This lab is currently in Beta; content may be updated as we refine the material.
Lab (Intermediate)

Secrets Manager Rotation Pattern

Configure managed rotation for an RDS secret in AWS Secrets Manager, invoke an on-demand rotation, and trace the multi-version lifecycle.

45 minutes
aws/devops

Lab Overview

Automatic secret rotation is a cornerstone of DevOps security posture. Instead of manual credential rotation (which is error-prone and often skipped), Secrets Manager can invoke a Lambda function on a schedule to rotate credentials without downtime.

In this lab you'll act as the security engineer for a production RDS deployment. You will:

  • Create a database secret in Secrets Manager with a realistic JSON structure (username, password, host, port, dbname)
  • Author a Python-based rotation Lambda function that implements the four-step rotation lifecycle (createSecret, setSecret, testSecret, finishSecret)
  • Create the IAM execution role that allows Secrets Manager to invoke the rotation Lambda
  • Enable managed rotation on a 30-day schedule, then trigger an immediate rotation on demand
  • Retrieve the secret at AWSCURRENT, AWSPENDING, and AWSPREVIOUS version stages to prove rotation actually cycled the credential
  • Document the rotation pattern, Lambda anatomy, and version lifecycle for your operations runbook

No RDS instance is provisioned. The rotation Lambda updates the secret value itself, simulating the full lifecycle so you can focus on the Secrets Manager mechanics without database overhead.

What You'll Learn

Create an RDS-style database secret in AWS Secrets Manager with proper JSON structure and tags

Write a Python Lambda function that implements the four-step rotation lifecycle

Craft an IAM execution role with the minimum permissions required for managed rotation

Enable automatic rotation on a schedule and trigger an immediate on-demand rotation

Retrieve and compare AWSCURRENT, AWSPENDING, and AWSPREVIOUS secret versions

Document the rotation pattern, Lambda anatomy, and version lifecycle for operational runbooks

Prerequisites

Basic AWS CLI familiarity

AWS associate-level knowledge

Completed the AWS DevOps CLI Operations Baseline lab

Technologies Covered

aws, secrets-manager, rotation, lambda, iam, security, dop-c02

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course


Choose your plan

Simple, Transparent Pricing

Unlock full access to TeKanAid courses, labs, and bootcamps


Pro

Course content without labs

$59/month

Renews automatically. Cancel anytime.

Final price verified at checkout.

  • Full access to all courses
  • Progress tracking
  • Certificate of completion
  • Community access
  • Bootcamp participation
  • New content access
Premium (Recommended)

Full access with hands-on labs

$99/month

Renews automatically. Cancel anytime.

Final price verified at checkout.

  • Everything in Pro
  • Unlimited hands-on labs
  • Lab AI Assistant
  • Accelerator bootcamps with live office hours
  • Priority support

Prefer a single course?

Purchase individual courses for a one-time fee of $79. Full access to course content, quizzes, certificates, and community features; lab access is not included.


Try it free, no credit card

Three free ways to start. All bridge into the paid Premium catalog when you're ready.

Not ready to commit? The crash course is email-only. No academy account required.

Ready to Get Started?

Start this hands-on lab and build real-world Platform Engineering skills
