AWS secretsmanager high security documentation change
Summary
Updated documentation for Lambda rotation functions with clarified terminology, added security guidance about logging practices, and emphasized direct rotation requirements
Security assessment
Added explicit warning about sensitive information in CloudWatch logs and security restriction preventing secondary Lambda invocations. Directly addresses potential information leakage and limits attack surface by prohibiting chained Lambda calls.
Diff
diff --git a/secretsmanager/latest/userguide/rotate-secrets_lambda-functions.md index c3dcc8347..943d38116 100644 --- a/secretsmanager/latest/userguide/rotate-secrets_lambda-functions.md +++ b/secretsmanager/latest/userguide/rotate-secrets_lambda-functions.md @@ -9 +9 @@ Four steps in a rotation function -In [Rotation by Lambda function](./rotate-secrets_lambda.html), a Lambda function does the work of rotating the secret. Secrets Manager uses [staging labels](./whats-in-a-secret.html) to label secret versions during rotation. +In [Rotation by Lambda function](./rotate-secrets_lambda.html), an AWS Lambda function rotates the secret. AWS Secrets Manager uses [staging labels](./whats-in-a-secret.html) to identify secret versions during rotation. @@ -11 +11 @@ In [Rotation by Lambda function](./rotate-secrets_lambda.html), a Lambda functio -If Secrets Manager doesn't provide a [rotation function template](./reference_available-rotation-templates.html) for your type of secret, you can create a rotation function. When writing a rotation function, follow the guidance for each step. +If AWS Secrets Manager doesn't provide a [rotation function template](./reference_available-rotation-templates.html) for your secret type, you can create a custom rotation function. Follow these guidelines when writing your rotation function: @@ -13 +13 @@ If Secrets Manager doesn't provide a [rotation function template](./reference_av -###### Tips for writing your own rotation function +###### Best practices for custom rotation functions @@ -15 +15 @@ If Secrets Manager doesn't provide a [rotation function template](./reference_av - * Use the [generic rotation template](./reference_available-rotation-templates.html#OTHER_rotation_templates) as a starting point to write your own rotation function. + * Use the [generic rotation template](./reference_available-rotation-templates.html#OTHER_rotation_templates) as a starting point. @@ -17 +17 @@ If Secrets Manager doesn't provide a [rotation function template](./reference_av - * As you write your function, be cautious about including debugging or logging statements. These statements can cause information in your function to be written to Amazon CloudWatch, so you need to make sure the log doesn't include any sensitive information collected during development. + * Be cautious with debugging or logging statements. They can write information to Amazon CloudWatch Logs. Ensure logs don't contain sensitive information. @@ -19 +19 @@ If Secrets Manager doesn't provide a [rotation function template](./reference_av -For examples of log statements, see the [AWS Secrets Manager rotation function templates](./reference_available-rotation-templates.html) source code. +For log statement examples, see the [AWS Secrets Manager rotation function templates](./reference_available-rotation-templates.html) source code. @@ -21 +21 @@ For examples of log statements, see the [AWS Secrets Manager rotation function t - * For security, Secrets Manager only permits a Lambda rotation function to rotate the secret directly. The rotation function can't call a second Lambda function to rotate the secret. + * For security, AWS Secrets Manager only allows a Lambda rotation function to rotate the secret directly. The rotation function can't call another Lambda function to rotate the secret. @@ -23 +23 @@ For examples of log statements, see the [AWS Secrets Manager rotation function t - * For debugging suggestions, see [Testing and debugging serverless applications](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-test-and-debug.html). + * For debugging guidance, see [Testing and debugging serverless applications](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-test-and-debug.html). @@ -25 +25 @@ For examples of log statements, see the [AWS Secrets Manager rotation function t - * If you use external binaries and libraries, for example to connect to a resource, you must manage patching them and keeping them up-to-date. + * If you use external binaries and libraries, for example to connect to a resource, you're responsible for patching and updating them. @@ -27 +27 @@ For examples of log statements, see the [AWS Secrets Manager rotation function t - * Save your rotation function in a ZIP file `my-function.zip` along with any required dependencies. + * Package your rotation function and any dependencies in a ZIP file, such as `my-function.zip`. @@ -62 +62 @@ The method `create_secret` first checks if a secret exists by calling [`get_secr -### `set_secret`: Change the credentials in the database or service +### **set_secret** : Change the credentials in the database or service @@ -83 +83 @@ The method `set_secret` changes the credential in the database or service to mat -### `test_secret`: Test the new secret version +### **test_secret** : Test the new secret version @@ -87 +87 @@ Next, the Lambda rotation function tests the `AWSPENDING` version of the secret -### `finish_secret`: Finish the rotation +### **finish_secret** : Finish the rotation @@ -91 +91 @@ Finally, the Lambda rotation function moves the label `AWSCURRENT` from the prev -The method `finish_secret` uses [`update_secret_version_stage`](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.update_secret_version_stage) to move the staging label `AWSCURRENT` from the previous secret version to the new secret version. Secrets Manager automatically adds the `AWSPREVIOUS` staging label to the previous version, so that you retain the last known good version of the secret. +The method **finish_secret** uses [`update_secret_version_stage`](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.update_secret_version_stage) to move the staging label `AWSCURRENT` from the previous secret version to the new secret version. Secrets Manager automatically adds the `AWSPREVIOUS` staging label to the previous version, so that you retain the last known good version of the secret.