How to Find and Delete AWS CLI Secrets Immediately
Learn how to find and delete unused AWS CLI secrets to reduce costs and enhance security. Follow our step-by-step guide to optimize your AWS account.
Patrick Londa
Author
Jan 3, 2023
The AWS Secrets Manager makes it easy to create and store secrets, so you can reference them via API call instead of including them in your actual code.
There is still some basic maintenance you should do to make sure you are lowering your security risk and cloud costs. Each secret in AWS costs $0.40/month, including the same rate per replica. If you have unused secrets, they could be a waste of money and a security liability. It’s better to delete them when you are sure they are not being used.
In this guide, we’ll show you how you can find unused AWS secrets and delete them.
Blink Automation: Find Unused AWS Secrets and Schedule Removal
The "LastAccessedDate" field in the output tells you how long it has been since the secret was last retrieved. If the value is shown as a Unix timestamp, you can use a timestamp converter to see the actual date.
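The check described above, as an added example (not code from the original post or from Blink): it consumes the JSON that `aws secretsmanager list-secrets --output json` prints, converts `LastAccessedDate` itself instead of relying on a manual timestamp converter, and flags secrets idle longer than a chosen number of days. The sample records, names, ARNs and account id are constructed placeholders; the `list_secrets_via_cli` helper and the "count from `CreatedDate` when there is no `LastAccessedDate`" rule are this example's own choices.

```python
"""Find Secrets Manager secrets that have not been retrieved recently.

Added example, not code from the original post or from Blink. It consumes the
JSON that `aws secretsmanager list-secrets --output json` prints; the sample
records below are constructed (names, ARNs and account id are placeholders).
"""
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the CLI output. LastAccessedDate appears both as an
# epoch number (AWS CLI v1 default) and as an ISO-8601 string (AWS CLI v2
# default) so the parser is exercised on both; the third record has no
# LastAccessedDate, which is how the API reports a secret that has never been
# retrieved in this Region.
SAMPLE_LIST_SECRETS = json.loads("""
{
  "SecretList": [
    {"Name": "prod/db/password",
     "ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/db/password-AbCdEf",
     "CreatedDate": 1640995200.0, "LastAccessedDate": 1672617600.0},
    {"Name": "legacy/api-key",
     "ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:legacy/api-key-GhIjKl",
     "CreatedDate": "2021-06-01T00:00:00+00:00", "LastAccessedDate": "2022-03-15T00:00:00+00:00"},
    {"Name": "staging/unused",
     "ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:staging/unused-MnOpQr",
     "CreatedDate": "2022-01-10T00:00:00+00:00"}
  ]
}
""")


def parse_timestamp(value):
    """Turn a CLI timestamp (epoch number, ISO-8601 string or datetime) into an aware UTC datetime.

    This replaces the manual timestamp-converter step: 1672617600.0 -> 2023-01-02 UTC.
    """
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def find_unused_secrets(list_secrets_output, max_idle_days, now=None):
    """Return [(name, idle_days, reason)] for secrets idle longer than max_idle_days.

    A secret with no LastAccessedDate has never been retrieved, so its idle time
    is counted from CreatedDate (a choice made for this example). Secrets that
    already carry a DeletedDate are scheduled for deletion and are skipped.
    """
    now = parse_timestamp(now) if now is not None else datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    unused = []
    for secret in list_secrets_output.get("SecretList", []):
        if "DeletedDate" in secret:
            continue
        if "LastAccessedDate" in secret:
            reference, reason = parse_timestamp(secret["LastAccessedDate"]), "last accessed"
        else:
            reference, reason = parse_timestamp(secret["CreatedDate"]), "never accessed; created"
        if reference < cutoff:
            unused.append((secret["Name"], (now - reference).days, reason))
    return unused


def list_secrets_via_cli(region):
    """Run the real CLI for one Region and return its parsed JSON output."""
    completed = subprocess.run(
        ["aws", "secretsmanager", "list-secrets", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


if __name__ == "__main__":
    # Usage: python find_unused_secrets.py 90 us-east-1 eu-west-1
    # With no Regions given, the constructed sample is used instead of the CLI.
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 90
    regions = sys.argv[2:]
    sources = [(r, list_secrets_via_cli(r)) for r in regions] or [("sample", SAMPLE_LIST_SECRETS)]
    for region, output in sources:
        for name, idle, reason in find_unused_secrets(output, days):
            print(f"{region}: {name} ({reason} {idle} days ago)")
```

Run against the sample with a 90-day threshold as of 3 Jan 2023, `prod/db/password` (retrieved the day before) is kept, while `legacy/api-key` (idle 294 days) and `staging/unused` (never retrieved, created 358 days earlier) are reported. Pass one or more Region names to query each Region through the CLI, which is the multi-Region sweep the later section describes.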
How to Schedule an AWS Secret to be Deleted
To do so, you can use either the AWS Console or the AWS CLI, as follows:
Using the AWS Console:
Open the AWS Secrets Manager console and choose which secret you wish to delete.
Scroll down to the Replicate secret section. Before you can delete a Primary secret, you must first delete the replica secrets. If there are no replicas in this section, you can move on to the next step. If there are replica secrets here, select them and click Actions in the top-right corner of that section, then click Delete Replica. Replica secrets are deleted immediately with no waiting period.
Scroll up to the Secret details section, choose Actions, and then click Delete secret.
You can specify the number of days you want AWS Secrets Manager to wait before it permanently deletes the secret by entering a value under Waiting period in the Disable secret and schedule deletion prompt. Based on this, AWS Secrets Manager attaches a DeletionDate field set to the current date and time plus the specified number of waiting days.
Select Schedule deletion.
If you need to restore a secret during the recovery window, you can click the Preferences icon next to the list of secrets and apply Show disabled secrets. Then, select the secret you want to recover and click Cancel deletion in the Secret details section.
Using the AWS CLI:
Deleting a secret that is replicated to other regions requires you to first remove its replicas with the remove-regions-from-replication command.
Deleting a secret immediately, without a recovery window, is permanent. If you set a recovery window instead, you can still restore the secret at any point during that window.
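The CLI procedure above, as an added example (not code from the original post or from Blink): it takes the output of `aws secretsmanager describe-secret`, builds the CLI invocations in the order the service requires (replicas removed first with `remove-regions-from-replication`, then the primary scheduled with `delete-secret`), and refuses a recovery window outside the 7 to 30 days Secrets Manager accepts or a forced deletion combined with a window. The sample secret, ARN and account id are constructed; the `plan_deletion`, `restore_command` and `execute` helpers are this example's own.

```python
"""Plan the deletion of one Secrets Manager secret in the order the service requires.

Added example, not code from the original post or from Blink. It builds the
AWS CLI invocations for the steps described above: replicas are removed first
with remove-regions-from-replication, then the primary is scheduled for
deletion with delete-secret. The sample describe-secret record is constructed.
"""
import json
import subprocess
import sys

# Constructed stand-in for `aws secretsmanager describe-secret --output json`.
# ReplicationStatus lists the Regions the secret is replicated to; it is absent
# for a secret with no replicas.
SAMPLE_DESCRIBE_SECRET = json.loads("""
{
  "ARN": "arn:aws:secretsmanager:us-east-1:111111111111:secret:legacy/api-key-GhIjKl",
  "Name": "legacy/api-key",
  "ReplicationStatus": [
    {"Region": "us-west-2", "Status": "InSync"},
    {"Region": "eu-west-1", "Status": "InSync"}
  ]
}
""")


def plan_deletion(secret, primary_region, recovery_window_days=None, force=False):
    """Return the ordered CLI commands (argv lists) that delete `secret`.

    Mirrors the service's constraints: replicas go first, a recovery window must
    be 7..30 days (30 is the service default when none is given), and
    --force-delete-without-recovery cannot be combined with --recovery-window-in-days.
    """
    if force and recovery_window_days is not None:
        raise ValueError("choose either a recovery window or forced deletion, not both")
    window = 30 if recovery_window_days is None else recovery_window_days
    if not force and not 7 <= window <= 30:
        raise ValueError("recovery window must be between 7 and 30 days")

    base = ["aws", "secretsmanager"]
    commands = []
    # Replica secrets are removed immediately; the primary cannot be deleted while any remain.
    replica_regions = [r["Region"] for r in secret.get("ReplicationStatus", [])]
    if replica_regions:
        commands.append(base + ["remove-regions-from-replication",
                                "--secret-id", secret["ARN"],
                                "--region", primary_region,
                                "--remove-replica-regions", *replica_regions])
    delete = base + ["delete-secret", "--secret-id", secret["ARN"], "--region", primary_region]
    if force:
        delete.append("--force-delete-without-recovery")   # permanent, no restore possible
    else:
        delete += ["--recovery-window-in-days", str(window)]
    commands.append(delete)
    return commands


def restore_command(secret, primary_region):
    """CLI command that cancels a scheduled deletion while the recovery window is open."""
    return ["aws", "secretsmanager", "restore-secret",
            "--secret-id", secret["ARN"], "--region", primary_region]


def execute(commands):
    """Run the planned commands in order, stopping at the first failure."""
    for argv in commands:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Usage: python plan_deletion.py <secret-id> <primary-region> [--execute]
    # Without arguments it only prints the plan for the constructed sample.
    args = [a for a in sys.argv[1:] if a != "--execute"]
    if len(args) == 2:
        out = subprocess.run(["aws", "secretsmanager", "describe-secret", "--secret-id", args[0],
                              "--region", args[1], "--output", "json"],
                             check=True, capture_output=True, text=True)
        secret, region = json.loads(out.stdout), args[1]
    else:
        secret, region = SAMPLE_DESCRIBE_SECRET, "us-east-1"
    plan = plan_deletion(secret, region, recovery_window_days=14)
    for argv in plan:
        print(" ".join(argv))
    if "--execute" in sys.argv and len(args) == 2:
        execute(plan)
```

Printing the plan before running it is deliberate: the output is the exact sequence of CLI commands, so a reviewer can confirm that replicas are removed first and that a recovery window is set, and `restore_command` gives the cancel-deletion step for the window described in the Console section.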
Now, you know how to clean up unused secrets across your AWS regions.
Automate the Detection and Deletion of Unused AWS Secrets with Blink
The steps to find unused secrets and remove them are not hard, but when you are operating in multiple regions and you want to conduct this check regularly, it becomes a manual, time-consuming chore.
Instead of running this ad hoc and doing it yourself, you can use automation to run checks like this and notify you when there are secrets that are eligible for deletion due to inactivity.
With Blink, you can run this automation to survey your AWS account across regions and send a report of unused secrets to a designated email address.
When this automation runs, it executes the following actions:
Checks whether there are secrets in the AWS Secrets Manager that have not been used in a certain number of days.
Sends a report with the results via email.
You can import this automation from the Blink library and customize it however you like. For example, you could send a weekly Slack notification with a report on AWS secrets that haven’t been used in 90 days, with the ability to approve their deletion.
In Blink, you can also create automations from scratch to meet your team’s unique needs using the hundreds of drag-and-drop actions available from a wide range of tools.