Running everything in a VPC - AWS Secrets Manager


Whenever possible, you should run as much of your infrastructure as you can on private networks that are not reachable from the public internet. To do this, host your servers and services in a virtual private cloud (VPC) provided by Amazon VPC. AWS provides a virtualized private network accessible only to the resources in your account. The public internet can't view or access it unless you explicitly configure access; for example, you could add a NAT gateway. For complete information about Amazon VPC, see the Amazon VPC User Guide.

To enable secret rotation within a VPC environment, perform these steps:

  1. Configure your Lambda rotation function to run within the same VPC as the database server or service with a rotated secret. For more information, see Configuring a Lambda Function to Access Resources in an Amazon VPC in the AWS Lambda Developer Guide.

  2. The Lambda rotation function, now running from within your VPC, must be able to access a Secrets Manager service endpoint. If the VPC has no direct Internet connectivity, then you can configure your VPC with a private Secrets Manager endpoint accessible by all of the resources in your VPC. For details, see VPC.
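The two steps above, expressed as an added Terraform example (this is not configuration from the AWS documentation or from the Secrets Manager service itself). It assumes an existing VPC, a set of private subnets, an existing security group on the database, and a packaged rotation function in `rotation.zip`; the variable names, resource names and the list of Secrets Manager actions in the endpoint policy are this example's own choices. The endpoint policy that limits the endpoint to the rotation role is a tightening beyond what the page describes, added because an interface endpoint otherwise accepts calls from any principal that can reach it inside the VPC.

```hcl
# Added example, not from the AWS documentation page. Assumed inputs:
variable "region"               { default = "us-east-1" }
variable "vpc_id"               {}
variable "private_subnet_ids"   { type = list(string) }
variable "db_security_group_id" {}   # existing SG attached to the database
variable "db_port"              { default = 5432 }

# Step 1: run the rotation function inside the VPC.
resource "aws_iam_role" "rotation" {
  name = "secrets-rotation-lambda"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

# Lets Lambda create the ENIs it needs to attach to the private subnets.
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.rotation.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Security group for the function: no inbound rules at all; outbound only to
# the database port and to the Secrets Manager endpoint on 443 (rules below).
resource "aws_security_group" "rotation_lambda" {
  name   = "secrets-rotation-lambda"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "lambda_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.rotation_lambda.id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = var.db_security_group_id
}

# The database must accept connections from the rotation function's SG.
resource "aws_security_group_rule" "db_from_lambda" {
  type                     = "ingress"
  security_group_id        = var.db_security_group_id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rotation_lambda.id
}

resource "aws_lambda_function" "rotation" {
  function_name = "secrets-rotation"
  role          = aws_iam_role.rotation.arn
  runtime       = "python3.12"
  handler       = "lambda_function.lambda_handler"   # assumed handler name
  filename      = "rotation.zip"                      # assumed package
  timeout       = 30
  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [aws_security_group.rotation_lambda.id]
  }
}

# Secrets Manager must be allowed to invoke the function on the rotation schedule.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.rotation.function_name
  principal     = "secretsmanager.amazonaws.com"
}

# Step 2: private Secrets Manager endpoint, since the subnets have no internet route.
resource "aws_security_group" "secretsmanager_endpoint" {
  name   = "secretsmanager-endpoint"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "endpoint_from_lambda" {
  type                     = "ingress"
  security_group_id        = aws_security_group.secretsmanager_endpoint.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rotation_lambda.id
}

resource "aws_security_group_rule" "lambda_to_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.rotation_lambda.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.secretsmanager_endpoint.id
}

resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.secretsmanager_endpoint.id]
  # With private DNS, the SDK's default secretsmanager.<region>.amazonaws.com
  # name resolves to the endpoint ENIs, so the function needs no endpoint override.
  private_dns_enabled = true
  # Endpoint policy (added hardening): only the rotation role may use this endpoint,
  # and only for the calls a rotation function makes.
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.rotation.arn }
      Action    = ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
                   "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage",
                   "secretsmanager:GetRandomPassword"]
      Resource  = "*"
    }]
  })
}
```

The role still needs an identity policy granting the same Secrets Manager actions on the specific secret's ARN, and the secret's rotation configuration itself (schedule and function ARN) is set on the secret resource; both are left out here. A quick check that step 2 is actually in effect: from an instance in one of the private subnets, resolving `secretsmanager.<region>.amazonaws.com` should return addresses inside the VPC's CIDR rather than public ones, and a rotation run should leave no traffic on any NAT gateway.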