Password rotation - Modular Cloud Studio on AWS

Password rotation

Overview and prerequisites

Password rotation is a critical security practice that helps maintain the integrity of your MCS deployment. AWS Managed Microsoft AD passwords expire every 90 days and must be rotated manually to prevent service disruptions.

Before you begin:

  • Plan this activity during a maintenance window as users may experience temporary authentication issues

  • Ensure you have administrative access to AWS Directory Service, Secrets Manager, and relevant service consoles

Active Directory password rotation

When you create an AWS Managed Microsoft AD through the identity module, three account users are created for authentication throughout the solution:

  • StudioAdmin - Admin user for end-user access

  • SA_AdConnectorUser - Service account for cross-region AD communication

  • SA_McsModulesUser - General service account for MCS modules (e.g., syncing Microsoft AD users with Leostream module)

Step 1: Reset passwords in AWS Managed Microsoft AD

  1. Navigate to the AWS Directory Service console

  2. Locate the AWS Managed Microsoft AD instance associated with MCS (default domain: studio.mcs.internal)

    Tip

    If you’re unsure of the Directory ID, log in to the MCS console via the CloudFront URL, go to the Identity tab, and click External Link.

  3. Click on the Directory ID to open the directory details

  4. Click Actions > Reset User Password

  5. For each user:

    1. Enter the username

    2. Generate a secure password meeting complexity requirements

    3. Enter and confirm the new password

    4. Record the password securely for use in subsequent steps

    5. Click Reset Password

    6. Wait for confirmation message before proceeding to the next user

Step 2: Synchronize password changes

After resetting passwords in Active Directory, you must update the corresponding secrets and configurations in dependent services.

Update AWS Secrets Manager

  1. Navigate to the AWS Secrets Manager console

  2. Update the following secrets with their corresponding new passwords:

    User                 Secret Name Pattern
    StudioAdmin          /[MCSDeploymentId]/Identity/StudioAdminActiveDirectoryLoginCredentials
    SA_AdConnectorUser   /[MCSDeploymentId]/Identity/AdConnectorServiceAccountActiveDirectoryLoginCredentials
    SA_McsModulesUser    /[MCSDeploymentId]/Identity/McsModulesServiceAccountActiveDirectoryLoginCredentials

  3. For each secret:

    1. Click on the secret name

    2. Click Retrieve Secret Value

    3. Update the password field with the corresponding new password

    4. Save the changes
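The three secret updates above can be scripted instead of edited by hand in the console. The following is an added example, not part of the MCS solution: it rewrites only the password field of each secret's JSON value (the key name "password" and the JSON layout are assumptions) using the secret name patterns from the table, and takes any client exposing the get_secret_value and put_secret_value calls of boto3's Secrets Manager client, so the constructed in-memory stand-in below lets it run offline. The same function applies to the Leostream database secret rotated later on this page.

```python
import json

# Secret name patterns from this page; the deployment ID is filled in at runtime.
AD_SECRET_PATTERNS = {
    "StudioAdmin": "/{id}/Identity/StudioAdminActiveDirectoryLoginCredentials",
    "SA_AdConnectorUser": "/{id}/Identity/AdConnectorServiceAccountActiveDirectoryLoginCredentials",
    "SA_McsModulesUser": "/{id}/Identity/McsModulesServiceAccountActiveDirectoryLoginCredentials",
}


def updated_secret_string(current, new_password, field="password"):
    """Return the secret JSON with only `field` replaced; every other key is kept.
    Assumption: the secret value is a JSON object whose password key is "password"."""
    data = json.loads(current)
    if field not in data:
        raise KeyError(f"secret has no {field!r} field; refusing to guess its layout")
    data[field] = new_password
    return json.dumps(data)


def rotate_ad_secrets(client, deployment_id, new_passwords):
    """Write each user's new password into its secret and return the secret IDs written.
    `client` needs boto3's get_secret_value / put_secret_value calls (or a fake)."""
    unknown = set(new_passwords) - set(AD_SECRET_PATTERNS)
    if unknown:
        raise ValueError(f"no secret pattern for users: {sorted(unknown)}")
    written = []
    for user, password in new_passwords.items():
        secret_id = AD_SECRET_PATTERNS[user].format(id=deployment_id)
        current = client.get_secret_value(SecretId=secret_id)["SecretString"]
        client.put_secret_value(SecretId=secret_id,
                                SecretString=updated_secret_string(current, password))
        written.append(secret_id)
    return written


class FakeSecretsManager:
    """Constructed in-memory stand-in so the example runs offline;
    use boto3.client("secretsmanager") for a real rotation."""
    def __init__(self, secrets):
        self.secrets = dict(secrets)

    def get_secret_value(self, SecretId):
        return {"SecretString": self.secrets[SecretId]}

    def put_secret_value(self, SecretId, SecretString):
        self.secrets[SecretId] = SecretString
        return {"Name": SecretId}
```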

Update AD Connector (spoke Regions)

For each spoke region with an AD Connector:

  1. Use the Region Selector to navigate to the spoke region

  2. Go to the Directory Service console

  3. Click on the AD Connector with the MCS domain name

  4. Navigate to Network and Security

  5. Scroll to Service Account Credentials and click Update

  6. Set the password to match the new SA_AdConnectorUser password

  7. Click Update

  8. Wait for the status to show "Active" before proceeding to the next region

Important

Wait approximately 1 hour before attempting to log in to workstations in spoke Regions after updating the AD Connector password.

Update Leostream Active Directory authentication

  1. Log in to the Leostream management dashboard using the admin user

  2. Navigate to Setup > Authentication Servers > Edit

  3. Locate the authentication server configuration section

  4. Update the password field with the new SA_McsModulesUser password

  5. Click Save

  6. Test the connection by attempting to authenticate a test user

After completing this update, you can log in to Leostream Gateway with Amazon DCV using the new StudioAdmin password or any other user credentials from the AWS Managed Microsoft AD.

Update storage modules

Amazon FSx for Lustre: Password changes are automatically synchronized. No manual action required.

Amazon FSx for Windows: Manual password synchronization is required.

  1. Navigate to the Amazon FSx console

  2. Click on your Windows file system

  3. Go to Network and Security

  4. Locate the Service Account section with SA_McsModulesUser

  5. Click Update next to the service account credentials

  6. Set the password to match the new SA_McsModulesUser password

  7. Monitor the Updates section for completion of the Service Account Credential update

  8. Verify the file system status remains "Available" after the update

If the Amazon FSx Windows module shows as misconfigured after password expiration:

  1. Click Attempt Recovery to reconfigure the module

  2. Wait for the update to complete

  3. Verify the module status returns to available

Manually rotating the Leostream database secret

This solution doesn’t provide automatic secrets rotation. Depending on your security requirements, you may consider manually rotating the credentials for your Leostream Connection Broker database. Follow these steps to manually rotate PostgreSQL database credentials:

  1. Log in to the admin dashboard as admin

    Log in to the Leostream Connection Broker through the Leostream Gateway using the "admin" credentials, which are stored in Secrets Manager at: /[MCSDeploymentId]/WorkstationManagement/Leostream/Console/AdminUserCredentials.

  2. Switch Leostream Credentials

    This temporary switch is required: without it, the gateway cannot connect to the broker once the database password has been changed. In the Connection Broker, under Systems > Maintenance, choose DATABASE OPTIONS > Switch to PostgreSQL database and enter the default postgres admin credentials, which are located at LeostreamBrokerStorageSitCD-*. This changes which database credentials the Leostream settings use. For details on updating credentials in the Leostream Connection Broker, see the Leostream Administrator’s Guide.

  3. Leostream Connection Broker Restart Time

    The Broker will take a couple of minutes to restart for you to be able to log in.

  4. Update the PostgreSQL user password

    To change the password of the PostgreSQL "leostream" user, follow the instructions for the ALTER USER command in the PostgreSQL documentation. Modify only the "leostream" user's credentials, not the default administrator account, so that the credentials are updated correctly at the database level.

  5. Update secret in Secrets Manager

    Locate the secret at: /[MCSDeploymentId]/WorkstationManagement/Leostream/Database/Credentials, then update the secret with the new credentials.

    *Update Leostream credentials*

    To update the corresponding credentials in the Leostream Connection Broker, see the Leostream Administrator’s Guide. This updates the Leostream settings to use the new database password. Under Systems > Maintenance, choose DATABASE OPTIONS > Switch to PostgreSQL database and switch back to the "leostream" user, whose credentials are located at /[MCSDeploymentId]/WorkstationManagement/Leostream/Database/Credentials.

  6. Leostream Connection Broker Restart Time

    The Broker will take a couple of minutes to restart for you to be able to log in.

The following secrets can be rotated using a similar process:

  • /[MCSDeploymentId]/WorkstationManagement/Leostream/API/ServiceUserCredentials

  • /[MCSDeploymentId]/WorkstationManagement/Leostream/Console/AdminUserCredential