By UATeam in AWS

AWS Secrets Manager Rotation Example: A Step-by-Step Guide

AWS Secrets Manager simplifies the management and automatic rotation of secrets, such as database credentials, API keys, and other sensitive information. With automatic rotation, you can enhance security by periodically updating secrets without manual intervention. This article provides a practical example of setting up AWS Secrets Manager to automatically rotate secrets for an Amazon RDS database.

What Is AWS Secrets Manager?

AWS Secrets Manager is a managed service that helps:

  • Securely store and retrieve secrets.
  • Automatically rotate secrets based on a defined schedule.
  • Integrate seamlessly with AWS services like RDS, Lambda, and IAM.

AWS Secrets Manager Rotation Example

Objective

We’ll configure AWS Secrets Manager to:

  1. Store database credentials for an Amazon RDS instance.
  2. Automatically rotate the credentials using a Lambda function.

Step 1: Create a Secret in AWS Secrets Manager

  1. Navigate to the AWS Secrets Manager Console:
    • Go to AWS Management ConsoleSecrets ManagerStore a New Secret.
  2. Store the Secret:
    • Secret Type: Select Credentials for RDS database.
    • Database Credentials: Enter the username and password for your RDS database.
    • Encryption Key: Use the default AWS-managed key or a custom KMS key.
  3. Select the Target Database:
    • Choose your RDS instance from the dropdown menu.
  4. Secret Name:
    • Provide a descriptive name (e.g., RDS/MyDatabase/Secret).
  5. Save the Secret:
    • Complete the setup and save the secret.

Step 2: Enable Secret Rotation

  1. Select the Secret:
    • In the Secrets Manager Console, select the secret you created.
  2. Enable Automatic Rotation:
    • Click Edit RotationEnable Automatic Rotation.
  3. Configure Rotation Settings:
    • Rotation Interval: Set the rotation frequency (e.g., 30 days).
    • Rotation Function: Create a new Lambda function.
  4. Create the Rotation Lambda Function:
    • Select Create a New Lambda Function.
    • AWS will generate a default Lambda function template for rotating RDS credentials.

Step 3: Review and Customize the Rotation Lambda Function

  1. Navigate to the Lambda Console:
    • Open the Lambda function created by Secrets Manager.
  2. Understand the Default Template:
    • The template includes logic to:
      • Retrieve the current secret.
      • Generate a new secret.
      • Update the database with the new credentials.
      • Set the new secret as the active version.
  3. Customize If Needed:
    • Modify the function to handle custom database configurations or additional validations.

Step 4: Test the Rotation

  1. Manually Trigger a Rotation:
    • In the Secrets Manager Console, select your secret → Rotate SecretStart Rotation Now.
  2. Verify the Rotation:
    • Check that the secret's version is updated and the database credentials are successfully changed.
  3. Monitor Logs:
    • Use CloudWatch Logs to troubleshoot and verify successful execution of the Lambda function.

Best Practices for Secrets Rotation

  1. Use Least Privilege IAM Roles:
    • Grant the Lambda function access only to the necessary resources (Secrets Manager and RDS).
  2. Monitor Rotation Activity:
    • Enable logging in CloudWatch to monitor secret rotation and troubleshoot issues.
  3. Test Rotations Regularly:
    • Periodically trigger manual rotations to ensure configurations are working correctly.
  4. Secure Access:
    • Use AWS KMS to encrypt secrets and control access to them.

Benefits of AWS Secrets Manager Rotation

  1. Improved Security:
    • Regularly changing credentials reduces the risk of unauthorized access.
  2. Automation:
    • Eliminate manual effort by automating secret updates and application integration.
  3. Integration:
    • Works seamlessly with AWS services like Lambda, RDS, and EC2.

Conclusion

AWS Secrets Manager's rotation feature ensures that sensitive credentials are updated and managed securely. This example demonstrated how to configure automatic rotation for RDS credentials, monitor its execution, and implement best practices for secret management. By leveraging Secrets Manager, you can improve security and streamline credential management across your AWS environment.