What should the developer do to meet these requirements?
Configure an AWS CloudTrail log file delivery to an Amazon S3 bucket. Create an Amazon CloudWatch alarm for the GetSecretValue Secrets Manager API operation requests.
Create a secretsmanager-secret-unused AWS Config managed rule. Create an Amazon EventBridge rule to initiate notifications when the AWS Config managed rule is met.
Deactivate the applications' secrets and temporarily monitor the applications' error logs.
Configure AWS X-Ray for the applications. Create a sampling rule to match the GetSecretValue Secrets Manager API operation requests.
Explanations:
Configuring AWS CloudTrail to log GetSecretValue API requests can help track which secrets are being accessed, but it does not directly notify the developer about the usage of secrets in a real-time manner or provide a straightforward way to identify unused secrets. Additionally, relying solely on CloudTrail logs may result in delays in obtaining usage information.
Creating a secretsmanager-secret-unused AWS Config managed rule allows the developer to monitor the usage of secrets over time and get notified when secrets are unused. This approach is proactive and integrates well with AWS services, ensuring that the developer can identify and manage secrets without causing application downtime.
Deactivating application secrets could lead to application errors and downtime as applications may rely on those secrets for operation. Monitoring error logs would not provide a reliable method for identifying all unused secrets without impacting the application’s functionality.
While AWS X-Ray can provide insights into application performance and trace requests, using it to create a sampling rule for GetSecretValue API requests may not be the best approach. This option does not focus on identifying unused secrets effectively and may also introduce complexity without guaranteed results.