AWS Secrets Manager
User Guide


Configuring Your Network to Support Rotating Secrets

To rotate a secret successfully, the Lambda rotation function must be able to reach two things: the protected database or service, and the AWS Secrets Manager service itself. The function connects to your database or other service to set the user's password to a new value, and it calls Secrets Manager API operations to retrieve and update the secret versions involved in the rotation. If your Amazon RDS instance or other secret-protected service runs in a virtual private cloud (VPC) provided by Amazon VPC, you must take the following high-level steps to provide both paths.

  • Configure your Lambda rotation function to enable communications between the function and the database instance. If you use one of the database services that are fully supported by Secrets Manager, then the AWS CloudFormation template that creates your function determines whether your database instance is publicly accessible.

    • If your protected service is running in a VPC and isn't publicly accessible, then the AWS CloudFormation template configures the Lambda rotation function to run in the same VPC. In this scenario, the rotation function can communicate with the protected service directly within the VPC.

    • If your protected service is publicly accessible, whether or not it is in a VPC, then the AWS CloudFormation template configures the Lambda rotation function not to run in a VPC. In this scenario, the Lambda rotation function communicates with the protected service through the publicly accessible connection point.

    If you configure your rotation function manually and want to run it in a VPC, then on the function's Details page scroll down to the Networking section and choose the VPC, the subnets (private subnets that can reach the database), and a security group that the database's security group allows inbound connections from on the database port. The function's execution role must also allow Lambda to create the network interfaces it needs in those subnets (for example, the AWSLambdaVPCAccessExecutionRole managed policy).

  • Configure your VPC to enable communications between the Lambda rotation function running in a VPC and the Secrets Manager service endpoint. By default, the Secrets Manager endpoints are on the public Internet, and a function attached to a private subnet has no route to them. If your Lambda rotation function and protected database or service are both running in a VPC, then you must perform one of the following steps:

    • You can enable your Lambda function to reach the public Secrets Manager endpoint by adding a NAT gateway to your VPC and routing the function's subnets through it. This lets traffic that originates in your VPC reach the public Secrets Manager endpoint. It also widens your exposure: the NAT gateway's route gives every resource in those subnets general outbound access to the public internet, not just the rotation function, which is a data exfiltration path that a private-only VPC did not have. Unless you also add egress controls, prefer the next option.

    • You can create a Secrets Manager interface endpoint (AWS PrivateLink) directly within your VPC. With private DNS enabled on the endpoint, the regional endpoint name (secretsmanager.region.amazonaws.com) resolves inside your VPC to the endpoint's private IP addresses, so the function's unmodified AWS SDK calls reach Secrets Manager over the VPC network without traversing the public internet. The endpoint's security group must allow TCP port 443 from the rotation function's security group. For more details, see Connecting to Secrets Manager Through a VPC Endpoint.
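The following AWS CloudFormation template is an added example of the private-endpoint option above, combined with the in-VPC function configuration from the first step. It is not the rotation template that Secrets Manager generates for you. It assumes an existing VPC, two private subnets without an internet route, an RDS security group, and a packaged rotation function already uploaded to S3; all of those are passed in as parameters, and the resource names and the database port default are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the Secrets Manager-generated template): a rotation
  function that runs in the VPC and reaches Secrets Manager through an
  interface endpoint instead of a NAT gateway. Names are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # subnets with no route to an internet gateway
  DatabaseSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id  # group attached to the RDS instance
  DatabasePort:
    Type: Number
    Default: 5432                      # assumption: PostgreSQL
  SecretArn:
    Type: String                       # the one secret this function may rotate
  CodeS3Bucket:
    Type: String                       # assumed: packaged rotation code lives here
  CodeS3Key:
    Type: String

Resources:
  # Group for the function's network interfaces. Lambda only makes outbound
  # connections, so no ingress rule is needed. Egress is left at the default;
  # the private subnets have no internet route, so it can only reach the VPC.
  RotationFunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Secrets Manager rotation function
      VpcId: !Ref VpcId

  # Only the rotation function may talk to the endpoint interfaces, on 443.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Secrets Manager interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref RotationFunctionSecurityGroup

  # Open the database port to the function without touching the rest of the
  # database group's rules.
  DatabaseIngressFromRotation:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DatabaseSecurityGroupId
      IpProtocol: tcp
      FromPort: !Ref DatabasePort
      ToPort: !Ref DatabasePort
      SourceSecurityGroupId: !Ref RotationFunctionSecurityGroup

  # Interface endpoint with private DNS: secretsmanager.<region>.amazonaws.com
  # resolves to in-VPC addresses, so the function's SDK needs no changes.
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup

  RotationFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Lets Lambda create and manage the ENIs it needs to run in the VPC.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: rotate-one-secret
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:DescribeSecret
                  - secretsmanager:GetSecretValue
                  - secretsmanager:PutSecretValue
                  - secretsmanager:UpdateSecretVersionStage
                Resource: !Ref SecretArn
              - Effect: Allow
                Action: secretsmanager:GetRandomPassword   # not resource-scoped
                Resource: '*'

  RotationFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: lambda_function.lambda_handler
      Role: !GetAtt RotationFunctionRole.Arn
      Code:
        S3Bucket: !Ref CodeS3Bucket
        S3Key: !Ref CodeS3Key
      Timeout: 30
      VpcConfig:                       # the manual "Networking" settings
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds:
          - !Ref RotationFunctionSecurityGroup

  # Secrets Manager invokes the function for each rotation step.
  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref RotationFunction
      Action: lambda:InvokeFunction
      Principal: secretsmanager.amazonaws.com
```

Two checks are worth making after the stack deploys: from an instance in one of the private subnets, confirm that `secretsmanager.<region>.amazonaws.com` resolves to addresses inside the VPC CIDR (if it still resolves to public addresses, private DNS is not in effect and the function will time out), and confirm that the route table of those subnets has no `0.0.0.0/0` route to a NAT gateway or internet gateway, since that is the egress path this design is meant to avoid.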