Amazon Elasticache User Credentials Rotation using AWS Secrets Manager

Overview

Managing sensitive data securely in today’s dynamic cloud environments is paramount, especially regarding databases and caching systems like Amazon ElastiCache. In this blog post, we delve into the essential practice of user credentials rotation for Amazon ElastiCache instances using AWS Secrets Manager. We explore the significance of regular credential rotation as a fundamental security measure and demonstrate how AWS Secrets Manager simplifies and automates the process, ensuring security posture while maintaining operational efficiency within AWS environments.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Introduction

In cloud computing, security remains paramount, especially for sensitive data stored in caching systems like Amazon ElastiCache. Regular user credential rotation is crucial for mitigating cybersecurity risks, yet it is often complex and time-intensive. However, AWS Secrets Manager revolutionizes this process by offering a centralized solution for automating credential rotation within AWS environments.

Prerequisites

To enable user credential rotation in Amazon Elasticache, these are the following requisites:

Amazon Elasticache server should be up and running.
One user group should be created and attached to the Amazon Elasticache server.
The user should be created (the one’s credentials we want to rotate) and attached to the user group.

Step-by-Step Guide

These are the steps that need to be followed:

Create a secret for Amazon Elasticache user with the following format [1]:

{
  "username": "<username>", 
  "password": "<password>", 
  "user_arn": "<user_arn>"
}

{

"username": "<username>",

"password": "<password>",

"user_arn": "<user_arn>"

}

Do not enable the rotation now. We will enable it once we setup the AWS Lambda functions.

2. We will now deploy the AWS Lambda function for rotation [3]:

Create a policy for the AWS Lambda function execution role [2].

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticache:DescribeUsers",
                "elasticache:ModifyUser"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetRandomPassword",
            "Resource": "*"
        }
    ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"elasticache:DescribeUsers",

"elasticache:ModifyUser"

"Resource": "*"

{

"Effect": "Allow",

"Action": [

"secretsmanager:GetSecretValue",

"secretsmanager:DescribeSecret",

"secretsmanager:PutSecretValue",

"secretsmanager:UpdateSecretVersionStage"

"Resource": "*"

{

"Effect": "Allow",

"Action": "secretsmanager:GetRandomPassword",

"Resource": "*"

}

]

}

Create a role for the AWS Lambda function using the trust policy. Also, attach the basic AWS Lambda execution policy to this role to push Amazon CloudWatch logs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"Service": "lambda.amazonaws.com"

"Action": "sts:AssumeRole"

}

]

}

step3

Now, deploy an AWS Lambda function with the following configuration:

Runtime: Python 3.12

Timeout: 12 Min

Environment Variables:

SECRETS_MANAGER_ENDPOINT: https://secretsmanager.ap-south-1.amazonaws.com
SECRET_ARN: Secret Manager ARN
USER_NAME: Elasticache Username

Resource based policy [4] to give secrets manager (secretsmanager.amazonaws.com) permission to invoke (lambda:InvokeFunction) lambda function.

Code: Take the code from [5]

3. Go back to AWS Secrets Manager -> Rotation and enable the rotation. Choose the newly created AWS Lambda function as a rotation function. Choose the rotation schedule that fits your needs.

step3b

Test

Click “Rotate secret immediately” on the AWS Secret Manager -> rotation console. After some time, you can see that a new version of the secret has been created.

step4

You can also view the Amazon CloudWatch logs for the AWS Lambda function for any errors/issues.

Conclusion

Adopting automated user credentials rotation using AWS Secrets Manager presents a pivotal step forward in fortifying the security posture of Amazon ElastiCache instances within AWS environments. By embracing best practices and leveraging cloud-native solutions, organizations can effectively mitigate the risks associated with credential exposure while optimizing operational efficiency.

As cybersecurity threats evolve, proactive measures such as regular credential rotation are indispensable pillars of a robust defense strategy. Through the insights gained in this exploration, businesses can embark on a journey towards enhanced resilience, confident in their ability to safeguard critical data and maintain compliance standards in the dynamic landscape of cloud computing.

Drop a query if you have any questions regarding AWS Secrets Manager and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. Why is user credentials rotation important for Amazon ElastiCache?

ANS: – User credentials rotation is crucial for enhancing security by reducing the risk of unauthorized access to sensitive data stored in Amazon ElastiCache instances. Regular rotation helps mitigate the impact of potential credential exposure due to security breaches or insider threats.

2. What are the challenges associated with manual credential rotation?

ANS: – Manual credential rotation can be time-consuming, error-prone, and disruptive to operations. Coordinating rotation schedules across multiple instances and ensuring consistency in the process poses significant challenges for IT teams.

3. What are the benefits of using AWS Secrets Manager for credential rotation?

ANS: – By leveraging AWS Secrets Manager, organizations can automate the entire credential rotation process, ensuring timely updates and minimizing the risk of security breaches. Additionally, AWS Secrets Manager enhances audibility and compliance by maintaining a detailed history of credential changes.

WRITTEN BY Avinash Kumar

Avinash Kumar is a Senior Research Associate at CloudThat, specializing in Cloud Engineering, NodeJS development, and Google Cloud Platform. With his skills, he creates innovative solutions that meet the complex needs of today's digital landscape. He's dedicated to staying at the forefront of emerging cloud technologies.