This chapter covers AWS Secrets Manager's automatic rotation feature, a critical mechanism for maintaining security posture without manual intervention. Automatic rotation ensures that database credentials, API keys, and other secrets are periodically replaced, reducing the risk of compromise. On the SAA-C03 exam, this topic appears in approximately 5-10% of questions related to Secure Architectures (Objective 1.2), often in scenarios involving compliance, security automation, or integration with AWS services like RDS and Lambda. Understanding how rotation works, its configuration options, and common pitfalls is essential for passing.
Imagine a secure facility where each employee has a personal locker with a combination lock. To ensure security, the facility manager mandates that every combination must be changed every 30 days. Instead of each employee manually resetting their lock, a robotic locker attendant automatically generates a new random combination, programs the lock, and securely delivers the new combination to the employee's smartphone app. The old combination is immediately invalidated. The attendant also logs every rotation event. If an employee is on vacation and cannot receive the new combination, the attendant can temporarily use a backup master key (a separate credential) to access the locker, but only after verifying the employee's identity through an alternative channel. This system prevents stale combinations from being compromised, reduces human error, and ensures that all lockers are updated synchronously. The robotic attendant is AWS Secrets Manager, the locker is a database secret, and the combination is the database password. The 30-day rotation schedule is the rotation interval, and the smartphone app is the integrated service (like RDS) that receives the new secret automatically.
What is Secrets Manager Automatic Rotation?
AWS Secrets Manager is a service that securely stores, retrieves, and manages secrets such as database passwords, API keys, and OAuth tokens. Automatic rotation is a built-in feature that periodically changes the secret value according to a schedule you define. This reduces the risk of credential compromise by ensuring secrets are regularly refreshed.
Why Automatic Rotation Exists
Static secrets are a major security vulnerability. If a password is leaked, the window of exposure is indefinite until someone manually changes it. Automatic rotation limits that window to the rotation interval (e.g., 30 days). It also helps meet compliance requirements like PCI DSS, HIPAA, and SOC 2, which mandate periodic credential rotation.
How Rotation Works Internally
Secrets Manager uses an AWS Lambda function to perform the rotation. The function is provided by AWS for supported services (e.g., Amazon RDS, Amazon Redshift, Amazon DocumentDB) or you can write a custom Lambda function for other secrets. The rotation process follows a specific sequence of steps called "staging labels" to ensure zero downtime and consistency.
#### Staging Labels
Each version of a secret has one or more staging labels. The key labels are:
AWSCURRENT: The currently active secret that applications use.
AWSPENDING: The new secret being created during rotation.
AWSPREVIOUS: The previous secret, available as a fallback.
During rotation, the Lambda function creates a new version with the AWSPENDING label, then updates the target service (e.g., sets the new password on the RDS user), and finally marks the AWSPENDING version as AWSCURRENT while moving the old AWSCURRENT to AWSPREVIOUS.
Rotation Strategy: Immutable Version IDs
Each version of a secret has a unique Version ID (a UUID). When you retrieve a secret, you can specify a Version ID or use the staging label. This immutability ensures that if you have a reference to a specific version, the secret value does not change out from under you.
Configuration Parameters
RotationInterval: The number of days between automatic rotations. Default is 30 days. Minimum is 0 (immediate rotation after creation), but practical minimum is 1 hour (per AWS documentation).
RotationLambdaARN: The ARN of the Lambda function that performs the rotation.
RotationRules: A JSON object containing AutomaticallyAfterDays (integer), the key passed to the CLI's --rotation-rules option.
How to Enable Rotation
You can enable rotation when creating a secret or later via the console, CLI, or SDK. For an existing secret, you must attach a Lambda function and set the rotation schedule.
CLI Example:
```shell
aws secretsmanager rotate-secret \
  --secret-id MyDatabaseSecret \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:MyRotationLambda \
  --rotation-rules '{"AutomaticallyAfterDays": 30}'
```
Supported Services
AWS provides pre-built Lambda rotation templates for:
Amazon RDS (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora)
Amazon Redshift
Amazon DocumentDB
Amazon ElastiCache for Redis (via custom Lambda)
Amazon ECS (for environment variables)
For other services (e.g., custom database, API key), you must create a custom Lambda function.
Custom Rotation Lambda Function
If you write your own Lambda function, it must implement the following steps (as per the AWS rotation function blueprint):
createSecret: Generate a new secret value and store it with the AWSPENDING label.
setSecret: Set the new secret on the target service (e.g., update the database user password).
testSecret: Verify that the new secret works (e.g., connect to the database with the new credentials).
finishSecret: Move the AWSPENDING label to AWSCURRENT and mark the old AWSCURRENT as AWSPREVIOUS.
Secrets Manager invokes the Lambda function with a JSON event that includes the step name and the ARN of the secret being rotated.
Security Considerations
The Lambda function must have IAM permissions to read the secret, write the secret (to create new versions), and modify the target service.
The Lambda function should have a VPC configuration if the target service is in a VPC (e.g., RDS in a private subnet).
Secrets Manager uses envelope encryption with AWS KMS. The secret value is encrypted under a KMS key (either the default aws/secretsmanager key or a customer managed key).
Rotation and Multi-Region Secrets
Secrets Manager supports replicating secrets to multiple regions. Rotation must be configured independently in each region. If you replicate a secret, the rotation schedule does not automatically synchronize across regions.
Rotation and CloudTrail
Every rotation event is logged in AWS CloudTrail, including the creation of new versions and the update of staging labels. You can monitor rotations using CloudTrail or Amazon EventBridge.
Default Values and Timers
Rotation interval default: 30 days.
Lambda timeout: The default Lambda timeout is 15 minutes for rotation functions. If your rotation takes longer, increase the timeout.
Maximum secret size: 64 KB (including the JSON structure).
Interaction with Other Services
Amazon RDS: Secrets Manager can automatically rotate RDS master user passwords. The Lambda function uses the RDS API to modify the password.
AWS Lambda: The rotation function itself is a Lambda function. You can use the AWS provided templates or write custom code.
AWS KMS: Secrets Manager uses KMS for encryption. The key policy must allow the Secrets Manager service to use the key.
Amazon EventBridge: You can trigger actions based on rotation events (e.g., send notification when rotation fails).
Common Configuration Mistakes
Not setting a VPC for the Lambda function: If the target database is in a VPC, the Lambda function must also be in the same VPC (or have VPC access via VPC endpoint).
Incorrect IAM permissions: The Lambda function needs permissions to call Secrets Manager and the target service API.
Using a custom Lambda that does not handle all four steps: The rotation will fail if the Lambda does not implement createSecret, setSecret, testSecret, and finishSecret.
Forgetting to enable rotation after creating the secret: Rotation is not enabled by default.
Monitoring Rotation
You can check the rotation status in the Secrets Manager console under the secret details page. The console shows the last rotation date, next rotation date, and rotation history. Use CloudWatch metrics and logs for Lambda function errors.
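As an added example (not code from the page), the following Python scans CloudTrail records for the label transitions described above and flags a rotation that wrote an AWSPENDING version but never promoted it to AWSCURRENT, which is the state a failed or timed-out rotation function leaves behind. The records in `SAMPLE_EVENTS` are constructed; the field names follow CloudTrail's `requestParameters` for the PutSecretValue and UpdateSecretVersionStage calls, and the `stuck_after` threshold is an assumption you would tune to your Lambda timeout.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records, trimmed to the fields the detector reads.
# Secret values are never logged; only the API call, the secret id and the staging label appear.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T02:00:00Z", "eventName": "RotateSecret",
     "requestParameters": {"secretId": "prod/db-a"}},
    {"eventTime": "2024-05-01T02:00:04Z", "eventName": "PutSecretValue",
     "requestParameters": {"secretId": "prod/db-a", "versionStages": ["AWSPENDING"]}},
    {"eventTime": "2024-05-01T02:00:19Z", "eventName": "UpdateSecretVersionStage",
     "requestParameters": {"secretId": "prod/db-a", "versionStage": "AWSCURRENT"}},
    {"eventTime": "2024-05-01T02:00:20Z", "eventName": "UpdateSecretVersionStage",
     "requestParameters": {"secretId": "prod/db-a", "versionStage": "AWSPENDING"}},
    # db-b: a pending version was written, then nothing more (Lambda failed or timed out)
    {"eventTime": "2024-05-01T03:00:00Z", "eventName": "RotateSecret",
     "requestParameters": {"secretId": "prod/db-b"}},
    {"eventTime": "2024-05-01T03:00:03Z", "eventName": "PutSecretValue",
     "requestParameters": {"secretId": "prod/db-b", "versionStages": ["AWSPENDING"]}},
    # db-c: the API call itself was rejected (constructed error for illustration)
    {"eventTime": "2024-05-01T04:00:00Z", "eventName": "RotateSecret",
     "requestParameters": {"secretId": "prod/db-c"},
     "errorCode": "AccessDeniedException", "errorMessage": "constructed sample error"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_rotations(events, now, stuck_after=timedelta(minutes=30)):
    """Return {secretId: status}: 'completed' (AWSPENDING promoted to AWSCURRENT), 'pending'
    (promotion not yet seen), 'stuck' (pending longer than stuck_after), 'failed:<errorCode>'
    (an API error was logged) or 'started' (only RotateSecret seen)."""
    state = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        params = ev["requestParameters"]
        rec = state.setdefault(params["secretId"], {"pending_at": None, "status": "started"})
        if "errorCode" in ev:
            rec["status"] = "failed:" + ev["errorCode"]
        elif ev["eventName"] == "PutSecretValue" and "AWSPENDING" in params.get("versionStages", []):
            rec["pending_at"], rec["status"] = parse_time(ev["eventTime"]), "pending"
        elif ev["eventName"] == "UpdateSecretVersionStage" and params.get("versionStage") == "AWSCURRENT":
            rec["pending_at"], rec["status"] = None, "completed"
    for rec in state.values():
        if rec["status"] == "pending" and now - rec["pending_at"] > stuck_after:
            rec["status"] = "stuck"
    return {sid: rec["status"] for sid, rec in state.items()}
```

A stuck AWSPENDING version deserves a look at the Lambda's CloudWatch logs before rotation is re-run: if setSecret completed but testSecret or finishSecret did not, the target service may already accept the pending password while AWSCURRENT still holds the old one, which is exactly why the createSecret step must be idempotent on retry.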
Pricing
Secrets Manager charges $0.40 per secret per month and $0.05 per 10,000 API calls. Rotation itself does not incur additional charges beyond the secret storage and API calls made during rotation.
Step 1: Create a new secret version
The Lambda function generates a new random secret value (e.g., a 32-character password) and calls the Secrets Manager API to store it as a new version with the staging label 'AWSPENDING'. This version is not yet active. The Lambda function receives the secret ARN and the step name 'createSecret' in the event payload. The function must handle idempotency: if the AWSPENDING version already exists, it should skip creation or update it.
Step 2: Set the new secret on the target service
The Lambda function connects to the target service (e.g., RDS database) and updates the credential to the new secret value. For RDS, this involves executing an ALTER USER statement to change the password. The function uses the existing AWSCURRENT credentials to authenticate. If this step fails (e.g., network issue), the rotation stops and the secret remains unchanged. The function should catch exceptions and report them.
Step 3: Test the new secret
The Lambda function attempts to authenticate to the target service using the new AWSPENDING secret. This verifies that the password change was successful and the new credentials work. If the test fails (e.g., connection timeout, authentication error), the function should fail the rotation and optionally roll back by setting the old password again. The test step is critical to avoid breaking applications.
Step 4: Finish the rotation
The Lambda function calls Secrets Manager to mark the AWSPENDING version as AWSCURRENT. Secrets Manager automatically moves the old AWSCURRENT label to AWSPREVIOUS. The AWSPREVIOUS version is retained for a period (default 30 days, or until a new rotation completes). This step ensures the new secret is now the active one. After this, applications using the secret will retrieve the new value on their next read.
Step 5: Clean up old versions (optional)
Secrets Manager automatically removes old versions that are no longer needed based on the rotation policy. By default, after a new rotation completes, the AWSPREVIOUS version is kept but can be manually deleted. The service does not delete versions immediately; they are subject to a retention period. You can also call the 'restore-secret' API to recover a deleted secret within a 30-day window.
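The four-step contract listed under "Custom Rotation Lambda Function" and walked through in Steps 1 to 4 above, as an added example in Python (not the page's code and not the AWS-provided rotation template). It follows the shape of the rotation blueprint: the idempotency check in createSecret, authentication with the AWSCURRENT credentials in setSecret, the abort in testSecret before any label moves, and the AWSCURRENT/AWSPREVIOUS move in finishSecret. `FakeDatabase` and `FakeSecretsManager` are constructed in-memory stand-ins for the target service and the boto3 client (they reproduce only the call shapes used here, including the service attaching AWSPREVIOUS to the outgoing AWSCURRENT version), the ARN and token are placeholders, and `lambda_handler` takes the client and database as parameters so the example runs offline.

```python
import json
import secrets

ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:MyDatabaseSecret-AbCdEf"  # constructed placeholder


class FakeDatabase:  # constructed stand-in for the target service (an RDS user store)
    def __init__(self, user, password):
        self.passwords = {user: password}
    def connect(self, user, password):
        return self.passwords.get(user) == password
    def alter_user(self, auth_user, auth_password, user, new_password):
        if not self.connect(auth_user, auth_password):  # step 2 authenticates with the AWSCURRENT credentials
            raise PermissionError("setSecret: current credentials rejected")
        self.passwords[user] = new_password


class FakeSecretsManager:  # constructed in-memory subset of the boto3 client; call shapes only
    def __init__(self, arn, current_secret):
        self.arn = arn
        self.versions = {"v0": {"value": current_secret, "stages": {"AWSCURRENT"}}}
    def begin_rotation(self, token):  # the service reserves the new version id under AWSPENDING first
        self.versions[token] = {"value": None, "stages": {"AWSPENDING"}}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionStage=None, VersionId=None):
        for vid, d in self.versions.items():
            hit = vid == VersionId if VersionId else VersionStage in d["stages"]
            if hit and d["value"] is not None:
                return {"VersionId": vid, "SecretString": d["value"]}
        raise LookupError("ResourceNotFoundException")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId=None, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":  # the outgoing AWSCURRENT version becomes AWSPREVIOUS
                for d in self.versions.values():
                    d["stages"].discard("AWSPREVIOUS")
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        if MoveToVersionId:
            self.versions[MoveToVersionId]["stages"].add(VersionStage)


def _read(client, arn, **which):
    return json.loads(client.get_secret_value(SecretId=arn, **which)["SecretString"])


def create_secret(client, db, arn, token):  # step createSecret
    current = _read(client, arn, VersionStage="AWSCURRENT")
    try:
        _read(client, arn, VersionId=token, VersionStage="AWSPENDING")
        return  # idempotent: a retried invocation must not mint a second pending password
    except LookupError:
        new = dict(current, password=secrets.token_urlsafe(24))  # 32-character random password
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(new), VersionStages=["AWSPENDING"])


def set_secret(client, db, arn, token):  # step setSecret
    current = _read(client, arn, VersionStage="AWSCURRENT")
    pending = _read(client, arn, VersionId=token, VersionStage="AWSPENDING")
    db.alter_user(current["username"], current["password"], pending["username"], pending["password"])


def check_secret(client, db, arn, token):  # step testSecret
    pending = _read(client, arn, VersionId=token, VersionStage="AWSPENDING")
    if not db.connect(pending["username"], pending["password"]):
        raise RuntimeError("testSecret: new credentials rejected; staging labels left untouched")


def finish_secret(client, db, arn, token):  # step finishSecret
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    if current_id == token:
        return  # already finished on an earlier attempt
    client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
    client.update_secret_version_stage(SecretId=arn, VersionStage="AWSPENDING", RemoveFromVersionId=token)


STEPS = {"createSecret": create_secret, "setSecret": set_secret,
         "testSecret": check_secret, "finishSecret": finish_secret}


def lambda_handler(event, context, client, db):
    # Blueprint-shaped entry point: dispatch on event["Step"]. client/db are injected so the
    # example runs offline; a deployed function would construct a boto3 client instead.
    STEPS[event["Step"]](client, db, event["SecretId"], event["ClientRequestToken"])


def rotate(client, db, token):  # drive the four invocations Secrets Manager would make
    client.begin_rotation(token)
    for step in STEPS:
        lambda_handler({"SecretId": client.arn, "ClientRequestToken": token, "Step": step}, None, client, db)
    return client.describe_secret(SecretId=client.arn)["VersionIdsToStages"]


def demo():
    db = FakeDatabase("app_user", "old-password")
    client = FakeSecretsManager(ARN, json.dumps({"username": "app_user", "password": "old-password"}))
    stages = rotate(client, db, "11111111-2222-3333-4444-555555555555")
    new_pw = _read(client, ARN, VersionStage="AWSCURRENT")["password"]
    return stages, db.connect("app_user", new_pw), db.connect("app_user", "old-password")
```

Running `demo()` ends with the original version carrying only AWSPREVIOUS and the new version carrying AWSCURRENT, with the database accepting the new password and rejecting the old one. Skipping setSecret (or pointing the function at a database that rejected the change) makes the testSecret step raise, and because no label has moved yet, AWSCURRENT still resolves to the working credentials.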
Enterprise Scenario 1: RDS Database Rotation for a SaaS Application
A SaaS company hosts customer databases on Amazon RDS for PostgreSQL. Each customer has a dedicated database with a unique username and password. The company uses Secrets Manager to store these credentials and enables automatic rotation every 30 days. The rotation Lambda function is deployed in the same VPC as the RDS instances, with a security group that allows inbound/outbound traffic on port 5432. The function uses RDS IAM authentication to manage users. In production, with over 500 secrets, rotation is staggered to avoid simultaneous load on the database. The company monitors rotation via CloudWatch logs and alerts on failures. A common issue is that the Lambda function times out if the database is under heavy load; increasing the Lambda timeout to 5 minutes resolves this. Another challenge is that some legacy applications cache the secret and break after rotation; the company mitigates this by using short TTLs and implementing a secret refresh mechanism.
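The cache-and-refresh mitigation mentioned at the end of the scenario, as an added example in Python that is neither the company's nor AWS's code: `SecretCache` keeps the AWSCURRENT value for a short TTL, and `connect_with_refresh` re-fetches once on an authentication failure, so a rotation that lands mid-TTL costs one rejected connection attempt rather than an outage. `FakeSecretsManager` and `FakeDatabase` are constructed stand-ins (the real client would be boto3's `get_secret_value`), the `pw-v1`/`pw-v2` values are constructed, and the clock is injected so the example runs instantly.

```python
import time


class AuthError(Exception):
    """Raised by the target when the presented password is rejected (constructed)."""


class FakeSecretsManager:  # constructed stand-in: returns the AWSCURRENT value and counts API calls
    def __init__(self, password):
        self.password, self.calls = password, 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"SecretString": self.password}


class FakeDatabase:  # constructed stand-in: accepts exactly one password for new connections
    def __init__(self, password):
        self.password = password

    def connect(self, password):
        if password != self.password:
            raise AuthError("password rejected")
        return "connection"


class SecretCache:
    """Cache the AWSCURRENT value for ttl_seconds; `clock` is injectable for offline tests."""
    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self.value, self.fetched_at = None, None

    def refresh(self):
        self.value = self.client.get_secret_value(SecretId=self.secret_id)["SecretString"]
        self.fetched_at = self.clock()
        return self.value

    def get(self):
        if self.value is None or self.clock() - self.fetched_at >= self.ttl:
            return self.refresh()
        return self.value


def connect_with_refresh(cache, db):
    """Use the cached credential; on an authentication failure refresh once and retry.
    This covers the window between a rotation finishing and the cache TTL expiring."""
    try:
        return db.connect(cache.get())
    except AuthError:
        return db.connect(cache.refresh())


def simulate():
    """Walk through a rotation landing mid-TTL; returns (API calls made, cached value)."""
    clock = {"t": 0.0}
    client, db = FakeSecretsManager("pw-v1"), FakeDatabase("pw-v1")
    cache = SecretCache(client, "prod/db-a", ttl_seconds=300, clock=lambda: clock["t"])
    connect_with_refresh(cache, db)   # first use: one API call
    clock["t"] = 100
    connect_with_refresh(cache, db)   # within TTL: served from cache, no API call
    # A rotation finishes: Secrets Manager now returns pw-v2 and the database accepts only pw-v2.
    client.password, db.password = "pw-v2", "pw-v2"
    clock["t"] = 200
    connect_with_refresh(cache, db)   # cached pw-v1 is rejected -> refresh -> pw-v2 works
    clock["t"] = 600
    connect_with_refresh(cache, db)   # TTL expired: refreshed proactively
    return client.calls, cache.value
```

The retry path only triggers on an authentication error, not on every failure, so a network fault does not turn into a burst of Secrets Manager calls; with many application instances, the TTL also keeps GetSecretValue traffic (and the per-10,000-calls charge) bounded.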
Enterprise Scenario 2: API Key Rotation for Third-Party Service
A financial services firm integrates with a third-party payment gateway using an API key. The key is stored in Secrets Manager and must be rotated every 90 days per compliance. Since the third party does not support automatic key rotation via API, the firm uses a custom Lambda function that: (1) generates a new key, (2) calls the third party's support API to register the new key, (3) updates the secret, and (4) deactivates the old key after a grace period. The Lambda function is triggered by a CloudWatch Events rule that invokes rotation. The firm also uses a second secret as a backup key to avoid downtime during rotation. A misconfiguration where the Lambda function lacked VPC endpoints caused the function to fail when trying to reach the third-party API over the internet; the fix was to place the Lambda in a public subnet with a NAT gateway.
Performance Considerations
Lambda cold starts: If rotation is infrequent, the Lambda function may experience cold starts, adding latency. Use provisioned concurrency if needed.
API rate limits: Secrets Manager has default API rate limits (e.g., 50 requests per second per account). Bulk rotation of many secrets may require throttling.
Database connections: The Lambda function should reuse database connections if rotating multiple secrets for the same database to avoid connection exhaustion.
SAA-C03 Exam Focus on Secrets Manager Automatic Rotation
The SAA-C03 exam tests Secrets Manager automatic rotation under Objective 1.2 (Secure Architectures) and often in the context of designing secure applications. The exam expects you to know:
How to enable rotation: When to use the console, CLI, or CloudFormation.
The four steps of a custom rotation function: createSecret, setSecret, testSecret, finishSecret.
Staging labels: AWSCURRENT, AWSPENDING, AWSPREVIOUS.
Supported services: RDS, Redshift, DocumentDB (and that DynamoDB is NOT supported via pre-built template).
IAM permissions needed: The Lambda function needs secretsmanager:PutSecretValue, secretsmanager:GetSecretValue, etc., and permissions on the target service.
VPC requirements: If the target is in a VPC, the Lambda must be in the same VPC or use VPC endpoints.
Rotation interval: Default 30 days, can be set to any value (minimum 0, but practical minimum 1 hour).
Common Wrong Answers
"Rotation interval must be at least 7 days": Wrong. The default is 30 days, but you can set any value (including 0 for immediate rotation).
"You must use a custom Lambda function for all secrets": Wrong. AWS provides pre-built templates for RDS, Redshift, and DocumentDB.
"Rotation automatically updates the secret in all regions for multi-region secrets": Wrong. Each region's replica must have its own rotation configuration.
"Secrets Manager automatically rotates secrets without any Lambda function": Wrong. Rotation always requires a Lambda function (either AWS-provided or custom).
Numbers and Terms on the Exam
30 days: Default rotation interval.
AWSCURRENT, AWSPENDING, AWSPREVIOUS: Staging labels.
Four steps: createSecret, setSecret, testSecret, finishSecret.
64 KB: Maximum secret size.
$0.40 per secret per month: Pricing (though not explicitly tested, understanding cost implications may appear).
Edge Cases
Rotation fails: If the Lambda function fails, the secret remains unchanged. You must fix the Lambda and retry rotation.
Simultaneous rotation of multiple secrets for the same database: The Lambda function must handle concurrency, e.g., by using a distributed lock or idempotent operations.
Deleting a secret with rotation enabled: You must first disable rotation, then delete the secret. The exam may ask about the order of operations.
How to Eliminate Wrong Answers
If an answer says "rotation is automatic without any configuration," it is wrong because you must attach a Lambda function.
If an answer says "you can rotate secrets in DynamoDB automatically," it is wrong because DynamoDB is not supported.
If an answer says "the old secret is immediately deleted," it is wrong; it is retained as AWSPREVIOUS.
Automatic rotation requires a Lambda function (AWS-provided or custom).
Default rotation interval is 30 days; configurable to any value (minimum 0).
The four steps of a custom rotation Lambda: createSecret, setSecret, testSecret, finishSecret.
Staging labels: AWSCURRENT (active), AWSPENDING (new), AWSPREVIOUS (old).
Supported services with pre-built templates: RDS, Redshift, DocumentDB.
Lambda function must have IAM permissions for Secrets Manager and the target service.
If the target service is in a VPC, the Lambda must be in the same VPC or use VPC endpoints.
Rotation is logged in CloudTrail and can be monitored via EventBridge.
Multi-region secrets require independent rotation configuration per region.
Old secrets are retained as AWSPREVIOUS until the next rotation completes.
These come up on the exam all the time. Here's how to tell them apart.
Secrets Manager Automatic Rotation
Automatically rotates secrets on a schedule (e.g., every 30 days).
Uses Lambda function to perform rotation steps.
Provides staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS) for zero-downtime rotation.
Integrates with CloudTrail for auditing.
Reduces human error and ensures compliance.
Manual Rotation
Requires manual intervention to change secrets.
No built-in mechanism; you must write scripts or use other tools.
Risk of human error (e.g., forgetting to rotate).
No automatic rollback if new secret fails.
Higher operational overhead and potential security gaps.
Mistake
Secrets Manager automatically rotates secrets without any Lambda function.
Correct
Rotation always requires a Lambda function. AWS provides pre-built templates for supported services, but you must attach the function to the secret.
Mistake
You can only rotate secrets every 30 days.
Correct
The default is 30 days, but you can set any interval, including 0 (immediate) or 1 hour. The exam tests that the interval is configurable.
Mistake
When you rotate a secret, the old secret value is immediately deleted.
Correct
The old secret is retained with the AWSPREVIOUS label. It is not deleted until a new rotation completes or you manually delete it.
Mistake
Secrets Manager supports automatic rotation for all AWS services.
Correct
Only RDS, Redshift, DocumentDB, and a few others have pre-built templates. For other services, you must write a custom Lambda function.
Mistake
Multi-region secrets automatically rotate in all regions.
Correct
Each region's replica has its own rotation configuration. You must enable rotation independently in each region.
You can enable rotation via the console, CLI, or SDK. In the console, select the secret, choose 'Edit rotation', and specify the Lambda function ARN and rotation interval. Using the CLI, run `aws secretsmanager rotate-secret --secret-id <id> --rotation-lambda-arn <arn> --rotation-rules '{"AutomaticallyAfterDays": 30}'`. You must have a rotation Lambda function already created.
If the Lambda function fails during any step, the rotation is aborted and the secret remains unchanged. Secrets Manager does not automatically retry; you must investigate the failure (check CloudWatch logs), fix the issue, and manually trigger rotation again. The old secret continues to be used.
No, DynamoDB does not have a pre-built rotation template. You can write a custom Lambda function to rotate credentials stored in DynamoDB, but Secrets Manager does not provide a built-in integration. The exam tests this limitation.
Each secret has its own rotation schedule. Secrets Manager invokes the Lambda function per secret independently. If multiple secrets share the same Lambda function, the function must handle concurrent invocations. The Lambda function should be idempotent and use locking mechanisms if needed.
The Lambda function needs permissions to call Secrets Manager APIs (e.g., secretsmanager:GetSecretValue, secretsmanager:PutSecretValue, secretsmanager:UpdateSecretVersionStage) and permissions to modify the target service (e.g., rds:ModifyDBInstance for RDS). The exact permissions depend on the service.
Yes, you can specify a customer managed KMS key when creating the secret. The key must have a key policy that allows Secrets Manager to encrypt/decrypt. The Lambda function does not need direct access to the KMS key; Secrets Manager handles encryption transparently.
The third step of the rotation Lambda function (testSecret) is designed to test the new secret by attempting to authenticate to the target service. If the test fails, the rotation fails. You can also manually retrieve the new secret using the AWSCURRENT staging label and test it externally.