We have an on-premise service that we want to move to AWS.

I'm investigating the possibility of moving it, and I'm unsure about password rotation and storage. I know that Secrets Manager can be used with RDS quite well, but I'm unsure how suitable it is for DocumentDB.

When setting up a new DocumentDB cluster (using CF templates), it requires a master username and password. What would be the best approach to generating the password for this CF template? Could it be done using a secretsmanager:GetRandomPassword or is that bad practice?

Crackers91

2 Answers

2

If you have used Secrets Manager with RDS, it should suit you well with DocumentDB as well. While Secrets Manager doesn't claim to support DocumentDB, they do have rotation lambda code for MongoDB[1]. Given that DocumentDB uses the same authentication protocol as MongoDB (SCRAM-SHA-1), theoretically you should be able to use the Secrets Manager MongoDB lambda worker as is.

[1] https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerMongoDBRotationSingleUser/lambda_function.py

  • Thanks, I'll look into that approach soon. I checked with some other teams and we're going with Dynamo instead as DocumentDB is too new to pass some of the requirements here – Crackers91 Feb 27 '19 at 10:08
  • AWS Secrets Manager now supports native integration with Amazon DocumentDB: https://aws.amazon.com/blogs/security/how-to-rotate-amazon-documentdb-and-amazon-redshift-credentials-in-aws-secrets-manager/ – Joseph Idziorek Mar 20 '19 at 13:47
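The following CloudFormation template is an added example, not code from either post or from AWS's sample repository. It shows the pattern the question asks about (generating the master password in Secrets Manager rather than passing it as a template parameter) together with the rotation the answer describes: the secret is created with `GenerateSecretString`, the DocumentDB cluster reads it through a `{{resolve:secretsmanager:...}}` dynamic reference so the password never appears in the template or in stack parameters, a `SecretTargetAttachment` writes the cluster endpoint into the secret, and a `RotationSchedule` uses the hosted `MongoDBSingleUser` rotation function. All resource names, the `docdbadmin` username, the 30-day interval and the three VPC parameters are assumptions chosen for this example; `ExcludeCharacters` is set to the characters DocumentDB rejects in a master password (`/`, `"` and `@`).

```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Transform required when using HostedRotationLambda.
Transform: AWS::SecretsManager-2020-07-23
Description: Example (not from the original posts): DocumentDB master credentials
  generated and rotated by Secrets Manager.

Parameters:
  # Networking values are placeholders; supply your own at deploy time.
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  DocDbSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  # 1. Generate the master password inside Secrets Manager. Only the
  #    username is fixed; the password is random and never leaves the service
  #    in plaintext except via a resolved dynamic reference.
  DocDbMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the example DocumentDB cluster
      GenerateSecretString:
        SecretStringTemplate: '{"username": "docdbadmin"}'   # assumed username
        GenerateStringKey: password
        PasswordLength: 32
        # DocumentDB master passwords may not contain / " or @ ; backslash is
        # excluded as well to avoid escaping issues in connection strings.
        ExcludeCharacters: '"@/\'

  DocDbSubnetGroup:
    Type: AWS::DocDB::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets for the example DocumentDB cluster
      SubnetIds: !Ref PrivateSubnetIds

  # 2. The cluster pulls username and password from the secret at deploy
  #    time, so neither value is a stack parameter or a template literal.
  DocDbCluster:
    Type: AWS::DocDB::DBCluster
    Properties:
      DBSubnetGroupName: !Ref DocDbSubnetGroup
      VpcSecurityGroupIds:
        - !Ref DocDbSecurityGroupId
      MasterUsername: !Sub '{{resolve:secretsmanager:${DocDbMasterSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DocDbMasterSecret}:SecretString:password}}'
      StorageEncrypted: true

  # 3. Attach the secret to the cluster. This adds host/port/dbClusterIdentifier
  #    to the secret JSON, which the rotation function needs to connect.
  DocDbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DocDbMasterSecret
      TargetId: !Ref DocDbCluster
      TargetType: AWS::DocDB::DBCluster

  # 4. Rotate with the hosted MongoDB single-user function, the same logic as
  #    the sample lambda linked in the answer. The function runs inside the
  #    VPC so it can reach the cluster; a security group that allows port
  #    27017 from these subnets is assumed.
  DocDbSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: DocDbSecretAttachment
    Properties:
      SecretId: !Ref DocDbMasterSecret
      HostedRotationLambda:
        RotationType: MongoDBSingleUser
        RotationLambdaName: example-docdb-rotation   # assumed function name
        VpcSecurityGroupIds: !Ref DocDbSecurityGroupId
        VpcSubnetIds: !Join [',', !Ref PrivateSubnetIds]
      RotationRules:
        AutomaticallyAfterDays: 30   # assumed interval

Outputs:
  SecretArn:
    Description: Applications read credentials from this ARN, never from stack outputs.
    Value: !Ref DocDbMasterSecret
```

Two points worth checking after deployment: the single-user strategy changes the master password in place, so clients that cache the old password will fail to authenticate until they re-read the secret (Secrets Manager keeps the previous version under the `AWSPREVIOUS` staging label during the overlap); and CloudTrail records every `GetSecretValue` call, which gives a straightforward detection for unexpected readers of the master credential.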
0

AWS Secrets Manager now supports native integration with Amazon DocumentDB: https://aws.amazon.com/blogs/security/how-to-rotate-amazon-documentdb-and-amazon-redshift-credentials-in-aws-secrets-manager/

Joseph Idziorek
  • Did anybody manage to set this up for a non-privileged DocumentDB user? I created a role with "changeOwnPassword" privileges and assigned it to the user, but he still can't change his own password, thus the lambda function for password rotation also just fails all the time. It's 3.6 (engine 1.0.207836). – fiction Jan 11 '22 at 11:43