AWS Secrets Manager Infographic

AWS Secrets Manager

Automatic Rotation: Zero-Downtime Security for Database Credentials

The Ingredients

The Secret Vault

AWS Secrets Manager stores your DB host, username, and initial password as a JSON object.

The Lambda Rotator

A serverless function that handles the logic of changing the password in the DB and updating the secret.

The Target DB

Amazon RDS, Redshift, or DocumentDB. The resource where credentials must be rotated.

The 4-Step Rotation Process

How AWS ensures security without breaking your application

[Diagram: Secrets Manager -> Lambda Function -> Target Database, with the arrows labelled 1. Trigger, 2. Set Password, 3. Verify & Store]
Step 1: Create Secret Version

Secrets Manager creates a new version of the secret with a new password, marked as AWSPENDING.

Step 2: Set Database Password

Lambda uses the AWSPENDING credentials to change the password directly on the database instance.

Step 3: Test New Credentials

The Lambda function attempts to log in to the DB using the new password to ensure it works correctly.

Step 4: Finish Rotation

The AWSCURRENT label is moved onto the new version (replacing its AWSPENDING label), so clients that fetch the secret from now on receive the new password. The old password is now deprecated.

Enhanced Security

Reduces the “blast radius” of compromised credentials by limiting their lifespan.

Fully Managed

Built-in templates for RDS (MySQL, PostgreSQL, SQL Server) make setup a breeze.

Custom Schedules

Rotate every 30 days, or every 24 hours. You define the window and frequency.

No Hardcoding

Applications fetch the current secret via the API at runtime, so they always receive the latest credentials rather than a value baked into code or configuration.
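Fetching via the API is only half of "no hardcoding": an application that cached the secret before step 4 still holds the old password for a short window after rotation. The following is an added example, not from the infographic, of a consumer that caches the AWSCURRENT value, refreshes it on expiry, and re-fetches once when the database rejects a cached password. The client is injected so it runs offline (the `FakeClient` is constructed here); in production pass `boto3.client("secretsmanager")`, whose `get_secret_value` takes the same `SecretId` and `VersionStage` arguments.

```python
"""Application-side consumption of a rotated secret (added example)."""
import json
import time


class SecretCache:
    """Caches one secret's AWSCURRENT value with a TTL and a forced-refresh path."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client, self._id, self._ttl, self._clock = client, secret_id, ttl_seconds, clock
        self._value, self._expires = None, 0.0
        self.fetches = 0  # how often the API was actually called

    def get(self, force_refresh=False):
        if force_refresh or self._value is None or self._clock() >= self._expires:
            resp = self._client.get_secret_value(SecretId=self._id, VersionStage="AWSCURRENT")
            self._value = json.loads(resp["SecretString"])
            self._expires = self._clock() + self._ttl
            self.fetches += 1
        return self._value


def connect_with_refresh(cache, try_login):
    """try_login(creds) -> bool stands in for opening a DB connection.
    Returns the credentials that worked; refreshes once on an auth failure,
    which is exactly what a client sees right after step 4 of a rotation."""
    creds = cache.get()
    if try_login(creds):
        return creds
    creds = cache.get(force_refresh=True)  # cached copy may predate the rotation
    if try_login(creds):
        return creds
    raise PermissionError("database rejected credentials even after refreshing the secret")


class FakeClient:
    """Constructed stand-in for boto3's get_secret_value: serves the 'current' value."""

    def __init__(self, secret):
        self.secret = dict(secret)

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        return {"SecretString": json.dumps(self.secret)}
```

The single forced refresh is deliberate: it distinguishes "my cache is stale" (refresh fixes it) from "the credentials are genuinely wrong" (refresh does not), and it avoids hammering the Secrets Manager API in a retry loop when the latter is the case.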

AWS Cloud Security Architecture • Educational Guide • 2024
