Tags: amazon-web-services, aws-cloudformation, aws-secrets-manager

AWS Secret Manager secret deleted without mandatory retention period


I created a secret using a CloudFormation template that looked like this:

"DBSecretCredentials": {
   "Type": "AWS::SecretsManager::Secret",
   "Properties": {
      "Name": "MyAwesomeSecret",
      "Description": "Something",
      "GenerateSecretString": {
         "SecretStringTemplate": "{\"USER\":\"superman\"}",
         "GenerateStringKey": "PASSWORD",
         "PasswordLength": 30,
         "ExcludeCharacters": "\"@/\\"
      },
      "Tags": [
         {
            "Key": "AppName",
            "Value": "Something"
         },
         {
            "Key": "Environment",
            "Value": {
               "Ref": "Environment"
            }
         }
      ]
   }
}

When I deleted the CloudFormation stack, I was expecting the secret to still be there in "pending deletion" status with the 7-day retention policy, as that is what AWS mandates.

When I visited the AWS Console, there was no secret in pending-deletion mode. (Yes, I clicked the gear icon and checked the "Show secrets scheduled for deletion" checkbox.)

I queried AWS Secrets Manager using the CLI to list all the secrets, but it did not return the secret that was deleted as a result of the CloudFormation stack deletion.

Am I missing something here?


Solution

  • When a CloudFormation stack is deleted, Secrets Manager is called with the "force-delete-without-recovery" option and all secrets are deleted permanently. This is to enable CloudFormation to be able to delete each referenced secret without leaving artifacts in your account.
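As an added example (not part of the question or the answer above), here is the same resource with the CloudFormation resource attributes `DeletionPolicy` and `UpdateReplacePolicy` set to `Retain`. With these set, deleting the stack (or replacing the resource during an update) leaves the secret in the account instead of force-deleting it; it then has to be deleted explicitly with `aws secretsmanager delete-secret`, which applies the normal recovery window (7 to 30 days, default 30) unless `--force-delete-without-recovery` is passed. The resource and its properties are copied from the question; the `Parameters` block for `Environment` is an assumption added so the template is complete, and since JSON allows no comments, that is the only place it is stated.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "Environment": {
      "Type": "String",
      "Default": "dev"
    }
  },
  "Resources": {
    "DBSecretCredentials": {
      "Type": "AWS::SecretsManager::Secret",
      "DeletionPolicy": "Retain",
      "UpdateReplacePolicy": "Retain",
      "Properties": {
        "Name": "MyAwesomeSecret",
        "Description": "Something",
        "GenerateSecretString": {
          "SecretStringTemplate": "{\"USER\":\"superman\"}",
          "GenerateStringKey": "PASSWORD",
          "PasswordLength": 30,
          "ExcludeCharacters": "\"@/\\"
        },
        "Tags": [
          {
            "Key": "AppName",
            "Value": "Something"
          },
          {
            "Key": "Environment",
            "Value": {
              "Ref": "Environment"
            }
          }
        ]
      }
    }
  }
}
```

After the stack is gone, `aws secretsmanager describe-secret --secret-id MyAwesomeSecret` still returns the secret; once it is deleted by hand, the same call shows a `DeletedDate` field for as long as the recovery window is open, and `aws secretsmanager list-secrets --include-planned-deletion` lists it alongside active secrets. The trade-off is that a retained secret with a fixed `Name` blocks re-creating the stack until the old secret is removed or restored.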