🧠 SecreMind – Secret Lifecycle Intelligence for AWS
SecreMind helps teams discover, monitor, and manage secrets across AWS environments. It gives you visibility into secret rotation, expiration, and compliance with automated alerts and calendar-based reminders — deployable with a single Terraform apply.
🚀 Overview
SecreMind is a lightweight, event-driven AWS solution built with Terraform and Go. It scans AWS Secrets Manager, SSM Parameter Store, and KMS, collects metadata, and stores the results in an S3 + Glue + Athena data lake for analysis and automation.
🧩 Architecture

```
                EventBridge Scheduler (daily)
                            │ triggers
                            ▼
Secrets Manager / SSM / KMS ──(metadata only)──▶ [Lambda: Scanner]
                                                       │
                                                       ├──→ S3 (NDJSON snapshot)
                                                       ├──→ Glue Catalog + Athena Table
                                                       └──→ SNS / Email / Calendar (optional)
```

The scheduler is the trigger, not an output: EventBridge invokes the scanner once a day, the scanner describes secrets without fetching their values, and everything downstream reads the snapshot it writes to S3.
⚙️ Features (MVP)

| Feature | Description |
|---|---|
| 🔍 Secret Discovery | Scans AWS Secrets Manager and SSM Parameter Store metadata |
| 📦 Data Lake | Stores daily NDJSON snapshots in S3 |
| 🧮 Athena + Glue Table | Query and visualize secrets by age, rotation status, or region |
| ⏰ EventBridge Schedule | Daily automated scan of all secrets |
| 📢 Notifications (optional) | SNS/Slack alerts for stale or unrotated secrets |
| 🗓️ Calendar Feed (optional) | .ics file reminders for upcoming rotation deadlines |
| 🧰 Developer Ready | CLI and Terraform-first design |

🧱 Components

| Component | Language | Purpose |
|---|---|---|
| lambda/scanner | Go | Scans Secrets Manager and SSM for metadata and writes NDJSON to S3 |
| terraform/ | HCL | Deploys S3, Glue, Athena, Lambda, IAM roles, and scheduler |
| Makefile | Bash | Builds Lambda binary and zip |
| build/ | Artifact | Compiled bootstrap binary and packaged zip for deployment |

🔧 Quick Start
1. Prerequisites

- AWS CLI configured (aws configure)
- Terraform ≥ 1.5
- Go ≥ 1.22
- Make

2. Build the Lambda

```sh
make build
```

This produces:

```
build/bootstrap
build/scanner_linux_arm64.zip
```

3. Deploy the infrastructure

```sh
cd terraform
terraform init
terraform apply -auto-approve
```

Once deployed, Terraform will output:

- S3 bucket name
- Glue database and table
- Lambda function name

4. Trigger a manual scan

Run this from the terraform/ directory so that `terraform output` can resolve the function name. AWS CLI v2 treats `--payload` as base64 unless told otherwise, so the `--cli-binary-format` flag is needed for a raw JSON payload:

```sh
aws lambda invoke \
  --function-name "$(terraform output -raw lambda_name)" \
  --cli-binary-format raw-in-base64-out \
  --payload '{}' \
  /dev/stdout
```

The function's CloudWatch logs show the S3 object path that was written.

5. Query your data

Run in Athena:

```sql
SELECT source, name, arn, days_since_last_change, rotation_enabled
FROM secrets_metadata
ORDER BY days_since_last_change DESC
LIMIT 20;
```
🧪 Sandbox Setup
For isolated testing, you can deploy SecreMind into a sandbox account:

- Use account alias: secremind-sbx
- Apply Terraform tags to every resource:

```hcl
tags = {
  Project = "SecreMind"
  Env     = "SBX"
  Owner   = "Danny"
}
```

- Apply an AWS budget or service control policy to limit cost.
🔐 Security Notes
- The scanner never reads secret values, only metadata. The role is not granted `secretsmanager:GetSecretValue` or `ssm:GetParameter`/`ssm:GetParameters`, so even a compromised scanner cannot return a secret's contents.
- Read access on the secret stores is limited to:
  - `secretsmanager:ListSecrets`, `secretsmanager:DescribeSecret`, `secretsmanager:ListSecretVersionIds`
  - `ssm:DescribeParameters`
  - `kms:ListKeys`, `kms:DescribeKey`
- Beyond those, the role only needs `s3:PutObject` on the data-lake bucket and CloudWatch Logs write access for its own output; keep both scoped to the bucket and log group Terraform creates rather than `*`.
- Logs are retained for 14 days by default.
- S3 data is encrypted with SSE-S3 (upgradeable to KMS). The snapshot holds no secret values, but it is a complete inventory of secret names, ARNs, regions and account IDs, so restrict read access to the bucket and the Athena table as you would any asset inventory.
🛠️ Project Roadmap

| Phase | Deliverable | Status |
|---|---|---|
| 1 | AWS Lambda scanner + Terraform infrastructure | ✅ |
| 2 | Notifier Lambda for SNS/Slack alerts | 🕓 |
| 3 | ICS calendar generator Lambda | 🕓 |
| 4 | Cross-account scanning via AssumeRole | 🕓 |
| 5 | CLI + QuickSight dashboards | 🕓 |
| 6 | AWS Marketplace packaging | 🕓 |

📁 Directory Structure

```
secremind/
├── lambda/
│   └── scanner/
│       ├── go.mod
│       └── main.go
├── terraform/
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── build/
├── Makefile
└── README.md
```
🧰 Make Targets

| Command | Description |
|---|---|
| make build | Builds Lambda binary and zip |
| make clean | Removes build artifacts |
| terraform apply | Deploys infrastructure |
| aws lambda invoke | Manually trigger scan |

🧑‍💻 Example Output
Sample NDJSON written to S3:
```json
{
  "source": "secretsmanager",
  "name": "prod/app/db_password",
  "arn": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/app/db_password-abc123",
  "created_ts": "2025-10-13T09:21:00Z",
  "last_changed_ts": "2025-10-10T08:00:00Z",
  "rotation_enabled": true,
  "days_since_last_change": 3,
  "region": "eu-west-1",
  "account_id": "123456789012"
}
```
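To show how a consumer of these snapshots, such as the planned notifier and calendar-feed Lambdas, would process them, here is an added example in Go. It is not code from the SecreMind repository. It parses NDJSON lines with the fields above, recomputes `days_since_last_change` against the scan time as a cross-check, applies an alert rule (rotation disabled, or last change older than 90 days) and emits one iCalendar VEVENT per stale secret. The 90-day threshold, the second sample record and the calendar layout are assumptions of this example, not project settings.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Record mirrors one NDJSON line written by the scanner (fields as in the sample above).
type Record struct {
	Source              string    `json:"source"`
	Name                string    `json:"name"`
	ARN                 string    `json:"arn"`
	CreatedTS           time.Time `json:"created_ts"`
	LastChangedTS       time.Time `json:"last_changed_ts"`
	RotationEnabled     bool      `json:"rotation_enabled"`
	DaysSinceLastChange int       `json:"days_since_last_change"`
	Region              string    `json:"region"`
	AccountID           string    `json:"account_id"`
}

// Constructed sample snapshot: the README record plus an assumed, never-rotated SSM parameter.
const sampleSnapshot = `{"source":"secretsmanager","name":"prod/app/db_password","arn":"arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/app/db_password-abc123","created_ts":"2025-10-13T09:21:00Z","last_changed_ts":"2025-10-10T08:00:00Z","rotation_enabled":true,"days_since_last_change":3,"region":"eu-west-1","account_id":"123456789012"}
{"source":"ssm","name":"/legacy/api_token","arn":"arn:aws:ssm:eu-west-1:123456789012:parameter/legacy/api_token","created_ts":"2024-01-05T10:00:00Z","last_changed_ts":"2024-01-05T10:00:00Z","rotation_enabled":false,"days_since_last_change":646,"region":"eu-west-1","account_id":"123456789012"}
`

// ParseSnapshot decodes NDJSON (one object per line). A malformed line is an error,
// not a silent skip: a dropped line is a secret missing from the inventory.
func ParseSnapshot(ndjson string) ([]Record, error) {
	var recs []Record
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var r Record
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		recs = append(recs, r)
	}
	return recs, sc.Err()
}

// DaysSince recomputes a secret's age at scan time, so the stored
// days_since_last_change can be cross-checked rather than trusted.
func DaysSince(lastChanged, now time.Time) int {
	return int(now.Sub(lastChanged).Hours() / 24)
}

// StaleSecrets applies the alert rule: rotation disabled, or last change older than maxAge.
func StaleSecrets(recs []Record, now time.Time, maxAge time.Duration) []Record {
	var out []Record
	for _, r := range recs {
		if !r.RotationEnabled || now.Sub(r.LastChangedTS) > maxAge {
			out = append(out, r)
		}
	}
	return out
}

// icsEscape applies RFC 5545 TEXT escaping so a secret name cannot break the calendar
// syntax (folding of lines longer than 75 octets is omitted in this example).
func icsEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, ";", `\;`, ",", `\,`, "\n", `\n`).Replace(s)
}

// ICSEvent renders an all-day VEVENT on the rotation deadline (last change + maxAge).
// The UID is the ARN, so a regenerated feed updates the entry instead of duplicating it.
func ICSEvent(r Record, maxAge time.Duration, stamp time.Time) string {
	deadline := r.LastChangedTS.Add(maxAge).UTC()
	return strings.Join([]string{
		"BEGIN:VEVENT",
		"UID:" + icsEscape(r.ARN),
		"DTSTAMP:" + stamp.UTC().Format("20060102T150405Z"),
		"DTSTART;VALUE=DATE:" + deadline.Format("20060102"),
		"SUMMARY:Rotate secret " + icsEscape(r.Name),
		"DESCRIPTION:" + icsEscape(r.Source+" secret in "+r.Region+" ("+r.AccountID+")"),
		"END:VEVENT",
	}, "\r\n")
}

func main() {
	now := time.Date(2025, 10, 13, 9, 21, 0, 0, time.UTC) // scan time of the sample
	const maxAge = 90 * 24 * time.Hour                     // assumed rotation policy
	recs, err := ParseSnapshot(sampleSnapshot)
	if err != nil {
		panic(err)
	}
	for _, r := range recs { // sanity check: recompute the stored age
		if got := DaysSince(r.LastChangedTS, now); got != r.DaysSinceLastChange {
			fmt.Printf("WARN %s: stored %d days, recomputed %d\n", r.Name, r.DaysSinceLastChange, got)
		}
	}
	fmt.Print("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//secremind-example//EN\r\n")
	for _, r := range StaleSecrets(recs, now, maxAge) {
		fmt.Print(ICSEvent(r, maxAge, now), "\r\n")
	}
	fmt.Print("END:VCALENDAR\r\n")
}
```

With the sample above, only the unrotated `/legacy/api_token` parameter is flagged and its deadline lands on 2024-04-04, i.e. already overdue; a real notifier would treat a deadline in the past as an immediate alert and a future one as a calendar reminder. Keying the VEVENT UID on the ARN is what lets a daily regenerated `.ics` feed stay idempotent in a subscriber's calendar.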
🧠 Future Enhancements
🔄 Automatic rotation enforcement via Lambda trigger
🧾 Compliance reports (JSON/CSV)
📅 Google Calendar / Outlook integration
🔍 CLI (secremind list --stale)
🌍 Multi-account Organization aggregation
🧑💼 Author
Sandor Daniel Molnar
AWS Consultant & Platform Engineer, London, UK
github.com/danny-molnar
🧾 License
MIT License © 2025 Sandor Daniel Molnar