cloudformation-coverage-roadmap
Allow AWS::SecretsManager::Secret grace period
Name of the resource
AWS::SecretsManager::Secret
Resource name
No response
Description
Currently the default deletion policy for an AWS::SecretsManager::Secret resource is force-delete-without-recovery [1].
This means that the deletion "grace period" [2] cannot be used when managing your secrets via CFN. This behavior is inconsistent with other resource types, such as AWS::KMS::Key, which allows a grace period (via a pending window) and provides a property for customizing its duration [3].
I understand that CFN needs to force delete the secret to avoid lingering artifacts after stack termination; however, the same requirement does not appear to apply to the KMS key. Therefore, a possible solution would be to update the CFN resource handler for AWS::SecretsManager::Secret to not force delete the secret on resource termination, and instead export the resource at resource termination.
Issues this solution may cause:
- Naming conflicts from recently deleted resources/stacks and their secret names
- Potential security impact of changing the default behavior, which would now allow secrets to be recovered after stack deletion
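As an added illustration of the asymmetry described above (constructed for this page, not part of the issue): the KMS key can declare PendingWindowInDays so that stack deletion only schedules the key for deletion, while the secret has no equivalent property, and the only way today to keep it from being force-deleted is DeletionPolicy: Retain, which leaves it orphaned in the account rather than scheduled for deletion. Resource names and the secret contents are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example contrasting KMS key and secret deletion behavior

Resources:
  # KMS key: on stack deletion the key is scheduled for deletion and stays
  # recoverable for PendingWindowInDays (7 to 30 days) before it is removed.
  AppKey:
    Type: AWS::KMS::Key
    Properties:
      PendingWindowInDays: 30
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"

  # Secret: no recovery-window property exists, so without DeletionPolicy the
  # handler force-deletes it immediately when the stack is deleted.
  # Retain avoids the data loss but leaves the secret behind, outside CFN.
  AppSecret:
    Type: AWS::SecretsManager::Secret
    DeletionPolicy: Retain
    Properties:
      Description: Constructed example secret
      KmsKeyId: !Ref AppKey
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
```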
Interested to hear your thoughts.
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html
[2] https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html
[3] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-pendingwindowindays
Other Details
No response