
Managed rotation for AWS Secrets Manager secrets

Some services offer managed rotation, where the managing service itself configures and runs rotation for you. With managed rotation, you don't write, deploy, or grant permissions to an AWS Lambda rotation function: the managing service updates both the secret value and the credential in the database. The following services offer managed rotation:

For all other types of secrets, see Rotate secrets.

Rotation for managed secrets typically completes within one minute. During rotation, new connections that retrieve the secret might get the previous version of the credentials, so an application that has cached the secret can see a password-authentication failure until it fetches the secret again; on such a failure, re-fetch the secret rather than retrying with the cached value. Managed rotation rotates the user that the service manages (typically the master user), so in applications we strongly recommend that you follow the best practice of connecting as a database user created with the minimal privileges required for your application rather than as the master user. For application users, for highest availability, you can use the Alternating users rotation strategy, under which the credentials an application already holds stay valid while the other user is being rotated.
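The stale-read behaviour above is easiest to see with code. The following is an added example, not code from the page or from AWS: it fetches the secret, attempts a connection, and on an authentication failure re-fetches the secret (which returns the new version once the AWSCURRENT label has moved) instead of retrying with the cached password. The `connect(username, password)` callable, the `AuthError` class, and the `FakeDatabase` and `FakeSecretsClient` stand-ins are assumptions constructed so the module runs offline; `secrets_client` only needs boto3's `get_secret_value(SecretId=...)` signature, so a real `boto3.client("secretsmanager")` can be passed in its place.

```python
"""Tolerate a managed-rotation window on the application side (added example)."""
import json
import time


class AuthError(Exception):
    """Raised by the (assumed) connect callable when the database rejects the password."""


def connect_with_refresh(secrets_client, secret_id, connect, max_attempts=3, delay_s=1.0):
    """Fetch AWSCURRENT, try to connect, and on an auth failure re-fetch and retry.

    Returns (connection, attempts_used). Re-fetching is the point: a retry with the
    cached password can never succeed once the database has the new one.
    """
    last_err = None
    for attempt in range(1, max_attempts + 1):
        # get_secret_value without VersionStage returns the AWSCURRENT version.
        resp = secrets_client.get_secret_value(SecretId=secret_id)
        creds = json.loads(resp["SecretString"])
        try:
            return connect(creds["username"], creds["password"]), attempt
        except AuthError as err:
            last_err = err
            if attempt < max_attempts:
                time.sleep(delay_s)  # rotation typically completes within a minute
    raise last_err


class FakeDatabase:
    """Constructed stand-in: accepts exactly one (user, password) pair."""

    def __init__(self, user, password):
        self.user, self.password = user, password

    def connect(self, user, password):
        if (user, password) != (self.user, self.password):
            raise AuthError("password authentication failed for user %r" % user)
        return "conn:%s" % user


class FakeSecretsClient:
    """Constructed stand-in: serves the stale version for the first `stale_reads` calls."""

    def __init__(self, old, new, stale_reads):
        self.old, self.new, self.stale_reads, self.calls = old, new, stale_reads, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        value = self.old if self.calls <= self.stale_reads else self.new
        return {"Name": SecretId, "SecretString": json.dumps(value)}


def demo(stale_reads=1):
    """Simulate a rotation where the database already has the new password
    but the first `stale_reads` secret reads still return the old one."""
    old = {"username": "app_user", "password": "old-pw"}
    new = {"username": "app_user", "password": "new-pw"}
    db = FakeDatabase("app_user", "new-pw")
    client = FakeSecretsClient(old, new, stale_reads)
    conn, attempts = connect_with_refresh(
        client, "prod/app/db", db.connect, max_attempts=3, delay_s=0)
    return conn, attempts, client.calls


if __name__ == "__main__":
    print(demo())
```

With a single stale read the connection succeeds on the second attempt; if every read within `max_attempts` is stale the last `AuthError` propagates, which is the right outcome for a caller that wants to distinguish "rotation still in progress" from a real credential problem.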

To change the schedule for managed rotation (console)
  1. Open the managed secret in the Secrets Manager console. You can follow a link from the managing service, or search for the secret in the Secrets Manager console.

  2. Under Rotation schedule, enter your schedule in UTC in either the Schedule expression builder or as a Schedule expression. Secrets Manager stores your schedule as a rate() or cron() expression. The rotation window automatically starts at midnight UTC unless you specify a Start time. You can rotate a secret as often as every four hours. For more information, see Schedule expressions.

  3. (Optional) For Window duration, choose the length of the window during which you want Secrets Manager to rotate your secret, for example 3h for a three hour window. The window must not extend into the next rotation window. If you don't specify Window duration, for a rotation schedule in hours, the window automatically closes after one hour. For a rotation schedule in days, the window automatically closes at the end of the day.

  4. Choose Save.

To change the schedule for managed rotation (AWS CLI)
  • Call rotate-secret. Note that rotate-secret also starts a rotation immediately by default; pass --no-rotate-immediately if you only want to change the schedule and let the next rotation run in its scheduled window. The following example rotates the secret between 16:00 and 18:00 UTC on the 1st and 15th day of the month. For more information, see Schedule expressions.

    aws secretsmanager rotate-secret \
        --secret-id MySecret \
        --rotation-rules "{\"ScheduleExpression\": \"cron(0 16 1,15 * ? *)\", \"Duration\": \"2h\"}"
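The same schedule change through the SDK, as an added example that is not part of this page or of AWS's own code: it validates the schedule expression and window against the limits stated above (rotation no more often than every four hours; the window must not extend into the next rotation window) before calling boto3's `rotate_secret`, and keeps `RotateImmediately` off so that changing the schedule does not also trigger a rotation right away. Assumptions: boto3 and AWS credentials are only needed when `schedule_rotation()` is called without a `client`; the `FakeSecretsManager` class is a constructed stand-in that records the call so the module runs offline; the cron check only counts the six fields and does not derive a period, so the window check applies to rate() schedules only.

```python
"""Validate and apply a managed-rotation schedule with boto3 (added example)."""
import re

MIN_ROTATION_HOURS = 4
_RATE_RE = re.compile(r"^rate\((\d+) (hour|hours|day|days)\)$")
_CRON_RE = re.compile(r"^cron\(([^)]*)\)$")
_DURATION_RE = re.compile(r"^(\d+)h$")


def build_rotation_rules(schedule_expression, duration=None):
    """Return a RotationRules dict, rejecting inputs Secrets Manager would reject."""
    rate = _RATE_RE.match(schedule_expression)
    cron = _CRON_RE.match(schedule_expression)
    if rate:
        n, unit = int(rate.group(1)), rate.group(2)
        period_hours = n if unit.startswith("hour") else n * 24
        if period_hours < MIN_ROTATION_HOURS:
            raise ValueError("rotation cannot be more frequent than every 4 hours")
    elif cron:
        # Fields: minutes hours day-of-month month day-of-week year
        if len(cron.group(1).split()) != 6:
            raise ValueError("cron() expression needs six fields")
        period_hours = None  # period not derived offline for cron schedules
    else:
        raise ValueError("schedule must be a rate() or cron() expression")

    rules = {"ScheduleExpression": schedule_expression}
    if duration is not None:
        d = _DURATION_RE.match(duration)
        if not d:
            raise ValueError("Duration must look like '2h'")
        if period_hours is not None and int(d.group(1)) >= period_hours:
            raise ValueError("window would extend into the next rotation window")
        rules["Duration"] = duration
    return rules


def schedule_rotation(secret_id, schedule_expression, duration=None,
                      rotate_now=False, client=None):
    """Apply the schedule. rotate_now=False maps to RotateImmediately=False,
    so the API call changes the schedule without starting a rotation (the API
    default is True). No RotationLambdaARN is passed: this is a managed secret."""
    rules = build_rotation_rules(schedule_expression, duration)
    if client is None:
        import boto3  # real call; needs credentials with secretsmanager:RotateSecret
        client = boto3.client("secretsmanager")
    return client.rotate_secret(SecretId=secret_id, RotationRules=rules,
                                RotateImmediately=rotate_now)


class FakeSecretsManager:
    """Constructed stand-in that records the last rotate_secret call."""

    def __init__(self):
        self.last_call = None

    def rotate_secret(self, **kwargs):
        self.last_call = kwargs
        return {"Name": kwargs["SecretId"]}


if __name__ == "__main__":
    fake = FakeSecretsManager()
    schedule_rotation("MySecret", "cron(0 16 1,15 * ? *)", "2h", client=fake)
    print(fake.last_call)
```

Run against the fake, the recorded call carries exactly the rules from the CLI example above plus `RotateImmediately=False`; swap in a real client to apply it.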