prowler-cloud
diff --git a/‎prowler/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎prowler/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎prowler/config/config.yaml‎
Lines changed: 3 additions & 0 deletions b/‎prowler/config/config.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎prowler/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/__init__.py‎ b/‎prowler/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/__init__.py‎
diff --git a/‎prowler/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/secretmanager_secret_rotation_enabled.metadata.json‎
Lines changed: 40 additions & 0 deletions b/‎prowler/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/secretmanager_secret_rotation_enabled.metadata.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎prowler/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/secretmanager_secret_rotation_enabled.py‎
Lines changed: 83 additions & 0 deletions b/‎prowler/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/secretmanager_secret_rotation_enabled.py‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎prowler/providers/gcp/services/secretmanager/secretmanager_service.py‎
Lines changed: 7 additions & 0 deletions b/‎prowler/providers/gcp/services/secretmanager/secretmanager_service.py‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎tests/providers/gcp/gcp_provider_test.py‎
Lines changed: 1 addition & 0 deletions b/‎tests/providers/gcp/gcp_provider_test.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/__init__.py‎ b/‎tests/providers/gcp/services/secretmanager/secretmanager_secret_rotation_enabled/__init__.py‎
@@ -14,6 +14,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `cloudfunction_function_inside_vpc` check for GCP provider, verifying Cloud Functions have a Serverless VPC Access connector for private egress [(#11021)](https://github.com/prowler-cloud/prowler/pull/11021)
 - `cloudfunction_function_not_publicly_accessible` check for GCP provider, detecting Cloud Functions with `allUsers` or `allAuthenticatedUsers` IAM invocation bindings [(#11022)](https://github.com/prowler-cloud/prowler/pull/11022)
 - `secretmanager_secret_not_publicly_accessible` check for GCP provider, detecting Secret Manager secrets with public IAM bindings [(#11025)](https://github.com/prowler-cloud/prowler/pull/11025)
+- `secretmanager_secret_rotation_enabled` check for GCP provider, verifying Secret Manager secrets have automatic rotation configured within 90 days [(#11026)](https://github.com/prowler-cloud/prowler/pull/11026)
 - `identity_storage_service_level_admins_scoped` check for OCI provider CIS 3.1 control 1.15, ensuring storage service-level administrators exclude delete permissions [(#11523)](https://github.com/prowler-cloud/prowler/pull/11523)
 - `cosmosdb_account_automatic_failover_enabled` check for Azure provider [(#11031)](https://github.com/prowler-cloud/prowler/pull/11031)
 - `cosmosdb_account_backup_policy_continuous` check for Azure provider [(#11032)](https://github.com/prowler-cloud/prowler/pull/11032)
 
@@ -582,6 +582,9 @@ gcp:
   # GCP Storage Sufficient Retention Period
   # gcp.cloudstorage_bucket_sufficient_retention_period
   storage_min_retention_days: 90
+  # GCP Secret Manager Rotation Period
+  # gcp.secretmanager_secret_rotation_enabled
+  secretmanager_max_rotation_days: 90
 
 # Kubernetes Configuration
 kubernetes:
 
@@ -0,0 +1,40 @@
+{
+  "Provider": "gcp",
+  "CheckID": "secretmanager_secret_rotation_enabled",
+  "CheckTitle": "Secret Manager secret is rotated every 90 days or less",
+  "CheckType": [],
+  "ServiceName": "secretmanager",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "secretmanager.googleapis.com/Secret",
+  "Description": "Secret Manager secrets have **automatic rotation** configured with a rotation period of `90` days or less and the next scheduled rotation has not been missed.\n\nThe evaluation reviews each secret's `rotation` settings to confirm both the period and the upcoming rotation time are within bounds.",
+  "Risk": "Without timely rotation, a leaked or compromised secret remains valid indefinitely, eroding **confidentiality** and widening the **blast radius** of any credential exposure. Stale secrets also bypass periodic re-authorization controls expected by frameworks such as PCI-DSS and ISO 27001.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://cloud.google.com/secret-manager/docs/rotation-recommendations",
+    "https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "gcloud secrets update <SECRET_NAME> --rotation-period=7776000s --next-rotation-time=<RFC3339_TIMESTAMP>",
+      "NativeIaC": "",
+      "Other": "1. In Google Cloud Console, go to Security > Secret Manager\n2. Select the secret and click Edit secret\n3. Under Rotation, enable Automatic rotation with a period of 90 days or less\n4. Configure a Pub/Sub topic to receive rotation notifications\n5. Click Save",
+      "Terraform": "```hcl\nresource \"google_secret_manager_secret\" \"<example_resource_name>\" {\n  secret_id = \"<example_resource_id>\"\n\n  replication {\n    auto {}\n  }\n\n  rotation {\n    rotation_period    = \"7776000s\" # Critical: enables rotation within 90 days\n    next_rotation_time = \"<RFC3339_TIMESTAMP>\"\n  }\n}\n```"
+    },
+    "Recommendation": {
+      "Text": "Enable **automatic rotation** for every Secret Manager secret with a period of `90` days or less.\n\nWire **Pub/Sub notifications** to trigger rotation logic and apply **defense in depth** by versioning each secret update so consumers can roll back without losing availability.",
+      "Url": "https://hub.prowler.com/check/secretmanager_secret_rotation_enabled"
+    }
+  },
+  "Categories": [
+    "secrets"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "secretmanager_secret_not_publicly_accessible",
+    "kms_key_rotation_enabled",
+    "iam_sa_user_managed_key_rotate_90_days"
+  ],
+  "Notes": "A secret without a rotationPeriod field has no automatic rotation configured and will be marked as FAIL. Rotation periods exceeding 90 days are also marked as FAIL."
+}
@@ -0,0 +1,83 @@
+import datetime
+
+from prowler.lib.check.models import Check, Check_Report_GCP
+from prowler.providers.gcp.services.secretmanager.secretmanager_client import (
+    secretmanager_client,
+)
+
+
+class secretmanager_secret_rotation_enabled(Check):
+    """
+    Ensure Secret Manager secrets have automatic rotation configured within the max rotation period.
+
+    - PASS: Secret has a rotation period within the maximum (default 90 days) and the next rotation is not overdue.
+    - FAIL: Secret has no rotation, the period exceeds the maximum, or the next rotation has been missed.
+    """
+
+    def execute(self) -> list[Check_Report_GCP]:
+        """Evaluate every Secret Manager secret's rotation configuration against the maximum rotation period."""
+        findings = []
+
+        max_rotation_days = int(
+            getattr(secretmanager_client, "audit_config", {}).get(
+                "secretmanager_max_rotation_days", 90
+            )
+        )
+
+        for secret in secretmanager_client.secrets:
+            report = Check_Report_GCP(
+                metadata=self.metadata(),
+                resource=secret,
+                resource_id=secret.name,
+            )
+
+            rotation_seconds = None
+            if secret.rotation_period:
+                try:
+                    rotation_seconds = float(secret.rotation_period[:-1])
+                except (ValueError, IndexError):
+                    rotation_seconds = None
+
+            rotation_overdue = False
+            if rotation_seconds is not None and secret.next_rotation_time:
+                try:
+                    parsed = secret.next_rotation_time.replace("Z", "+00:00")
+                    next_rotation_time = datetime.datetime.fromisoformat(parsed)
+                    rotation_overdue = next_rotation_time < datetime.datetime.now(
+                        datetime.timezone.utc
+                    )
+                except (ValueError, AttributeError):
+                    rotation_overdue = True
+
+            max_rotation_seconds = max_rotation_days * 86400
+            rotation_days = (
+                int(rotation_seconds // 86400) if rotation_seconds is not None else None
+            )
+
+            if rotation_seconds is None:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Secret {secret.name} does not have automatic rotation enabled."
+                )
+            elif rotation_seconds > max_rotation_seconds:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Secret {secret.name} has rotation enabled but the period "
+                    f"({rotation_days} days) exceeds the {max_rotation_days}-day maximum."
+                )
+            elif rotation_overdue:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Secret {secret.name} has rotation configured "
+                    f"({rotation_days} days) but the scheduled rotation is overdue."
+                )
+            else:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Secret {secret.name} has automatic rotation enabled "
+                    f"with a period of {rotation_days} days."
+                )
+
+            findings.append(report)
+
+        return findings
@@ -1,3 +1,5 @@
+from typing import Optional
+
 from pydantic.v1 import BaseModel
 
 from prowler.lib.logger import logger
@@ -33,11 +35,14 @@ def _get_secrets(self) -> None:
                 while request is not None:
                     response = request.execute(num_retries=DEFAULT_RETRY_ATTEMPTS)
                     for secret in response.get("secrets", []):
+                        rotation = secret.get("rotation") or {}
                         self.secrets.append(
                             Secret(
                                 id=secret["name"],
                                 name=secret["name"].split("/")[-1],
                                 project_id=project_id,
+                                rotation_period=rotation.get("rotationPeriod"),
+                                next_rotation_time=rotation.get("nextRotationTime"),
                             )
                         )
                     request = (
@@ -84,4 +89,6 @@ class Secret(BaseModel):
     name: str
     project_id: str
     location: str = "global"
+    rotation_period: Optional[str] = None
+    next_rotation_time: Optional[str] = None
     publicly_accessible: bool = False
@@ -92,6 +92,7 @@ def test_gcp_provider(self):
                 "shodan_api_key": None,
                 "max_unused_account_days": 180,
                 "storage_min_retention_days": 90,
+                "secretmanager_max_rotation_days": 90,
                 "mig_min_zones": 2,
                 "max_snapshot_age_days": 90,
             }
Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ def test_gcp_provider(self):`
`92`	`92`	`"shodan_api_key": None,`
`93`	`93`	`"max_unused_account_days": 180,`
`94`	`94`	`"storage_min_retention_days": 90,`
	`95`	`+ "secretmanager_max_rotation_days": 90,`
`95`	`96`	`"mig_min_zones": 2,`
`96`	`97`	`"max_snapshot_age_days": 90,`
`97`	`98`	`}`