Secrets Manager Exposure

Are your stored secrets accessible from outside your account?

What this looks like in the scanner (securecompass.io/public-exposure-scanner)

Critical: prod/database/primary
Secrets Manager resource policy allows secretsmanager:GetSecretValue from Principal: "*"

High: api-keys/payment-gateway
Secret has resource policy granting access to external AWS account 987654321012

Medium: prod/redis/connection
Secret does not have automatic rotation enabled - last manual rotation was 180 days ago

What does AWS Secrets Manager public exposure mean?

A Secrets Manager resource policy is attached to an individual secret and can grant access to principals outside the owning account, including other AWS accounts or, with Principal: "*", anyone who can reach the API. An overly permissive policy means your database passwords, API keys, and other secrets can be retrieved by parties you never intended to trust, without any IAM identity in your own account being involved.
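A resource policy that addresses the Critical finding above, added here as an illustration rather than a policy taken from the scanner or from AWS. The account ID 111111111111 and the role name payment-service are placeholders. Access is allowed only to one named role, and the explicit Deny with the aws:PrincipalAccount condition key ensures that no later Allow statement can open the secret to another account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPaymentServiceRole",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/payment-service" },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    },
    {
      "Sid": "DenyAnyOtherAccount",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:PrincipalAccount": "111111111111" }
      }
    }
  ]
}
```

Attach it with `aws secretsmanager put-resource-policy --secret-id YOUR_SECRET_NAME --resource-policy file://policy.json`; the `--block-public-policy` flag on that command makes the API reject a policy that would grant public access.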

Why it matters

Secrets Manager stores your most sensitive credentials. External access to these secrets is a direct path to data breaches, unauthorized API access, and infrastructure compromise.

How to check manually

  1. Review resource policies on each secret for external access
  2. Check for secrets with Principal: "*" in their policy
  3. Verify automatic rotation is enabled for supported secret types
  4. Review CloudTrail for GetSecretValue calls from unexpected sources
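The four steps above, implemented as offline checks in Python. This is an added example, not code from the scanner or from AWS; it works on constructed data shaped like the output of `list-secrets`, `get-resource-policy` and CloudTrail records. The account ID 111111111111, the expected caller prefix and the 90-day rotation limit are assumptions you would replace with your own values:

```python
"""Offline checks for the four manual steps: resource-policy review, Principal "*" detection,
rotation status, and GetSecretValue calls from unexpected callers. All data below is constructed."""
import json
from datetime import datetime, timedelta, timezone

OWN_ACCOUNT = "111111111111"                    # constructed: the account being audited
TRUSTED_ACCOUNTS = {OWN_ACCOUNT}                # add known partner accounts here
ROTATION_MAX_AGE_DAYS = 90                      # assumption: your rotation policy
EXPECTED_CALLER_PREFIX = f"arn:aws:sts::{OWN_ACCOUNT}:assumed-role/app-"  # constructed

def _principals(statement):
    """Yield each principal in a statement; Principal is "*" or a dict of str / list values."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    for value in principal.values():
        yield from ([value] if isinstance(value, str) else value)

def _account_of(principal):
    """Account ID of an ARN or bare account-ID principal; None for a wildcard."""
    if principal == "*":
        return None
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else None

def classify_policy(policy_json):
    """Return 'none', 'public', 'external' or 'internal' for a resource policy document.
    Conditions are not evaluated, so a "*" principal narrowed by a Condition is still flagged."""
    if not policy_json:
        return "none"
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    worst = "internal"
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        for principal in _principals(statement):
            if principal.endswith(".amazonaws.com"):   # AWS service principal, not an account
                continue
            account = _account_of(principal)
            if account in (None, "*"):
                return "public"
            if account not in TRUSTED_ACCOUNTS:
                worst = "external"
    return worst

def rotation_finding(secret, now):
    """Describe a rotation problem for one list-secrets item, or None when it is healthy."""
    last = secret.get("LastRotatedDate")
    age_days = (now - last).days if last else None
    if not secret.get("RotationEnabled"):
        when = f"last manual rotation {age_days} days ago" if age_days is not None else "never rotated"
        return f"automatic rotation disabled ({when})"
    if age_days is not None and age_days > ROTATION_MAX_AGE_DAYS:
        return f"rotation enabled but last rotated {age_days} days ago"
    return None

def unexpected_get_secret_value(events, expected_prefix=EXPECTED_CALLER_PREFIX):
    """Return (time, caller, source IP) for GetSecretValue events not made by the expected role."""
    hits = []
    for event in events:
        if event.get("eventName") != "GetSecretValue":
            continue
        identity = event.get("userIdentity", {})
        caller = identity.get("arn") or identity.get("accountId", "unknown")
        if identity.get("accountId") != OWN_ACCOUNT or not caller.startswith(expected_prefix):
            hits.append((event["eventTime"], caller, event.get("sourceIPAddress")))
    return hits

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time
ALLOW_ALL = {"Effect": "Allow", "Principal": "*", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}
ALLOW_EXTERNAL = dict(ALLOW_ALL, Principal={"AWS": "arn:aws:iam::987654321012:root"})
SAMPLE_SECRETS = [  # constructed: list-secrets items merged with their get-resource-policy result
    {"Name": "prod/database/primary", "RotationEnabled": True, "LastRotatedDate": NOW - timedelta(days=20),
     "ResourcePolicy": json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_ALL]})},
    {"Name": "api-keys/payment-gateway", "RotationEnabled": True, "LastRotatedDate": NOW - timedelta(days=10),
     "ResourcePolicy": json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_EXTERNAL]})},
    {"Name": "prod/redis/connection", "RotationEnabled": False, "LastRotatedDate": NOW - timedelta(days=180),
     "ResourcePolicy": None},
]
SAMPLE_EVENTS = [  # constructed CloudTrail records (the parsed CloudTrailEvent JSON)
    {"eventTime": "2024-05-30T10:00:00Z", "eventName": "GetSecretValue", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"accountId": OWN_ACCOUNT, "arn": EXPECTED_CALLER_PREFIX + "api/i-0abc"}},
    {"eventTime": "2024-05-30T11:00:00Z", "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accountId": "987654321012", "arn": "arn:aws:iam::987654321012:user/partner"}},
    {"eventTime": "2024-05-30T12:00:00Z", "eventName": "DescribeSecret", "sourceIPAddress": "10.0.1.9",
     "userIdentity": {"accountId": OWN_ACCOUNT, "arn": f"arn:aws:iam::{OWN_ACCOUNT}:user/alice"}},
]

def audit(secrets=SAMPLE_SECRETS, events=SAMPLE_EVENTS, now=NOW):
    """Map each secret name to its findings, plus 'cloudtrail' for unexpected callers."""
    findings = {}
    for secret in secrets:
        items = []
        exposure = classify_policy(secret.get("ResourcePolicy"))
        if exposure in ("public", "external"):
            items.append(f"resource policy grants {exposure} access")
        problem = rotation_finding(secret, now)
        if problem:
            items.append(problem)
        findings[secret["Name"]] = items
    findings["cloudtrail"] = unexpected_get_secret_value(events)
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

To run this against a real account, feed `audit()` the items from `list-secrets` with each secret's `ResourcePolicy` string from `get-resource-policy`, and the records from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue` after parsing each event's `CloudTrailEvent` JSON string. The classifier deliberately ignores Condition blocks, so a Principal "*" policy restricted by aws:PrincipalOrgID still shows up as public; treat that as a prompt to review it rather than as a confirmed exposure.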

Quick check with AWS CLI

List all secrets and print the resource policy attached to each (a secret with no policy returns only its Name and ARN)
aws secretsmanager list-secrets --query "SecretList[].ARN" --output text | tr '\t' '\n' | xargs -I {} aws secretsmanager get-resource-policy --secret-id {} 2>/dev/null
Check rotation status for all secrets
aws secretsmanager list-secrets --query "SecretList[].{Name:Name,RotationEnabled:RotationEnabled,LastRotated:LastRotatedDate}" --output table
Check a specific secret's resource policy (printed as the raw JSON document)
aws secretsmanager get-resource-policy --secret-id YOUR_SECRET_NAME --query "ResourcePolicy" --output text

Common misconfigurations

Resource policy granting access to external accounts
Secrets without automatic rotation configured
Overly broad IAM policies allowing access to all secrets
Secrets not encrypted with a customer-managed KMS key

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
