You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is possible to restore a secret, which allows the restoration of secrets that have been scheduled for deletion, since the minimum deletion period for secrets is 7 days and the maximum is 30 days. Together with the secretsmanager:GetSecretValue permission, this makes it possible to retrieve their contents.
58
+
59
+
To recover a secret that is in the process of being deleted, you can use the following command:
60
+
```bash
61
+
aws secretsmanager restore-secret \
62
+
--secret-id <Secret_Name>
63
+
```
64
+
65
+
## secretsmanager:DeleteResourcePolicy, DoS
66
+
67
+
This action allows deleting the resource policy that controls who can access a secret. This could lead to a DoS if the resource policy was configured to allow access to a specific set of users.
68
+
69
+
To delete the resource policy:
70
+
```bash
71
+
aws secretsmanager delete-resource-policy \
72
+
--secret-id <Secret_Name>
73
+
```
74
+
75
+
## secretsmanager:UpdateSecretVersionStage, DoS
76
+
77
+
The states of a secret are used to manage versions of a secret. AWSCURRENT marks the active version that applications use, AWSPREVIOUS keeps the previous version so that you can roll back if necessary, and AWSPENDING is used in the rotation process to prepare and validate a new version before making it the current one.
78
+
79
+
Applications always read the version with AWSCURRENT. If someone moves that label to the wrong version, the apps will use invalid credentials and may fail.
80
+
81
+
AWSPREVIOUS is not used automatically. However, if AWSCURRENT is removed or reassigned incorrectly, it may appear that everything is still running with the previous version.
0 commit comments