Remove unused Secrets Manager secrets

Description

This control checks if an AWS Secrets Manager secret has been accessed within the last 90 days. The control will fail if the secret remains unused beyond this defined period.

Unused secrets may be exploited by individuals who no longer require access. Additionally, the more users who have access to a secret, the higher the risk that it could be mishandled or exposed to unauthorized parties. Removing unused secrets helps prevent access by users who no longer need it and can also reduce the costs associated with Secrets Manager. Regularly deleting unused secrets is a vital part of maintaining a secure environment.
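The 90-day check described above can be reproduced over secret metadata shaped like the entries of a Secrets Manager ListSecrets response. This is an added example, not the control's own implementation; the sample records are constructed. It assumes that a secret with no LastAccessedDate is aged from its CreatedDate and that secrets already scheduled for deletion are skipped.

```python
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)  # period stated in the control description


def find_unused_secrets(secrets, now):
    """Return (name, reference_date, reason) for secrets failing the 90-day check.

    `secrets` holds dicts shaped like ListSecrets entries
    (Name, CreatedDate, LastAccessedDate, DeletedDate).
    """
    failing = []
    for s in secrets:
        if s.get("DeletedDate"):
            continue  # assumption: already scheduled for deletion, nothing to remediate
        last = s.get("LastAccessedDate")
        # Assumption: a secret that was never read is aged from its creation date.
        reference = last or s["CreatedDate"]
        if now - reference > UNUSED_AFTER:
            reason = "not accessed in 90 days" if last else "never accessed"
            failing.append((s["Name"], reference.date().isoformat(), reason))
    return sorted(failing)


def utc(y, m, d):
    """Build a timezone-aware UTC datetime for the sample data."""
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records, not output from a real account.
SAMPLE = [
    {"Name": "prod/db/password", "CreatedDate": utc(2023, 1, 10),
     "LastAccessedDate": utc(2024, 5, 30)},
    {"Name": "legacy/ftp/creds", "CreatedDate": utc(2022, 3, 1),
     "LastAccessedDate": utc(2023, 11, 2)},
    {"Name": "poc/api-key", "CreatedDate": utc(2023, 9, 15)},
    {"Name": "new/service/token", "CreatedDate": utc(2024, 5, 20)},
    {"Name": "old/retired", "CreatedDate": utc(2021, 1, 1),
     "LastAccessedDate": utc(2021, 6, 1), "DeletedDate": utc(2024, 5, 25)},
]

if __name__ == "__main__":
    for name, ref, reason in find_unused_secrets(SAMPLE, now=utc(2024, 6, 1)):
        print(f"FAIL {name}: {reason} (reference date {ref})")
```
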

Remediation

For guidance on deleting secrets, refer to the "Delete an AWS Secrets Manager secret" section of the AWS Secrets Manager User Guide.