Secrets Manager Secret Without Rotation
secrets-manager-rotation-missing
What this rule checks
Detects Secrets Manager secrets with no rotation schedule in the template — static credentials that never expire.
How to fix it
- 1Add a rotation schedule (secret.addRotationSchedule(...) in CDK)
- 2For database credentials, prefer RDS ManageMasterUserPassword
- 3If the secret cannot rotate by design, suppress this rule to record the decision
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
new secretsmanager.Secret(this, 'ApiKey');import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
const secret = new secretsmanager.Secret(this, 'ApiKey');
new secretsmanager.CfnRotationSchedule(this, 'Rotation', {
secretId: secret.secretArn,
rotationLambdaArn:
'arn:aws:lambda:eu-west-2:111122223333:function:rotate-api-key',
rotationRules: { automaticallyAfterDays: 30 },
});CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
Affected resource types
AWS::SecretsManager::SecretAWS::SecretsManager::RotationScheduleIntentional? Suppress this finding
Sometimes a flag is deliberate — a genuinely public endpoint, say. You can dismiss secrets-manager-rotation-missing and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
"ignoreRules": [
{ "id": "secrets-manager-rotation-missing", "reason": "Why this is intentional" }
]
}Or inline in your CDK code:
Validations.of(scope).acknowledge({
id: 'cdk-insights::secrets-manager-rotation-missing',
reason: 'Why this is intentional',
});Use the rule ID secrets-manager-rotation-missing shown above — not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →
Catch this in your stack
$ npx cdk-insights scanCDK Insights runs this and 136+ other rules locally against your synthesised CDK app — free, no account, your code never leaves your machine.