Secrets Rotation - AWS SysOps Administrator Associate
What is Secrets Rotation?
Secrets rotation is the practice of periodically updating credentials, API keys, passwords, and other sensitive information to reduce the risk of unauthorized access. In AWS, this is primarily managed through AWS Secrets Manager, which automates the process of rotating secrets for supported AWS services and custom applications.
Why is Secrets Rotation Important?
• Reduces exposure window: If credentials are compromised, regular rotation limits how long an attacker can use them
• Compliance requirements: Many regulatory frameworks (PCI-DSS, HIPAA, SOC 2) mandate regular credential rotation
• Minimizes human error: Automation eliminates manual rotation mistakes
• Enforces security best practices: Ensures credentials don't remain static for extended periods
How Secrets Rotation Works in AWS
AWS Secrets Manager Rotation Process:
1. Create Secret: Store your secret in AWS Secrets Manager
2. Enable Rotation: Configure automatic rotation with a rotation schedule (e.g., every 30 days)
3. Lambda Function: Secrets Manager uses a Lambda function to perform the actual rotation
4. Rotation Steps:
- createSecret: Creates a new version of the secret
- setSecret: Updates the credential in the database or service
- testSecret: Validates the new credential works
- finishSecret: Marks the new version as current
Supported Services for Automatic Rotation:
• Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB)
• Amazon Aurora
• Amazon Redshift
• Amazon DocumentDB
• Custom databases and services (using custom Lambda functions)
Key Configuration Elements:
• Rotation interval: Minimum 4 hours, maximum 365 days
• Rotation Lambda: Executes the rotation logic
• Staging labels: AWSCURRENT (active), AWSPENDING (being rotated), AWSPREVIOUS (previous version)
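The four rotation steps and the staging-label hand-off above, as an added example that is not AWS's own rotation template: a handler in the shape Secrets Manager invokes (event carrying SecretId, ClientRequestToken and Step), run against a constructed in-memory stand-in for the Secrets Manager API and a dict standing in for the database, so it executes offline. The ARN, token values and the stand-in class are assumptions; the AWS API method names mirror the real boto3 calls.

```python
import secrets

CURRENT, PENDING, PREVIOUS = "AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"


class FakeSecretsManager:
    """Constructed in-memory stand-in for the Secrets Manager calls a rotation Lambda makes."""

    def __init__(self, current_value):
        self.versions = {"v0": {"value": current_value, "labels": {CURRENT}}}

    def get_secret_value(self, SecretId, VersionStage=None, VersionId=None):
        for vid, v in self.versions.items():
            if vid == VersionId or VersionStage in v["labels"]:
                return {"VersionId": vid, "SecretString": v["value"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "labels": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["labels"].discard(VersionStage)
            if VersionStage == CURRENT:  # the service re-labels the demoted version AWSPREVIOUS
                self.versions[RemoveFromVersionId]["labels"].add(PREVIOUS)
        self.versions[MoveToVersionId]["labels"].add(VersionStage)


def lambda_handler(event, context, sm, db):
    """One rotation step; Secrets Manager invokes the function once per step with the same token."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        try:  # idempotent: a retry must not mint a second pending password
            sm.get_secret_value(arn, VersionId=token)
        except LookupError:
            sm.put_secret_value(arn, token, secrets.token_urlsafe(24), [PENDING])
    elif step == "setSecret":  # push the pending credential to the database (single-user strategy)
        db["password"] = sm.get_secret_value(arn, VersionId=token)["SecretString"]
    elif step == "testSecret":  # prove the new credential works before it becomes AWSCURRENT
        if db["password"] != sm.get_secret_value(arn, VersionId=token)["SecretString"]:
            raise RuntimeError("pending credential rejected; rotation halted")
    elif step == "finishSecret":  # promote AWSPENDING to AWSCURRENT; old version becomes AWSPREVIOUS
        old = sm.get_secret_value(arn, VersionStage=CURRENT)["VersionId"]
        if old != token:
            sm.update_secret_version_stage(arn, CURRENT, token, RemoveFromVersionId=old)


def rotate(sm, db, token, arn="arn:aws:secretsmanager:REGION:ACCOUNT:secret:example"):
    """Drive all four steps in order, as the service would, and return the label map (assumed ARN)."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": arn, "ClientRequestToken": token, "Step": step}, None, sm, db)
    return {vid: sorted(v["labels"]) for vid, v in sm.versions.items()}
```

A failing testSecret raises before finishSecret runs, so AWSCURRENT keeps pointing at the old, still-working version; that is the behaviour to look for when a rotation reports failure.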
Multi-User Rotation Strategy:
• Uses two users that alternate during rotation
• Ensures continuous availability during the rotation process
• Recommended for high-availability applications
Single-User Rotation Strategy:
• Updates credentials for a single user
• May cause brief connectivity issues during rotation
• Simpler setup but less resilient
Exam Tips: Answering Questions on Secrets Rotation
1. Know the Key Services:
• AWS Secrets Manager is the primary service for secrets rotation
• AWS Systems Manager Parameter Store does NOT support automatic rotation natively
• Lambda functions are essential for the rotation mechanism
2. Understand Rotation Scenarios:
• For RDS credentials requiring automatic rotation → AWS Secrets Manager
• For high-availability requirements → Multi-user rotation strategy
• For compliance requirements mandating credential rotation → Secrets Manager with scheduled rotation
3. Remember These Facts:
• Secrets Manager charges per secret per month plus per 10,000 API calls
• CloudTrail logs all Secrets Manager API calls for auditing
• Cross-account access is possible using resource-based policies
• Secrets can be replicated across regions for disaster recovery
4. Common Exam Scenarios:
• Application needs database credentials rotated every 30 days → Enable rotation in Secrets Manager
• Need to audit who accessed secrets → Review CloudTrail logs
• Application experiencing connection failures after rotation → Check Lambda function permissions and security group rules
• Need encryption at rest for secrets → Secrets Manager uses KMS encryption by default
5. Watch for Distractors:
• Parameter Store SecureString is encrypted but lacks native rotation
• IAM access keys have their own rotation mechanism separate from Secrets Manager
• KMS key rotation is different from secrets rotation
6. Troubleshooting Knowledge:
• Failed rotations often relate to Lambda permissions or network connectivity
• The Lambda function needs appropriate IAM permissions and VPC access if the database is in a VPC
• Check CloudWatch Logs for Lambda execution errors during rotation failures