WKLD.05 Detect and remediate exposed secrets
In WKLD.03 Use ephemeral secrets or a secrets-management service and WKLD.04 Prevent application secrets from being exposed, you put measures in place to protect secrets. In this control, you set up tooling to detect secrets that were accidentally committed or exposed, and take action to revoke or rotate them.
An exposed secret can be exploited and risks unauthorized access to your AWS resources and data. Rotate or revoke it immediately after detection.
Scan code repositories regularly for accidentally committed secrets. Use Kiro CLI
To detect exposed secrets using Kiro CLI
- Install Kiro CLI in your development environment. For more information, see Kiro CLI in the Kiro documentation.
- Configure Kiro CLI to scan your code repositories, focusing on high-risk repositories such as production or public-facing code.
- Schedule regular scans. Consider daily scans for production repositories and weekly scans for development repositories.
- Review scan results and identify any exposed secrets.
To remediate exposed secrets
- Rotate or revoke the exposed secret immediately in the originating service (for example, regenerate an API key or reset a password).
- Create a new secret in AWS Secrets Manager or AWS Systems Manager Parameter Store.
- Update your applications to retrieve the new secret from the secure storage service.
- Remove the exposed secret from your code repository history by using git filter-repo.
The open-source tools listed in WKLD.04 can also detect secrets that are already present in your repository.
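The detection and remediation steps above, as an added example that is not part of this control or of Kiro CLI: a small pattern-and-entropy scanner run over a constructed sample file, whose findings are turned into the replacement list that git filter-repo's --replace-text option consumes. The rule names, thresholds and sample values are assumptions made for the example.

```python
import math
import re
from collections import Counter
# Constructed sample of a config file committed by mistake; the values are
# placeholders (the AWS documentation example key pair), not live credentials.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = hunter2
api_token = sk_live_9bPqZ2XvT8LmQwErTy4uIoP1
"""
# (name, pattern, minimum entropy in bits/char). Specific formats come first.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("keyword_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key|access_key)\w*\s*[=:]\s*"
        r"['\"]?([A-Za-z0-9/+_\-.]{8,})"), 3.0),
]

def shannon_entropy(s):
    """Bits per character: random-looking tokens score high, plain words low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_exposed_secrets(text):
    """Return [(line_no, rule_name, value)]; each value is reported once."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, min_entropy in RULES:
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in seen or shannon_entropy(value) < min_entropy:
                    continue
                seen.add(value)
                findings.append((line_no, name, value))
    return findings

def redact(value):
    """Keep a short prefix so a report can be shared without re-exposing the secret."""
    return value[:4] + "*" * (len(value) - 4)

def filter_repo_replacements(findings):
    """File body for `git filter-repo --replace-text FILE`: every commit gets rewritten."""
    return "".join(f"literal:{v}==>***REMOVED***\n" for _, _, v in findings)

for line_no, name, value in find_exposed_secrets(SAMPLE_CONFIG):
    print(f"line {line_no}: {name} {redact(value)}")
```

The short `db_password` value is deliberately missed: low-entropy or short secrets slip past length and entropy filters, which is why scanner rules are tuned per repository rather than trusted blindly. Rotate the secret before rewriting history (a pushed secret may already have been fetched), run git filter-repo in a fresh clone, then force-push and have collaborators re-clone.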
Note
Kiro CLI is available at no charge under the Free tier. For more information, see Kiro pricing.