Automatically rotate an Amazon RDS, Amazon DocumentDB, or Amazon Redshift secret - AWS Secrets Manager

Automatically rotate an Amazon RDS, Amazon DocumentDB, or Amazon Redshift secret

Secrets Manager provides complete rotation templates for Amazon RDS, Amazon DocumentDB, and Amazon Redshift secrets. For other types of secrets, see Automatically rotate another type of secret.

Another way to automatically rotate a secret is to use AWS CloudFormation to create the secret, and include AWS::SecretsManager::RotationSchedule. See Automate secret creation in AWS CloudFormation.

There are two Rotation strategies available as rotation templates: single user and alternating users. You can also Customize a rotation function.

Before you begin, you need the following:

To turn on rotation for an Amazon RDS, Amazon DocumentDB, or Amazon Redshift secret (console)

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. On the Secrets page, choose your secret.

  3. On the Secret details page, in the Rotation configuration section, choose Edit rotation.

  4. In the Edit rotation configuration dialog box, do the following:

    1. Choose Enable automatic rotation.

    2. For Select rotation interval, choose the number of days to keep the secret before rotating it.

      If you use Alternating users rotation strategy, the credentials in the previous version of the secret are still valid and can be used to access the database or service. To meet compliance requirements, you might need to rotate your secrets more often. For example, if your credential lifetime maximum is 90 days, then we recommend you set your rotation interval to 44 days. That way both users' credentials will be updated within 90 days.

    3. Do one of the following:

      • To have Secrets Manager create a rotation function for you based on the Rotation function templates for your secret, choose Create a new Lambda function and enter a name for your new function. Secrets Manager adds "SecretsManager" to the beginning of your function name.

      • To use a rotation function that you or Secrets Manager already created, choose Use an existing Lambda function. You can reuse a rotation function you used for another secret if the rotation strategy is the same.

    4. For Select which secret will be used to perform the rotation, do one of the following:

For help resolving common rotation issues, see Troubleshoot AWS Secrets Manager rotation of secrets.

AWS SDK and AWS CLI

To turn on rotation, see: