Automating Secret Rotation with AWS Lambda and Secrets Manager

In the digital world, where security is paramount, managing and rotating secrets like passwords, API keys, and SSH keys is a critical task. AWS Secrets Manager is an excellent tool for this purpose, offering a way to securely store and manage these sensitive pieces of information. However, when dealing with services or databases not directly supported by Secrets Manager, AWS Lambda steps in to provide a customizable solution. In this blog, we'll explore how you can use AWS Lambda in conjunction with AWS Secrets Manager to rotate secrets for a variety of applications.

Why Rotate Secrets?

Rotating secrets regularly minimizes the risk of unauthorized access and data breaches. It's a key practice in maintaining a robust security posture. AWS Secrets Manager facilitates this by automating the rotation of secrets. But for services that aren't natively supported, custom solutions are required.

Custom Solutions with AWS Lambda

AWS Lambda is a serverless computing service that runs your code in response to events, such as a scheduled time for rotating a secret. Here, we delve into three examples where Lambda functions come to the rescue for secret rotation.

Example 1: Rotating Credentials for PostgreSQL Database

AWS Secrets Manager doesn't support automatic rotation for some databases like PostgreSQL. Here's how you can set up a Lambda function for this:

1. Write a Lambda Function: The function, written in Python, connects to the PostgreSQL database.

2. Generate and Apply New Password: It generates a new password and applies it to the database.

3. Validation and Update: After validating the new password, the function updates the Secrets Manager.

4. Automate the Process: You schedule this to happen every 90 days, ensuring your database credentials are regularly updated.

Example 2: Rotating API Keys for a Custom API Service

If you have a custom API service using API keys for authentication, rotating these keys enhances security.

1. Develop a Lambda Function: A Node.js function can be developed to interact with your API service.

2. Key Generation and Application: This function generates a new API key and applies it to your service.

3. Verification and Secrets Manager Update: It verifies the new key's functionality before updating it in Secrets Manager.

4. Regular Rotation: Set this to trigger at regular intervals for consistent security.

Example 3: Rotating SSH Keys for Server Access

Servers using SSH keys for access can also benefit from automated rotation.

1. Lambda Function Creation: A Python function capable of generating SSH keys and interacting with your server is created.

2. Deploying New SSH Key: The function updates the server with a new public key.

3. Access Testing: It tests server access with the new key to ensure functionality.

4. Updating Secrets Manager: Upon successful testing, the new key is updated in Secrets Manager.

5. Scheduled Updates: Regularly scheduled function executions keep your SSH keys fresh and secure.

Conclusion

Automating the rotation of secrets using AWS Lambda and Secrets Manager not only enhances security but also adds efficiency to the process. By writing custom Lambda functions for different types of secrets, you can ensure that your sensitive data remains protected, and your compliance requirements are met. Remember, the key to a secure environment is not just in storing secrets safely but also in rotating them effectively and regularly. Happy coding, and stay secure!