AWS Secrets Manager
User Guide

Configuring Your Network to Support Rotating Secrets

To successfully rotate your secrets, the Lambda rotation function must be able to communicate with both the protected database or service, and the AWS Secrets Manager service. The rotation function makes calls to your database or other service to request the user's password be updated with a new value. The function also calls Secrets Manager API operations to retrieve and update the secrets involved in the rotation process. If you run your Amazon RDS instance or other secret-protected service in a virtual private cloud (VPC) provided by Amazon VPC, you must take the following high-level steps to enable the required connectivity.

  • Configure your Lambda rotation function to enable communications between the function and the database instance. If you use one of the database services fully supported by Secrets Manager, then the AWS CloudFormation template that creates your function determines if your database instance is publicly accessible.

    • If your protected service runs in a VPC and isn't publicly accessible, then the AWS CloudFormation template configures the Lambda rotation function to run in the same VPC. In this scenario, the rotation function can communicate with the protected service directly within the VPC.

    • If your protected service is publicly accessible, whether or not it is in a VPC, then the AWS CloudFormation template configures the Lambda rotation function not to run in a VPC. In this scenario, the Lambda rotation function communicates with the protected service through the publicly accessible connection point.

    If you configure your rotation function manually and want to put it in a VPC, then on the function's Details page scroll down to the Networking section and choose the appropriate VPC from the list.

  • Configure your VPC to enable communications between the Lambda rotation function running in a VPC and the Secrets Manager service endpoint. By default, the Secrets Manager endpoints reside on the public Internet. If your Lambda rotation function and protected database or service both run in a VPC, then you must perform one of the following steps:

    • You can enable your Lambda function to access the public Secrets Manager endpoint by adding a NAT gateway to your VPC. This enables traffic that originates in your VPC to reach the public Secrets Manager endpoint. This does expose your VPC to a level of risk because an IP address (for the gateway) can be attacked from the public internet.

    • You can configure Secrets Manager service endpoints directly within your VPC. This configures your VPC to intercept any request addressed to the public regional endpoint, and redirect it to the private service endpoint that's running within your VPC. For more details, see Connecting to Secrets Manager Through a VPC Endpoint.
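As an added example that is not part of this guide, the following offline check mirrors the two options above (NAT gateway or interface endpoint) for a rotation function that runs in a VPC. It assumes inputs shaped like the boto3 responses named in the comments; the sample records are constructed and every ID is a placeholder.

```python
# Offline check of the network path a Secrets Manager rotation function needs.
# Inputs mirror boto3's lambda.get_function_configuration(),
# ec2.describe_vpc_endpoints() and ec2.describe_nat_gateways() responses.

def check_rotation_network(func_cfg, endpoints, nat_gateways, region):
    """Return (mode, findings); mode is 'public', 'vpc-endpoint', 'nat' or 'none'."""
    vpc_id = (func_cfg.get("VpcConfig") or {}).get("VpcId")
    if not vpc_id:
        # Not attached to a VPC: the function reaches the public endpoint directly.
        return "public", []
    service = f"com.amazonaws.{region}.secretsmanager"  # interface endpoint name
    findings = []
    matches = [ep for ep in endpoints["VpcEndpoints"]
               if ep["VpcId"] == vpc_id and ep["ServiceName"] == service
               and ep["VpcEndpointType"] == "Interface"]
    if matches:
        ep = matches[0]
        if ep["State"] != "available":
            findings.append(f"{ep['VpcEndpointId']} is in state {ep['State']}")
        if not ep.get("PrivateDnsEnabled"):
            # Without private DNS the SDK's default regional hostname still
            # resolves to the public address, which the VPC cannot reach.
            findings.append(f"{ep['VpcEndpointId']} has private DNS disabled")
        return "vpc-endpoint", findings
    nats = [n for n in nat_gateways["NatGateways"]
            if n["VpcId"] == vpc_id and n["State"] == "available"]
    if nats:
        # Works, but the gateway's public IP is reachable from the internet.
        findings.append(f"{nats[0]['NatGatewayId']} carries API calls via a public IP")
        return "nat", findings
    findings.append("no Secrets Manager endpoint or NAT gateway: API calls will fail")
    return "none", findings


# Constructed sample records; all IDs are placeholders.
REGION = "us-east-1"
FUNC_IN_VPC = {"FunctionName": "rotation-fn", "VpcConfig": {"VpcId": "vpc-0example",
               "SubnetIds": ["subnet-0a"], "SecurityGroupIds": ["sg-0a"]}}
FUNC_PUBLIC = {"FunctionName": "rotation-fn-public", "VpcConfig": {"SubnetIds": []}}
ENDPOINT_OK = {"VpcEndpoints": [{"VpcEndpointId": "vpce-0example", "VpcId": "vpc-0example",
               "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": True,
               "ServiceName": "com.amazonaws.us-east-1.secretsmanager"}]}
ENDPOINT_NO_DNS = {"VpcEndpoints": [dict(ENDPOINT_OK["VpcEndpoints"][0], PrivateDnsEnabled=False)]}
NO_ENDPOINTS = {"VpcEndpoints": []}
NAT_OK = {"NatGateways": [{"NatGatewayId": "nat-0example", "VpcId": "vpc-0example", "State": "available"}]}
NO_NATS = {"NatGateways": []}

if __name__ == "__main__":
    print(check_rotation_network(FUNC_IN_VPC, ENDPOINT_OK, NO_NATS, REGION))
    print(check_rotation_network(FUNC_IN_VPC, NO_ENDPOINTS, NAT_OK, REGION))
```

Against a real account, feed the function the live `describe_*` responses for the rotation function's Region; a `none` result explains a rotation that hangs until the Lambda times out.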