Secret Rotation

What is Secret Rotation?

Secret Rotation is the process of periodically updating secrets to reduce the risk of compromise. AWS Secrets Manager provides automatic rotation capabilities using Lambda functions to update secrets and their corresponding resources.

Automatic Rotation: Built-in for RDS, DocumentDB, Redshift

Custom Rotation: User-defined Lambda functions for any service

Zero Downtime: Multi-user rotation strategy available

Rotation Process

1Create Secret

Generate new credentials with AWSPENDING label

2Set Secret

Update the service with new credentials

3Test Secret

Validate new credentials work correctly

4Finish Secret

Move AWSPENDING to AWSCURRENT label

Amazon RDS

MySQL
PostgreSQL
Oracle
SQL Server
MariaDB

DocumentDB

MongoDB-compatible
Cluster credentials
User management
Connection strings

Redshift

Cluster passwords
User credentials
JDBC/ODBC strings
Serverless workgroups

Custom Services

API keys
OAuth tokens
SSH keys
Custom applications

Enable Rotation

                            aws secretsmanager rotate-secret \

                              --secret-id "prod/myapp/db" \

                              --rotation-lambda-arn "arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRotation" \

                              --rotation-rules AutomaticallyAfterDays=30

Timing

Set rotation intervals (1-365 days)
Consider business hours
Allow sufficient time
Monitor rotation windows

Security

Use multi-user rotation
Proper IAM permissions
Encrypt Lambda variables
Use VPC endpoints

Error Handling

Comprehensive error handling
CloudWatch alarms for failures
Rollback procedures
Test rotation functions

Exam Strategy Tip

Remember: Automatic rotation is only available for RDS, DocumentDB, and Redshift. All other services require custom Lambda functions. Multi-user rotation provides zero downtime by alternating between two users.

Back to Fundamentals Next: Access Control