What it audits

  • Rotation status: Secrets that have never rotated, have rotation disabled, or are overdue based on your policy
  • Unused secrets: Secrets with no recent access, candidates for deletion or archiving
  • Resource policy coverage: Secrets without restrictive resource policies, accessible to broader principals than intended
  • Access patterns: Unusual access frequency, cross-account access, and access from unexpected principals
  • Naming and tagging: Secrets that don't conform to organizational naming conventions or lack required tags
  • Replication and redundancy: Secrets missing cross-region replication where required by architecture
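
As an added illustration (not Redactus code, which this page does not show), the rotation, unused-secret and tagging checks above can be run over records shaped like the AWS Secrets Manager `ListSecrets` response. The thresholds, required tags and sample secrets are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (hypothetical, not taken from the page).
MAX_ROTATION_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=180)
REQUIRED_TAGS = {"owner", "environment"}

def d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)

def audit_secret(secret, now):
    """Return sorted finding labels for one ListSecrets-shaped record."""
    findings = set()
    if not secret.get("RotationEnabled", False):
        findings.add("rotation-disabled")
    last_rotated = secret.get("LastRotatedDate")
    if last_rotated is None:
        findings.add("never-rotated")
    elif now - last_rotated > MAX_ROTATION_AGE:
        findings.add("rotation-overdue")
    # A secret with no recorded access is measured from its creation date,
    # so a secret created last week is not reported as unused.
    reference = secret.get("LastAccessedDate") or secret.get("CreatedDate")
    if reference is None or now - reference > MAX_IDLE:
        findings.add("unused")
    tags = {t["Key"] for t in secret.get("Tags", [])}
    if REQUIRED_TAGS - tags:
        findings.add("missing-tags")
    return sorted(findings)

def audit(secrets, now):
    return {s["Name"]: audit_secret(s, now) for s in secrets}

# Constructed sample records; in practice these come from ListSecrets pages.
BOTH = [{"Key": "owner", "Value": "x"}, {"Key": "environment", "Value": "y"}]
NOW = d(2024, 6, 1)
SAMPLE = [
    {"Name": "prod/db/password", "RotationEnabled": True, "CreatedDate": d(2022, 1, 1),
     "LastRotatedDate": d(2024, 5, 10), "LastAccessedDate": d(2024, 5, 31), "Tags": BOTH},
    {"Name": "legacy/api-key", "RotationEnabled": False, "CreatedDate": d(2021, 3, 1),
     "LastAccessedDate": d(2022, 2, 1), "Tags": BOTH[:1]},
    {"Name": "staging/oauth-client", "RotationEnabled": True, "CreatedDate": d(2023, 1, 1),
     "LastRotatedDate": d(2023, 11, 1), "LastAccessedDate": d(2024, 5, 20), "Tags": BOTH},
    {"Name": "new/unread-token", "RotationEnabled": False, "CreatedDate": d(2024, 5, 25),
     "Tags": BOTH},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, NOW).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```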

Where it came from

Managing AWS environments for clients, I kept running into the same thing: nobody really knew what state their secrets were in. Rotation disabled. Resource policies looser than anyone realized. Secrets that hadn't been touched in years. The native tooling tells you what's there, not what's wrong with it.

Redactus is what I built to answer that question. It's in development.

Get notified at launch

I'll send you a note when Redactus is ready. No drip sequence.