Manage RDS Database Credentials Using AWS Secrets Manager and Monitor Them Through CloudTrail
Revathi Joshi
Posted on March 15, 2023
What is AWS Secrets Manager?
As per the AWS documentation:
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources.
The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Users and applications retrieve secrets with a call to the Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.
Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB.
Also, the service is extensible to other types of secrets, including API keys and OAuth tokens.
Please visit my GitHub Repository for RDS articles on various topics; it is updated on a constant basis.
Let’s get started!
Objectives:
1. Sign in to AWS Management Console
2. Create RDS MySQL instance
3. Store a new secret
4. Verify the secret created
5. Monitor Secrets Manager activity through CloudTrail
6. Delete AWS resources
Prerequisites:
- An AWS user account with admin access (not the root account).
Steps to implement this project:
1. Sign in to AWS Management Console
- Sign in to the AWS Management Console using your username and password, in the US East (N. Virginia) us-east-1 Region.
2. Create RDS MySQL instance
- On the Amazon RDS Console, Create database, Standard create
- Engine type - MySQL
- Templates - Free tier
- Under Settings, DB instance identifier - myrdsinstance
- Master username - admin
- Master password - admin1234
- Confirm master password - admin1234
- DB instance class - db.t2.micro
- Allocated storage - 20 GB
- Storage autoscaling - uncheck Enable storage autoscaling
- Take all other defaults, Create database
3. Store a new secret
- On the AWS Secrets Manager Console, Store a new secret
- Under Secret type - Credentials for Amazon RDS database
- Under Credentials - User name - admin, Password - admin1234
- Encryption key - aws/secretsmanager
- Database - myrdsinstance, Next
- Secret name - myrdssecret, Next, Next
- Store
4. Verify the secret created
- Click on myrdssecret, Under Secret value - Retrieve secret value
5. Monitor Secrets Manager activity through CloudTrail
- On the CloudTrail Console, in the left navigation pane - Event history
- In Lookup attributes, select Event name and enter the event name as GetSecretValue
6. Delete AWS resources
- From the Amazon RDS Console, delete the RDS database - myrdsinstance
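The Event history filter in step 5 is a manual version of a check worth automating: which principals read the myrdssecret secret, and which attempts were denied. The following is an added example, not code from the original post; the CloudTrail records are constructed samples (placeholder account id, ARNs and IPs), and in practice they would come from the trail's S3 bucket or the CloudTrail LookupEvents API.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data). The fields follow
# the CloudTrail record format; ARNs, IPs and the account id are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "eventTime": "2023-03-15T10:01:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-reader"},
     "requestParameters": {"secretId": "myrdssecret"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "eventTime": "2023-03-15T10:02:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-reader"},
     "requestParameters": {"secretId": "myrdssecret"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "eventTime": "2023-03-15T10:03:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"secretId": "myrdssecret"},
     "errorCode": "AccessDenied"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DescribeSecret",
     "eventTime": "2023-03-15T10:04:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-reader"},
     "requestParameters": {"secretId": "myrdssecret"}},
]})

def secret_reads(records_json, secret_name):
    """Return the GetSecretValue events for one secret, the same set the
    console shows when Event history is filtered on Event name = GetSecretValue.
    secretId may be the secret's name or its ARN, so match by substring."""
    events = json.loads(records_json)["Records"]
    return [e for e in events
            if e.get("eventSource") == "secretsmanager.amazonaws.com"
            and e.get("eventName") == "GetSecretValue"
            and secret_name in (e.get("requestParameters") or {}).get("secretId", "")]

def summarize(events):
    """Count successful reads per principal and list denied attempts
    (CloudTrail records a failure as an errorCode field on the event)."""
    ok = Counter(e["userIdentity"]["arn"] for e in events if "errorCode" not in e)
    denied = [(e["userIdentity"]["arn"], e["sourceIPAddress"], e["errorCode"])
              for e in events if "errorCode" in e]
    return dict(ok), denied

if __name__ == "__main__":
    reads = secret_reads(SAMPLE_CLOUDTRAIL, "myrdssecret")
    print(summarize(reads))
```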
What we have done so far
- We have successfully created an RDS MySQL instance, created and stored a secret, and monitored Secrets Manager activity through CloudTrail.