SECRETS ARE NOT ROTATING IN SECRETS MANAGER
- We had an issue where Security Hub was reporting that secrets in AWS Secrets Manager weren't rotating automatically. Our database credentials were failing to update on their scheduled 30-day rotation cycle.
- I was responsible for identifying the root cause and restoring the automated rotation process to maintain our security compliance.
- I followed a systematic troubleshooting approach:
- First, I checked the Secrets Manager console and saw that the rotation status showed as failed
- I identified the Lambda function handling the rotation and went directly to CloudWatch Logs to check the execution logs
- In the logs, I found an authentication error indicating that the credentials stored in Secrets Manager no longer matched the actual database credentials
- I investigated further and discovered that a developer had manually changed the database password directly in the database without updating it in Secrets Manager
- This caused a disconnect: Secrets Manager was trying to rotate using old credentials that were no longer valid
- To resolve this, I coordinated with the developer to understand what changes had been made
- I updated the secret in Secrets Manager with the current valid credentials
- I re-triggered the rotation manually to verify it worked
- The rotation succeeded, and I confirmed the new credentials were properly stored and functional.
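The same diagnosis and repair, scripted against the Secrets Manager API, as an added example that is not part of the original post. It assumes the secret is in the JSON format the AWS-provided RDS rotation Lambda expects (`username`, `password`, and connection fields), that the describe-secret response and CloudWatch log lines shown are constructed samples rather than captured output, and that the replacement password has already been verified against the database out of band (the `verified_password` argument). It uses only these boto3 calls, all of which exist with the signatures shown: `describe_secret`, `put_secret_value`, `update_secret_version_stage`, and `rotate_secret`. One caveat the post does not spell out: a rotation that fails partway usually leaves a version labelled `AWSPENDING`, and that label is cleared here before the secret is corrected so the next rotation starts clean.

```python
"""Diagnose and repair a Secrets Manager rotation that stopped working.

Added example (not the original post's code). Sample data below is
constructed; the boto3 client is only used when the script is run with
real credentials, so the analysis functions are testable offline.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed describe_secret() response shaped like the real API: rotation
# is enabled, the last successful rotation is well past the 30-day window,
# and one version still carries AWSPENDING (a rotation that never finished).
SAMPLE_SECRET = {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
    "RotationEnabled": True,
    "RotationLambdaARN": "arn:aws:lambda:us-east-1:123456789012:function:rds-rotate",
    "RotationRules": {"AutomaticallyAfterDays": 30},
    "LastRotatedDate": datetime(2024, 1, 10, tzinfo=timezone.utc),
    "VersionIdsToStages": {"v-1111": ["AWSCURRENT"], "v-2222": ["AWSPENDING"]},
}
CHECK_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # "now" for the sample

# Constructed CloudWatch lines in the style of the AWS rotation Lambda,
# failing at setSecret because no stored credential can log in any more.
SAMPLE_LOGS = [
    "START RequestId: 9c1e... Version: $LATEST",
    "createSecret: Successfully retrieved secret for ARN ... and stage AWSPENDING.",
    "setSecret: Unable to log into database with previous, current, or pending secret ...",
    "[ERROR] ValueError: Unable to log into database with previous, current, or pending secret ...",
    "END RequestId: 9c1e...",
]
AUTH_FAILURE = re.compile(r"unable to log into database|authentication failed|access denied", re.I)


def rotation_overdue(secret, now):
    """Rotation is enabled but the last success is older than the configured window."""
    if not secret.get("RotationEnabled"):
        return False
    window = timedelta(days=secret["RotationRules"]["AutomaticallyAfterDays"])
    return now - secret["LastRotatedDate"] > window


def stuck_pending_version(secret):
    """Version id still labelled AWSPENDING but not AWSCURRENT: a rotation that
    started and did not complete. None when the secret is in a clean state."""
    for vid, stages in secret["VersionIdsToStages"].items():
        if "AWSPENDING" in stages and "AWSCURRENT" not in stages:
            return vid
    return None


def auth_failures(log_lines):
    """Log lines showing the Lambda could not authenticate to the database."""
    return [line for line in log_lines if AUTH_FAILURE.search(line)]


def diagnose(secret, log_lines, now):
    return {
        "overdue": rotation_overdue(secret, now),
        "stuck_pending": stuck_pending_version(secret),
        "auth_failures": auth_failures(log_lines),
    }


def remediation_plan(secret, current_value, verified_password):
    """Ordered (api_name, kwargs) calls: drop the stale AWSPENDING label, store
    the credential that actually works as AWSCURRENT, then rotate again."""
    sid, plan = secret["ARN"], []
    stuck = stuck_pending_version(secret)
    if stuck:
        plan.append(("update_secret_version_stage",
                     {"SecretId": sid, "VersionStage": "AWSPENDING", "RemoveFromVersionId": stuck}))
    fixed = dict(current_value, password=verified_password)  # keep host/port/username
    plan.append(("put_secret_value", {"SecretId": sid, "SecretString": json.dumps(fixed)}))
    plan.append(("rotate_secret", {"SecretId": sid, "RotateImmediately": True}))
    return plan


def apply_plan(client, plan):
    """Execute the plan against a boto3 secretsmanager client."""
    return [getattr(client, api)(**kwargs) for api, kwargs in plan]


def rotation_completed(before, after):
    """After re-triggering: LastRotatedDate advanced and no AWSPENDING lingers."""
    return after["LastRotatedDate"] > before["LastRotatedDate"] and stuck_pending_version(after) is None


def diagnose_sample():
    return diagnose(SAMPLE_SECRET, SAMPLE_LOGS, CHECK_TIME)


def sample_plan():
    return remediation_plan(SAMPLE_SECRET, {"username": "app", "password": "stale"}, "NewPass")


if __name__ == "__main__":
    print(json.dumps(diagnose_sample(), indent=2, default=str))
    for api, kwargs in sample_plan():
        print(api, {k: v for k, v in kwargs.items() if k != "SecretString"})
```

Against a live account you would feed `client.describe_secret(SecretId=...)` and the Lambda's log group into `diagnose`, run `apply_plan(boto3.client("secretsmanager"), plan)`, then call `describe_secret` again and check `rotation_completed` before retrieving the new value and connecting with it.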