How to implement single-user secret rotation using Amazon RDS admin credentials

Security Blog



This article walks through how to implement a modified alternating-user rotation strategy for Amazon RDS database user credentials using AWS Secrets Manager. The strategy helps meet security and compliance standards that prohibit a database user from changing their own credentials and that prohibit multiple users with identical permissions.

Specifically, the article covers:

  • Configuring alternating-user rotation on the database credential secret
  • Modifying the Lambda rotation function to implement the modified rotation strategy
  • Testing the modified rotation strategy and verifying the secret was rotated without creating a _clone user
  • Cleaning up the resources

