by the secret has been deleted or the permissions required for rotation are insufficient. Fix the cause and confirm that the next scheduled rotation succeeds.

Rule Logic

  • If the scheduled rotation succeeds, or rotation is not enabled for the secret, the CSMS secret is compliant.
  • If a scheduled rotation of a CSMS secret fails, this secret is non-compliant.

Constraints

This rule only checks whether scheduled rotation succeeds; it does not check immediate rotations. This rule depends on the real-time resource collection of Config, so the evaluation result may lag the actual rotation by up to 24 hours.
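The following is an added example, not code from Huawei Cloud Config or CSMS, showing how the Rule Logic and Constraints above combine when evaluating a set of secrets: rotation disabled or never run is compliant, a successful scheduled rotation is compliant, a failed scheduled rotation is non-compliant, and the outcome of an immediate rotation is ignored. The record field names, the status strings, and the remediation hints (taken from the two failure causes named under Solution) are assumptions made for illustration, not the CSMS API schema, and the secret records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Compliance states as reported by a Config rule evaluation.
COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"


@dataclass
class SecretRecord:
    """Constructed snapshot of one CSMS secret.

    Field names are assumptions for this example, not the CSMS API schema.
    scheduled_rotation_status is None when rotation is disabled or no
    scheduled rotation has run yet; immediate_rotation_status records an
    on-demand rotation and is deliberately not consulted by the rule.
    """
    name: str
    rotation_enabled: bool
    scheduled_rotation_status: Optional[str] = None   # "success" | "failed" | None
    immediate_rotation_status: Optional[str] = None   # ignored by this rule
    failure_reason: Optional[str] = None


# Illustrative mapping of the failure causes named under Solution to fixes.
REMEDIATION_HINTS: Dict[str, str] = {
    "kms_key_deleted": "Restore or replace the KMS key used by the secret, then retry rotation.",
    "insufficient_permission": "Grant the rotation identity the missing KMS/CSMS permissions, then retry rotation.",
}


def evaluate(secret: SecretRecord) -> Tuple[str, str]:
    """Return (state, annotation) for one secret under the rule logic."""
    # Rotation not involved: disabled, or no scheduled rotation has run.
    if not secret.rotation_enabled or secret.scheduled_rotation_status is None:
        return COMPLIANT, "rotation not involved"
    if secret.scheduled_rotation_status == "success":
        return COMPLIANT, "last scheduled rotation succeeded"
    if secret.scheduled_rotation_status == "failed":
        reason = secret.failure_reason or "unknown"
        return NON_COMPLIANT, f"scheduled rotation failed: {reason}"
    # Anything else is a collection problem, not a rotation outcome.
    raise ValueError(f"{secret.name}: unknown rotation status {secret.scheduled_rotation_status!r}")


def evaluate_all(secrets: List[SecretRecord]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every secret and key the results by secret name."""
    return {s.name: evaluate(s) for s in secrets}


def triage(secrets: List[SecretRecord]) -> List[dict]:
    """List non-compliant secrets with a remediation hint for the failure cause."""
    findings = []
    for s in secrets:
        state, note = evaluate(s)
        if state != NON_COMPLIANT:
            continue
        hint = REMEDIATION_HINTS.get(s.failure_reason or "", "Inspect the rotation function logs.")
        findings.append({"name": s.name, "annotation": note, "remediation": hint})
    return findings


# Constructed sample data covering each branch of the rule logic.
SAMPLE_SECRETS = [
    SecretRecord("db-password", True, scheduled_rotation_status="success"),
    SecretRecord("api-key", False),                       # rotation disabled
    SecretRecord("legacy-token", True, scheduled_rotation_status="failed",
                 failure_reason="kms_key_deleted"),
    SecretRecord("svc-account", True, scheduled_rotation_status="failed",
                 failure_reason="insufficient_permission"),
    # Only an immediate rotation has run, and it failed: out of scope, so compliant.
    SecretRecord("cache-secret", True, immediate_rotation_status="failed"),
]


if __name__ == "__main__":
    for name, (state, note) in evaluate_all(SAMPLE_SECRETS).items():
        print(f"{name:14} {state:13} {note}")
    for finding in triage(SAMPLE_SECRETS):
        print(f"FIX {finding['name']}: {finding['remediation']}")
```

Running the block prints one line per secret and a remediation line for the two failed scheduled rotations; the secret whose only rotation was an immediate one is reported compliant, matching the Constraints section.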