Configure automatic rotation - AWS Secrets Manager

Configure automatic rotation


If you enable rotation, Secrets Manager immediately rotates the secret to test the configuration. Ensure that all of your applications that use these credentials are updated to retrieve the credentials from this secret using Secrets Manager. After the initial rotation, Secrets Manager begins rotating the secret according to the schedule you specify.

If your secret contains credentials, you can configure Secrets Manager to automatically rotate those credentials on a schedule that you specify. Rotation helps keep your IT resources and data secure by regularly changing the credentials. This helps to reduce the risk from leaving your credentials unchanged for long periods of time.

To rotate a secret for a non-RDS database or for a custom secret type, you must create and configure an AWS Lambda function that rotates the secrets when triggered. The rotation function updates the credentials on the protected service, and updates the secret to match. Your applications then immediately begin accessing the protected service by using the new credentials contained in the secret.