turbot/aws_thrifty

Detect & correct SecretsManager secrets if unused

SecretsManager secrets carry an inherent monthly cost, so secrets that are no longer accessed or used should be removed to avoid further charges.

This query trigger detects unused secrets and then either sends a notification or attempts to perform a predefined corrective action.

Getting Started

By default, this trigger is disabled; it can be enabled and configured by setting the variables below:

  • secretsmanager_secrets_if_unused_trigger_enabled should be set to true as the default is false.
  • secretsmanager_secrets_if_unused_trigger_schedule should be set to your desired running schedule
  • secretsmanager_secrets_if_unused_default_action should be set to your desired action (i.e. "notify" for notifications or "delete_secret" to delete the secret).

Then start the server:

flowpipe server

or if you've set the variables in a .fpvars file:

flowpipe server --var-file=/path/to/your.fpvars

Query

select
  concat(name, ' [', region, '/', account_id, ']') as title,
  name,
  region,
  _ctx ->> 'connection_name' as cred
from
  aws_secretsmanager_secret
where
  date_part('day', now() - last_accessed_date) > 90 :: int
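The following is an added example, not part of the turbot/aws_thrifty mod, that runs the same 90-day condition over a small constructed table instead of the live Steampipe aws_secretsmanager_secret table. The column names mirror that table; the rows, names, account id and dates are constructed. It shows an edge case worth knowing about: a secret that has never been read has a NULL last_accessed_date, so the comparison evaluates to NULL and the mod's query silently skips it. The second column is a suggested variant (not the mod's code) that falls back to created_date for never-accessed secrets and leaves out secrets already scheduled for deletion.

```sql
-- Added example, not part of the turbot/aws_thrifty mod.
-- Constructed sample data standing in for the Steampipe table
-- aws_secretsmanager_secret (column names match that table).
with sample_secrets(name, region, account_id, created_date, last_accessed_date, deleted_date) as (
  values
    -- read 3 days ago: in use
    ('prod/db-password', 'us-east-1', '123456789012', now() - interval '400 days', now() - interval '3 days',   null),
    -- last read 120 days ago: unused
    ('legacy/api-key',   'us-east-1', '123456789012', now() - interval '400 days', now() - interval '120 days', null),
    -- never read: last_accessed_date is NULL
    ('never-read/token', 'eu-west-1', '123456789012', now() - interval '200 days', null,                        null),
    -- unused, but deletion already scheduled 2 days ago
    ('retired/cert',     'eu-west-1', '123456789012', now() - interval '400 days', now() - interval '150 days', now() - interval '2 days')
)
select
  concat(name, ' [', region, '/', account_id, ']') as title,
  -- The mod's condition as written. For a NULL last_accessed_date the
  -- comparison yields NULL, so 'never-read/token' is not flagged.
  date_part('day', now() - last_accessed_date) > 90 as flagged_by_mod_query,
  -- Suggested variant (assumption, not the mod's query): treat a
  -- never-accessed secret as idle since creation, and skip secrets
  -- that are already pending deletion.
  date_part('day', now() - coalesce(last_accessed_date, created_date)) > 90
    and deleted_date is null as flagged_with_null_handling
from
  sample_secrets
order by
  name;
```

Run against PostgreSQL (the engine behind Steampipe). Expected per row: prod/db-password false/false, legacy/api-key true/true, never-read/token NULL/true, retired/cert true/false. Whether a never-accessed secret should count as unused is a policy decision; if it should, the coalesce form is the one to put in the where clause.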

Schedule

15m