AWS secretsmanager medium security documentation change
Summary
Updated IP restriction guidance to recommend using AWS-managed prefix lists instead of static IP ranges for external secrets rotation
Security assessment
The change addresses potential security gaps by replacing static IP allowlisting with dynamic prefix lists that automatically update, reducing the risk of rotation failures due to outdated IP ranges which could lead to credential exposure or service disruption.
Diff
diff --git a/secretsmanager/latest/userguide/mes-security.md b/secretsmanager/latest/userguide/mes-security.md index 332b906d1..dff1554d9 100644 --- a//secretsmanager/latest/userguide/mes-security.md +++ b//secretsmanager/latest/userguide/mes-security.md @@ -15 +15,3 @@ For rotation to function properly, you must provide Secrets Manager with specifi -You can restrict the IP ingress to your external resource by only allowing the [AWS IP ranges](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html) for EC2 in the region where your secret exists. This list of IP ranges can change so you should refresh your ingress rules periodically. +You can restrict the IP ingress to your external resource by only allowing the Secrets Manager managed external secrets [AWS-managed prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) in the region where your secret exists. The prefix list is named `com.amazonaws.`region`.secretsmanager-managed-external-secrets`, where `region` is the AWS Region of your secret. Using the managed prefix list ensures your ingress rules automatically stay current as the underlying IP ranges change. + +If you prefer to reference the prefix list programmatically, you can use the [GetManagedPrefixListEntries](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetManagedPrefixListEntries.html) API to list the IPs that need to be allowlisted. You should periodically refresh your ingress rules with this prefix list to keep them current.