Using AWS Lambda to rotate secrets - AWS Prescriptive Guidance

Using AWS Lambda to rotate secrets

The AWS Well-Architected Framework recommends that you store and use secrets securely. This best practice recommends that you automate the rotation of credentials at regular intervals. Rotation is the process of periodically updating a secret to make it more difficult for an attacker to access the credentials. Many compliance frameworks and regulations also require that you rotate secrets.

For Terraform IaC, you can use AWS Secrets Manager and AWS Lambda to establish automated rotation. In Secrets Manager, you can set up automatic rotation for your secrets. When Secrets Manager rotates a secret, it updates the credentials in both the secret and the database or service.

For databases, we recommend that you manage the primary credentials in Secrets Manager and rotate the secrets at a regular interval. Secrets Manager provides rotation function templates for Lambda for several types of database credentials. For more information, see AWS Secrets Manager rotation function templates in the Secrets Manager documentation and see the code samples in GitHub. The following is an example of Terraform IaC that you can use to rotate secrets or sensitive data.

# Attach a rotation schedule to the secret only when rotation is enabled
# for this deployment (count = 0 removes the resource entirely).
resource "aws_secretsmanager_secret_rotation" "createrotation" {
  count               = var.needrotation == true ? 1 : 0
  secret_id           = aws_secretsmanager_secret.initiatesecret.id
  # Lambda function that Secrets Manager invokes for each rotation step
  rotation_lambda_arn = aws_lambda_function.rotationlambda.arn

  rotation_rules {
    automatically_after_days = 1
  }
}
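The rotation resource above only works if Secrets Manager is allowed to invoke the function and the function is allowed to read and write the secret's versions. The following added Terraform (not part of the guide's sample) shows the two pieces that usually go with it; it reuses the names from the sample and assumes an execution role named aws_iam_role.rotationlambda, which is a hypothetical name.

```hcl
# Resource-based permission so that Secrets Manager can call the rotation
# Lambda. source_arn restricts the grant to this one secret.
resource "aws_lambda_permission" "allow_secretsmanager" {
  count         = var.needrotation == true ? 1 : 0
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.rotationlambda.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.initiatesecret.arn
}

# Least-privilege identity policy for the rotation function's execution role:
# it may only manage versions and staging labels of this secret, and only
# while it is the registered rotation Lambda for that secret.
data "aws_iam_policy_document" "rotation" {
  statement {
    sid = "SecretsManagerRotation"
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage",
    ]
    resources = [aws_secretsmanager_secret.initiatesecret.arn]
    condition {
      test     = "StringEquals"
      variable = "secretsmanager:resource/AllowRotationLambdaArn"
      values   = [aws_lambda_function.rotationlambda.arn]
    }
  }

  # Generating a new random password is not scoped to a secret ARN.
  statement {
    sid       = "GetRandomPassword"
    actions   = ["secretsmanager:GetRandomPassword"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "rotation" {
  name   = "rotation-lambda-secretsmanager"
  # Assumed: aws_iam_role.rotationlambda is the function's execution role.
  role   = aws_iam_role.rotationlambda.id
  policy = data.aws_iam_policy_document.rotation.json
}
```

The function also needs network access to the database and to the Secrets Manager endpoint (the VPC endpoint in the diagram below), which is configured on the Lambda function and its security group rather than here.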

The following architecture diagram shows how you can use Secrets Manager, an Amazon VPC endpoint, and a Lambda function to rotate sensitive data in an AWS account.

Using Lambda to rotate secrets in AWS Secrets Manager