-1

Is it good to have a password for the database which is generated by Secrets Manager?

I am using it this way now.

Type: 'AWS::SecretsManager::Secret'
Properties:
  Description: 'Description'
  GenerateSecretString:
    SecretStringTemplate: '{"username": "username"}'
    GenerateStringKey: 'password'
    PasswordLength: 40
    ExcludeCharacters: '"@/\'

What are the best practices? Do I need a separate Secrets Manager for every RDS? What about storing other values in Secrets Manager? Do I need one per application?

Emma W.

2 Answers

1

Yes, storing database passwords in Secrets Manager is a recommended practice in the AWS Secrets Manager User Guide.

You can create multiple secrets and then access them by the secret's name or ARN.

The biggest advantage of doing this is that you can rotate your DB passwords regularly.

You can read more at Best practices for AWS Secrets Manager.

Aman B
0

Yes, it is good to have rotational DB credentials managed by AWS Secrets Manager. It improves the security of your application. Your DB credentials are no longer stored in your project configuration. Secrets Manager takes care of this for you.

To understand the entire operation and best practices, read this documentation from Amazon: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

Option 2: If you just want to keep your DB credentials out of your project configuration and don't want to automatically rotate secrets, you can create a simple secret in AWS Secrets Manager to store your application DB credentials and then use the read/get secret AWS SDK APIs (based on your app's programming language) to get the DB secrets at runtime in your application to connect to the database.

Suriyakanth
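The runtime retrieval described in Option 2 of the second answer, as an added example that is not part of either answer: a small credential provider that reads the secret through the SDK's `get_secret_value` call, caches it briefly, and refetches after a rotation. It assumes the secret JSON has the `username` and `password` keys produced by the template in the question; the class names, the secret name in the comment, and the stub client are hypothetical and constructed for the example.

```python
import json
import time


class DbCredentials:
    """Fetches and caches the DB secret; refetches after the TTL or invalidate()."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        # Real use (assumed secret name): DbCredentials(
        #     boto3.client("secretsmanager"), "example/db-secret")
        self._client = client
        self._secret_id = secret_id      # secret name or ARN
        self._ttl = ttl_seconds
        self._clock = clock
        self._cached = None
        self._expires = 0.0

    def get(self):
        """Return (username, password), calling Secrets Manager only when stale."""
        if self._cached is None or self._clock() >= self._expires:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            raw = resp.get("SecretString")
            if raw is None:
                raise ValueError("secret has no SecretString (binary secret?)")
            data = json.loads(raw)
            missing = {"username", "password"} - data.keys()
            if missing:
                # Name the missing keys only; never put secret values in errors or logs.
                raise ValueError(f"secret is missing keys: {sorted(missing)}")
            self._cached = (data["username"], data["password"])
            self._expires = self._clock() + self._ttl
        return self._cached

    def invalidate(self):
        """Call after a DB authentication failure: the password may have rotated."""
        self._cached = None


class StubSecretsClient:
    """Constructed stand-in for the AWS client so the example runs offline."""

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}
```

With rotation enabled, call `invalidate()` when the database rejects a login and retry once with the fresh value, so a rotated password does not require an application restart.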