How to Find and Delete Unused AWS Secrets

The AWS Secrets Manager makes it easy to create and store secrets, so you can reference them via API call instead of including them in your actual code.

There is still some basic maintenance you should do to make sure you are lowering your security risk and cloud costs. Each secret in AWS costs $0.40/month, including the same rate per replica. If you have unused secrets, they could be a waste of money and a security liability. It’s better to delete them when you are sure they are not being used. 

In this guide, we’ll show you how you can find unused AWS secrets and delete them.

Blink Automation: Find Unused AWS Secrets and Schedule Removal

Blink + AWS

Try This Automation

How to Find Unused AWS Secrets in Your Account

You can use either the AWS console or the AWS CLI for this task.

Using the AWS Console:

1. First, navigate to the AWS Secrets Manager section in the Console..
2. You will see a list of your secrets, with a Description and Last retrieved field.
3. To view secrets in other regions, change the region selected in the top-right navigation.
4. Take note of all Secrets with a Last retrieved date beyond a certain number of days. It’s up to you what threshold to use (60, 90, 120 days, etc.).

Using the AWS CLI:

To find all secrets in your account using AWS CLI, you can run this list-secrets command:

aws secretsmanager list-secrets

Here’s an example output:

{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
            "Name": "DemoSecret1",
            "LastChangedDate": 1523477145.729,
            "SecretVersionsToStages": {
                "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111": [
                    "AWSCURRENT"
                ]
            }
        },
        {
            "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:AnotherSecret-d4e5f6",
            "Name": "DemoSecret2",
            "LastChangedDate": 1523482025.685,
            "SecretVersionsToStages": {
                "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222": [
                    "AWSCURRENT"
                ]
            }
        }
    ]
}

You can then check when a secret was last retrieved by running this describe-secret command:

aws secretsmanager describe-secret 
    --secret-id DemoSecret1

You’ll see an output that looks like this:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-Ca8JGt",
    "Name": "DemoSecret1",
    "Description": "The secret we are using to demo",
    "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE",
    "RotationEnabled": true,
    "RotationLambdaARN": "arn:aws:lambda:us-west-2:123456789012:function:MyTestRotationLambda",
    "RotationRules": {
        "AutomaticallyAfterDays": 4,
        "Duration": "2h",
        "ScheduleExpression": "cron(0 16 1,15 * ? *)"
    },
    "LastRotatedDate": 1525747253.72,
    "LastChangedDate": 1523477145.729,
    "LastAccessedDate": 1524572133.25,
    "Tags": [
        {
            "Key": "SecondTag",
            "Value": "AnotherValue"
        },
        {
            "Key": "FirstTag",
            "Value": "SomeValue"
        }
    ],
    "VersionIdsToStages": {
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111": [
            "AWSPREVIOUS"
        ],
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222": [
            "AWSCURRENT"
        ],
        "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333": [
            "AWSPENDING"
        ]
    },
    "CreatedDate": 1521534252.66,
    "PrimaryRegion": "us-west-2",
    "ReplicationStatus": [
        {
            "Region": "eu-west-1",
            "KmsKeyId": "alias/aws/secretsmanager",
            "Status": "InSync",
            "StatusMessage": "Replication succeeded"
        }
    ]
}

The "LastAccessedDate" field will answer how long it’s been since the secret was retrieved. You can use a timestamp converter like this one to see the actual date.

How to Schedule an AWS Secret to be Deleted

To do so, you can use AWS Console or AWS CLI as follows:

Using the AWS Console:

1. Open the AWS Secrets Manager console and choose which secret you wish to delete.
2. Scroll down to the Replicate secret section. Before you can delete a Primary secret, you must first delete the replica secrets. If there are no replicas in this section, you can move on to the next step. If there are replica secrets here, select them and click Actions in the top-right corner of that section, then click Delete Replica. Replica secrets are deleted immediately with no waiting period.
3. Scroll up to the Secrets Do to Secret details section, choose Actions, and then click Delete secret.
4. You can specify the number of days you want AWS Secret Manager to wait before it permanently deletes the Secret by inputting a value under Waiting period for the Disable secret and schedule deletion prompt. Based on this, AWS Secrets Manager will attach a DeletionDate file that is the current date and time, plus the number of specified waiting days.
5. Select Schedule deletion.

If you need to restore a secret during the recovery window, you can click the Preferences icon next to the list of secrets and apply Show disabled secrets. Then, select the secret you want to recover and click Cancel deletion in the Secret details section.

Using the AWS CLI:

1. Deleting a secret replicated to other regions requires you to first remove its replicas with the remove-regions-from-replication command:

aws secretsmanager remove-regions-from-replication
   --secret-id DemoSecret1
   --remove-replica-regions eu-west-1

These replica secrets will be removed immediately.

2. Next, you can delete the primary secret using the delete-secret command.

To delete a secret with a preset recovery window, you can include the --recovery-window-in-days flag with a certain value:

aws secretsmanager delete-secret
   --secret-id DemoSecret1
   --recovery-window-in-days 7

You can also choice to delete a secret immediately:

aws secretsmanager delete-secret 
   --secret-id DemoSecret1
   --force-delete-without-recovery

Deleting a secret immediately results in permanent deletion. If you set up a recovery window instead, then you can still restore the secret during that window. 

You can restore a secret with this command:

aws secretsmanager restore-secret
   --secret-id DemoSecret1

Now, you know how to clean up unused secrets across your AWS regions.

Automate the Detection and Deletion of Unused AWS Secrets with Blink

The steps to find unused secrets and remove them are not hard, but when you are operating in multiple regions and you want to conduct this check regularly, it becomes a manual, time-consuming chore.

Instead of running this ad hoc and doing it yourself, you can use automation to run checks like this and notify you when there are secrets that are eligible for deletion due to inactivity.

With Blink, you can run this automation to survey your AWS account across regions and send a report of unused secrets to a designated email address.

When this automation runs, it executes the following actions:

1. Checks whether there are secrets in the AWS Secrets Manager that have not been used in a certain number of days.
2. Sends a report with the results via email.

You can import this automation from the Blink library and customize it however you like. For example, you could send a weekly Slack notification with a report on AWS secrets that haven’t been used in 90 days, with the ability to approve their deletion.

In Blink, you can also create automations from scratch to meet your team’s unique needs using the hundreds of drag-and-drop actions available from a wide range of tools.

Get started with Blink today to see how easy automation can be.