These rules flag forgotten secrets sitting in Secrets Manager that no application has accessed in months.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-SECRETSMANAGER-1 | Discovery | Secrets Manager Secret Unused |
CLDBRN-AWS-SECRETSMANAGER-1
Secrets Manager Secret Unused
Scan type: Discovery
What it checks
Flags Secrets Manager secrets that have not been accessed for more than 90 days, or that have never been accessed at all. Unused secrets indicate credentials or configuration values that no running application retrieves.
Why it matters
Secrets Manager charges $0.40 per secret per month. A handful of forgotten secrets may seem trivial, but teams that provision secrets for every environment and experiment often accumulate dozens over time. Beyond cost, unused secrets are a security liability: stale credentials that nobody monitors or rotates are a prime target for compromise, and their misuse is unlikely to be noticed.
What triggers a finding
Either of these conditions:
- The secret has no `lastAccessedDate` (it was created but never retrieved)
- The `lastAccessedDate` is more than 90 days in the past
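The two trigger conditions above, implemented as a small check over the `SecretList` entries that the Secrets Manager `list_secrets` API returns. This is an added example, not the scanner's own code; the sample secrets are constructed, and the live-account helper assumes `boto3` is installed and credentials are configured.

```python
from datetime import datetime, timedelta, timezone

RULE_ID = "CLDBRN-AWS-SECRETSMANAGER-1"
UNUSED_AFTER_DAYS = 90  # threshold used by the rule


def evaluate_secret(secret, now):
    """Return a finding dict if `secret` is unused, otherwise None.

    `secret` has the shape of one SecretList entry from list_secrets:
    the LastAccessedDate key is absent when the secret was never retrieved.
    """
    last = secret.get("LastAccessedDate")
    if last is None:
        reason = "never accessed"
    else:
        if last.tzinfo is None:  # boto3 returns aware datetimes; be defensive
            last = last.replace(tzinfo=timezone.utc)
        age = now - last
        if age <= timedelta(days=UNUSED_AFTER_DAYS):
            return None  # accessed within the window: no finding
        reason = f"last accessed {age.days} days ago"
    return {"rule_id": RULE_ID, "name": secret["Name"],
            "arn": secret.get("ARN"), "reason": reason}


def scan(secrets, now=None):
    """Evaluate every secret and return only the findings."""
    now = now or datetime.now(timezone.utc)
    return [f for f in (evaluate_secret(s, now) for s in secrets) if f]


def scan_live_account(region_name):
    """Same check against a real account (assumes boto3 is available)."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region_name)
    secrets = []
    for page in client.get_paginator("list_secrets").paginate():
        secrets.extend(page["SecretList"])
    return scan(secrets)


# Constructed sample data; the account ID and names are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:{}-AbCdEf"
SAMPLE_SECRETS = [
    {"Name": "prod/db/password", "ARN": ARN.format("prod/db/password"),
     "LastAccessedDate": NOW - timedelta(days=3)},       # in use
    {"Name": "staging/api-key", "ARN": ARN.format("staging/api-key"),
     "LastAccessedDate": NOW - timedelta(days=120)},     # stale
    {"Name": "experiment/old-token", "ARN": ARN.format("experiment/old-token")},  # never read
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SECRETS, NOW):
        print(f"{f['rule_id']} {f['name']}: {f['reason']}")
```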
How to remediate
- Verify the secret is truly unused by checking CloudTrail for `GetSecretValue` events
- If the secret backs a decommissioned application, delete it:

```bash
# Schedule deletion with 7-day recovery window
aws secretsmanager delete-secret \
  --secret-id my-old-secret \
  --recovery-window-in-days 7
```

- If the secret is still needed but accessed infrequently, consider whether SSM Parameter Store (SecureString) would be a cheaper alternative at $0.05 per 10,000 API calls with no per-parameter charge
See Also
- CLI discover command - scan live Secrets Manager resources
- SDK Reference - run discovery programmatically