Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free TrialEnsure that your Amazon RDS instances are using AWS Secrets Manager service to manage database access credentials in order to meet security and compliance requirements. Secrets Manager provides built-in integrations for MySQL, PostgreSQL and Aurora on Amazon Relational Database Service (RDS), and can rotate, manage and retrieve credentials for these database types natively.
With Amazon Secrets Manager you can secure and manage database credentials used to access AWS RDS database instances provisioned in your AWS account. Secrets Manager service will store RDS database credentials as part of the encrypted secret value (within the "SecretString" field).
To determine if Secrets Manager service is used to manage RDS database credentials within your AWS account, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.
03 In the navigation panel, select Secrets.
04 Choose the secret that you want to examine, then click on its name to access the resource configuration details.
05 On the selected secret configuration page, in the Secret value section, click Retrieve secret value button to access the panel with the secret key/value.
06 Select the Secret key/value tab and check for any entry with the Secret Key set to host and Secret Value set to an RDS database endpoint such as <rds-instance-name>.<aws-region>.rds.amazonaws.com. If there is no secret key-value pair defined to hold an RDS database hostname (endpoint), the selected Amazon Secrets Manager secret does not manage AWS RDS database credentials.
07 Repeat steps no. 4 – 6 for each Secrets Manager secret available in the current AWS region. If there are no Secrets Manager secrets created to store and manage RDS database credentials, the Secrets Manager service in not in use for Amazon Relational Database Service (RDS) within the selected region.
08 Change the AWS region from the navigation bar to repeat the audit process for other regions.
01 Run list-secrets command (OSX/Linux/UNIX) to list the names of all Secrets Manager secrets available in the selected AWS region (US East - N. Virginia):
aws secretsmanager list-secrets --region us-east-1 --query 'SecretList[*].Name'
02 The command output should return the names of the secrets available in the selected region:
|
[
"cc-project5-credentials",
"cc-api-access-credentials"
]
03 Run get-secret-value command (OSX/Linux/UNIX) using the name of the secret that you want to examine as identifier and jq, to expose the host secret key value defined for the selected Amazon Secrets Manager secret. The host secret key value contains the hostname of the database when a specified secret holds database credentials as protected information:
aws secretsmanager get-secret-value --region us-east-1 --secret-id cc-project5-credentials | jq .SecretString | jq fromjson | jq .host
04 The command output should return the requested secret key value if the selected Secrets Manager secret contains database access credentials or null if the specified secret does not manage database credentials:
"127.0.0.1"
05 Repeat steps no. 3 and 4 for each Secrets Manager secret available in the selected AWS region. If there are no Secrets Manager secrets created to store and manage RDS database credentials, the Secrets Manager service in not in use for AWS Relational Database Service (RDS) within the selected region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
To use Amazon Secrets Manager service to store and manage AWS RDS database access credentials, perform the following actions:
01 Sign in to AWS Management Console.
02 Navigate to AWS Secrets Manager dashboard at https://console.aws.amazon.com/secretsmanager/.
03 In the navigation panel, select Secrets.
04 Click Store a new secret button from the dashboard top menu to initiate the secret setup process.
05 On Select secret type page, perform the following:
06 On Secret name and description page, give the secret a unique name in the Secret name box and a short description in the Description box (optional). Create any necessary tag sets for your secret using the Tags form. Once the requested information is provided, click Next to continue.
07 On Store a new secret page, within Configure automatic rotation section, perform the following:
08 On the Review page, verify the secret configuration details, then click Store to create the Amazon Secrets Manager secret that will manage your AWS RDS database credentials.
09 Once the following confirmation message is displayed: "Your secret <secret-name> has been successfully stored.", click See sample code button to access the sample code that you can use to update your applications in order to retrieve the new secret.
10 Repeat steps no. 4 – 10 to create new Secrets Manager secrets to store and manage database credentials for your AWS RDS instances available in the current region.
11 Change the AWS region from the navigation bar and repeat the process for other regions.
01 Define the protected secret information required for the "SecretString" parameter. The secret information is a JSON structure of key/value pairs that AWS Secrets Manager service knows how to parse. Save the secret data to a JSON file named rds-db-credentials.json (replace the highlighted details, i.e. the RDS database instance access credentials, with your own database credentials):
{
"username": "<db-user-name>",
"password": "<db-password>",
"engine": "<db-engine-type>",
"host": "<rds-instance-name>.<aws-region>.rds.amazonaws.com",
"port": <db-port>,
"dbname": "<db-name>",
"dbInstanceIdentifier": "<rds-db-instance-name>"
}
02 Run create-secret command (OSX/Linux/UNIX) using the JSON file with the secret information created at the previous step (i.e. rds-db-credentials.json) as command parameter to create the new Amazon Secrets Manager secret that will store and manage your AWS RDS database credentials:
aws secretsmanager create-secret --region us-east-1 --name cc-rds-database-credentials --description "Provides access to MySQL production database" --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd --secret-string file://rds-db-credentials.json
03 The command output should return the new AWS Secrets Manager secret metadata:
{
"VersionId": "abcdabcd-1234-1234-1234-abcdabcdabcd",
"Name": "cc-rds-database-credentials",
"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cc-rds-database-credentials-ABCABC"
}
04 Repeat steps no. 1 – 3 to create new Secrets Manager secrets to store and manage database credentials for your AWS RDS instances available in the selected region.
05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s ChatUnlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
AWS Secrets Manager in Use for RDS Instances
Risk level: Medium