A collection of configuration templates for AWS Secrets Manager as well as security controls for monitoring and protecting AWS Secrets Manager configuration such as Config Rules and CloudWatch Alarms.
This template creates a Secrets Manager rotation schedule for a secret. The secret is rotated every day between 1:00 AM and 3:00 AM UTC. The rotation is performed by a Lambda function.
This template creates a Secrets Manager rotation schedule for a secret. The secret is rotated every 10 days between midnight and 6:00 AM UTC. The rotation is performed by a Lambda function.
This template creates a Redshift cluster and a secret with credentials. The secret is configured to rotate on the first Sunday of every month between 4:00 AM and 6:00 AM UTC. The rotation is performed by a Lambda function.
This template creates a DocumentDB database instance and a secret with credentials. The secret is configured to rotate on the first Sunday of every month between 4:00 AM and 6:00 AM UTC. The rotation is performed by a Lambda function.
This template creates a Secrets Manager secret with a dynamically generated password. The secret value is constructed from a string template combined with a randomly generated password. The secret contains a username and password.
This template creates a Secrets Manager secret with a hardcoded password. The secret value is provided as a CloudFormation parameter and is stored as a literal string in the secret.
This template creates a Secrets Manager secret and replicates it to two different regions. One region uses a customer managed key, while the other region uses the AWS managed key for Secrets Manager.
This template creates a Secrets Manager secret and an Amazon Redshift cluster. The secret contains the admin credentials for the Redshift cluster. The template uses the secret to define the database admin user and password for the Redshift cluster. It also includes a SecretTargetAttachment resource to configure the secret with the required database engine type and connection details.
This template creates a secret in AWS Secrets Manager and attaches a resource-based policy to it. The resource-based policy denies the 'DeleteSecret' action for all principals except the root user of the AWS account.
A config rule that checks whether AWS Secrets Manager secrets have rotation enabled. The rule also checks an optional maximumAllowedRotationFrequency parameter.
A config rule that verifies whether an AWS Secrets Manager secret has rotated successfully according to its rotation schedule.
A config rule that checks if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.
A config rule that checks if all secrets in AWS Secrets Manager are encrypted using an AWS Key Management Service (AWS KMS) customer master key (CMK). This rule is COMPLIANT if a secret is encrypted using an AWS KMS CMK. This rule is NON_COMPLIANT if a secret is encrypted using the default AWS KMS key.
A config rule that checks if AWS Secrets Manager secrets have been rotated within the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
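The three rotation- and usage-related checks above (rotation enabled with an optional maximumAllowedRotationFrequency, unusedForDays, and maxDaysSinceRotation) can be reproduced locally against secret metadata, which is useful for dry-running the thresholds before deploying the Config rules. The evaluator below is an added example, not code from this repository or from AWS Config; it models the fields after the DescribeSecret API output (RotationEnabled, RotationRules.AutomaticallyAfterDays, LastRotatedDate, LastAccessedDate) and uses constructed sample secrets rather than live account data.

```python
"""Local evaluator that mirrors three Secrets Manager Config checks.

Added example, not part of the repository's templates. Field names follow the
DescribeSecret API output; the sample secrets and the fixed "now" are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed evaluation time so the results are deterministic (constructed value).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class SecretMeta:
    name: str
    rotation_enabled: bool                # RotationEnabled
    rotation_days: Optional[int]          # RotationRules.AutomaticallyAfterDays
    last_rotated: Optional[datetime]      # LastRotatedDate (None if never rotated)
    last_accessed: Optional[datetime]     # LastAccessedDate (None if never read)


def check_rotation_enabled(s: SecretMeta, maximum_allowed_rotation_frequency: Optional[int] = None) -> str:
    """NON_COMPLIANT if rotation is off, or if the rotation interval exceeds the optional cap."""
    if not s.rotation_enabled:
        return "NON_COMPLIANT"
    if maximum_allowed_rotation_frequency is not None:
        if s.rotation_days is None or s.rotation_days > maximum_allowed_rotation_frequency:
            return "NON_COMPLIANT"
    return "COMPLIANT"


def check_unused(s: SecretMeta, unused_for_days: int = 90, now: datetime = NOW) -> str:
    """NON_COMPLIANT if the secret has not been accessed within unused_for_days (default 90)."""
    if s.last_accessed is None or (now - s.last_accessed).days > unused_for_days:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def check_days_since_rotation(s: SecretMeta, max_days_since_rotation: int = 90, now: datetime = NOW) -> str:
    """NON_COMPLIANT if the last rotation is older than max_days_since_rotation (default 90)."""
    if s.last_rotated is None or (now - s.last_rotated).days > max_days_since_rotation:
        return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample inventory: one healthy secret, one never-rotated and stale
# secret, and one rotated too infrequently.
SAMPLE_SECRETS = [
    SecretMeta("prod/db/admin", True, 30, NOW - timedelta(days=10), NOW - timedelta(days=1)),
    SecretMeta("legacy/api-key", False, None, None, NOW - timedelta(days=120)),
    SecretMeta("staging/db", True, 120, NOW - timedelta(days=100), NOW - timedelta(days=5)),
]


def evaluate_all(secrets=SAMPLE_SECRETS, maximum_allowed_rotation_frequency=None,
                 unused_for_days=90, max_days_since_rotation=90, now=NOW) -> dict:
    """Return {secret name: {check name: COMPLIANT|NON_COMPLIANT}} for the inventory."""
    return {
        s.name: {
            "rotation_enabled": check_rotation_enabled(s, maximum_allowed_rotation_frequency),
            "unused": check_unused(s, unused_for_days, now),
            "days_since_rotation": check_days_since_rotation(s, max_days_since_rotation, now),
        }
        for s in secrets
    }


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(name, results)
```

Running the module prints one line per constructed secret; the same functions can be pointed at real DescribeSecret responses by mapping the API fields into SecretMeta.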