Automatically rotating passwords for users
With Amazon Secrets Manager, you can replace hardcoded credentials in your code (including passwords) with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure that the secret can't be compromised by someone examining your code, because the secret simply isn't there. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a schedule that you specify. This enables you to replace long-term secrets with short-term ones, which helps to significantly reduce the risk of compromise.
Using Secrets Manager, you can automatically rotate your ElastiCache (Redis OSS) passwords (that is, secrets) using an Amazon Lambda function that Secrets Manager provides.
For more information about Amazon Secrets Manager, see What is Amazon Secrets Manager?
How ElastiCache uses secrets
With Redis OSS 6, ElastiCache (Redis OSS) introduced Role-Based Access Control (RBAC) to secure the Redis OSS cluster. This feature allows certain connections to be limited in terms of the commands that can be executed and the keys that can be accessed. With RBAC alone, when a customer creates a user with passwords, the password values must be entered manually in plaintext and are visible to the operator.
With Secrets Manager, applications fetch the password from Secrets Manager rather than entering them manually and storing them in the application's configuration. For information on how to do this, see How ElastiCache users are associated with the secret.
There is a cost incurred for using secrets. For pricing information, see Amazon Secrets Manager Pricing.
How ElastiCache users are associated with the secret
Secrets Manager keeps a reference to the associated user in the secret's SecretString field. There is no reference to the secret on the ElastiCache side. The user_arn field is the bond between the secret and the user:

{
  "password": "strongpassword",
  "username": "user1",
  "user_arn": "arn:aws:elasticache:us-east-1:xxxxxxxxxx918:user:user1"
}
Lambda rotation function
To enable Secrets Manager automatic password rotation, you create a Lambda function that interacts with the modify-user API to update the user's passwords.
For information on how this works, see How rotation works.
Note

For some Amazon services, to avoid the confused deputy scenario, Amazon recommends that you use both the aws:SourceArn and aws:SourceAccount global condition keys. However, if you include the aws:SourceArn condition in your rotation function policy, the rotation function can only be used to rotate the secret specified by that ARN. We recommend that you include only the context key aws:SourceAccount so that you can use the rotation function for multiple secrets.
For any issues you may encounter, see Troubleshoot Amazon Secrets Manager rotation.
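The following Python module is an added illustration of what such a rotation function does; it is my own hypothetical code, not the Lambda template Amazon provides. It implements the four steps Secrets Manager invokes in order (createSecret, setSecret, testSecret, finishSecret) against two clients passed in as parameters. Assumptions: the in-memory FakeSecretsManager and FakeElastiCache classes stand in for the boto3 clients (in Lambda you would pass boto3.client("secretsmanager") and boto3.client("elasticache")); ResourceNotFoundException stands in for botocore's ClientError; the account id and secret ARN suffix are constructed placeholders; the user id is derived from the user_arn field stored in the secret; and the old password is kept as the user's second password until finishSecret so that clients still holding the AWSCURRENT value keep authenticating during the rollover.

```python
import json
import secrets
import string

# Hypothetical rotation handler, added for illustration; not Amazon's template.
# sm and ec would be boto3.client("secretsmanager") and boto3.client("elasticache")
# in Lambda; here they are the in-memory fakes defined below.

class ResourceNotFoundException(Exception):
    pass  # stands in for botocore's ClientError carrying that error code

def user_id_from_arn(user_arn):
    # arn:aws:elasticache:<region>:<account>:user:<user-id>; the user_arn in
    # the SecretString is the only link between the secret and the user.
    return user_arn.rsplit(":", 1)[1]

def rotate(event, sm, ec):
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "already current"          # this version finished rotating earlier
    if "AWSPENDING" not in stages.get(token, []):
        raise ValueError("version %s is not staged AWSPENDING on %s" % (token, arn))
    current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
    user_id = user_id_from_arn(current["user_arn"])
    if step == "createSecret":
        try:                              # idempotent: reuse a pending value if one exists
            sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        except ResourceNotFoundException:
            pwd = sm.get_random_password(PasswordLength=32, ExcludeCharacters="\"'\\/@")["RandomPassword"]
            sm.put_secret_value(SecretId=arn, ClientRequestToken=token, VersionStages=["AWSPENDING"],
                                SecretString=json.dumps(dict(current, password=pwd)))
    elif step == "setSecret":
        pending = json.loads(sm.get_secret_value(SecretId=arn, VersionId=token,
                                                 VersionStage="AWSPENDING")["SecretString"])
        # RBAC users hold up to two passwords: keep the old one until finishSecret
        # so clients still using the AWSCURRENT value keep authenticating.
        passwords = [pending["password"]] + ([current["password"]] if current.get("password") else [])
        ec.modify_user(UserId=user_id, Passwords=passwords)
    elif step == "testSecret":
        user = ec.describe_users(UserId=user_id)["Users"][0]
        if user["Status"] != "active":    # ModifyUser is asynchronous; raising makes Lambda retry
            raise RuntimeError("user %s is %s" % (user_id, user["Status"]))
    elif step == "finishSecret":
        old = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=old)
        new = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
        ec.modify_user(UserId=user_id, Passwords=[new["password"]])   # retire the old password
    else:
        raise ValueError("unknown step %s" % step)
    return step

class FakeSecretsManager:
    """In-memory stand-in for the boto3 client, constructed for this example."""
    def __init__(self, current):
        self.v = {"v0": {"value": json.dumps(current), "stages": ["AWSCURRENT"]}}
    def start_rotation(self, token):      # what the service does before invoking the Lambda
        self.v[token] = {"value": None, "stages": ["AWSPENDING"]}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(x["stages"]) for k, x in self.v.items()}}
    def get_secret_value(self, SecretId, VersionStage, VersionId=None):
        for vid, x in self.v.items():
            if VersionId in (None, vid) and VersionStage in x["stages"] and x["value"]:
                return {"SecretString": x["value"]}
        raise ResourceNotFoundException(SecretId)
    def get_random_password(self, PasswordLength, ExcludeCharacters=""):
        pool = [c for c in string.ascii_letters + string.digits + "!#$%&*+-=?^_" if c not in ExcludeCharacters]
        return {"RandomPassword": "".join(secrets.choice(pool) for _ in range(PasswordLength))}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.v[ClientRequestToken] = {"value": SecretString, "stages": list(VersionStages)}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.v[RemoveFromVersionId]["stages"].remove(VersionStage)
        self.v[MoveToVersionId]["stages"].append(VersionStage)

class FakeElastiCache:
    def __init__(self, user_id):
        self.user_id, self.calls = user_id, []   # calls: each Passwords list sent to ModifyUser
    def modify_user(self, UserId, Passwords):
        assert UserId == self.user_id
        self.calls.append(list(Passwords))
        return {"UserId": UserId, "Status": "modifying"}
    def describe_users(self, UserId):
        return {"Users": [{"UserId": UserId, "Status": "active"}]}

def run_rotation(sm, ec, token):
    """Drive all four steps for one new version; return the new AWSCURRENT secret."""
    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:production/ec/user1-AbCdEf"  # placeholder
    sm.start_rotation(token)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": secret_arn, "ClientRequestToken": token, "Step": step}, sm, ec)
    return json.loads(sm.get_secret_value(SecretId=secret_arn, VersionStage="AWSCURRENT")["SecretString"])

def demo():
    # Starts from a secret like the one created with create-secret above: no password yet.
    sm = FakeSecretsManager({"username": "user1", "user_arn": "arn:aws:elasticache:us-east-1:123456789012:user:user1"})
    ec = FakeElastiCache("user1")
    first, second = run_rotation(sm, ec, "v1")["password"], run_rotation(sm, ec, "v2")["password"]
    return first, second, ec.calls
```

Running demo() rotates twice. The first rotation sends ModifyUser a single password (the user was created with --no-password, so there is nothing to keep), while the second sends both the new and the old password in setSecret and only the new one in finishSecret, which is the overlap that keeps running clients connected while the secret's AWSCURRENT label moves.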
How to create an ElastiCache user and associate it with Secrets Manager
The following steps illustrate how to create a user and associate it with Secrets Manager:
Create an inactive user

The --no-password flag means no authentication is required for now; the access string begins with off, which disables the user until a password has been set.

For Linux, OS X, or Unix:

aws elasticache create-user \
    --user-id user1 \
    --user-name user1 \
    --engine "REDIS" \
    --no-password \
    --access-string "off +get ~keys*"
For Windows:

aws elasticache create-user ^
    --user-id user1 ^
    --user-name user1 ^
    --engine "REDIS" ^
    --no-password ^
    --access-string "off +get ~keys*"
You will see a response similar to the following:
{
  "UserId": "user1",
  "UserName": "user1",
  "Status": "active",
  "Engine": "redis",
  "AccessString": "off ~keys* -@all +get",
  "UserGroupIds": [],
  "Authentication": {
    "Type": "no_password"
  },
  "ARN": "arn:aws:elasticache:us-east-1:xxxxxxxxxx918:user:user1"
}
Create a Secret
For Linux, OS X, or Unix:
aws secretsmanager create-secret \
    --name production/ec/user1 \
    --secret-string \
    '{
      "user_arn": "arn:aws:elasticache:us-east-1:123456xxxx:user:user1",
      "username": "user1"
    }'
For Windows:
aws secretsmanager create-secret ^
    --name production/ec/user1 ^
    --secret-string ^
    '{
      "user_arn": "arn:aws:elasticache:us-east-1:123456xxxx:user:user1",
      "username": "user1"
    }'
You will see a response similar to the following:
{
  "ARN": "arn:aws:secretsmanager:us-east-1:123456xxxx:secret:production/ec/user1-eaFois",
  "Name": "production/ec/user1",
  "VersionId": "aae5b963-1e6b-4250-91c6-ebd6c47d0d95"
}
Configure a Lambda function to rotate your password
Sign in to the Amazon Web Services Management Console and open the Lambda console at https://console.aws.amazon.com/lambda/
Choose Functions on the navigation pane and then choose the function you created. Choose the function name, not the checkbox to its left.
Choose the Configuration tab.
In General configuration, choose Edit and then set Timeout to at least 12 minutes.
Choose Save.
Choose Environment variables and then set the following:
SECRETS_MANAGER_ENDPOINT – https://secretsmanager.REGION.amazonaws.com
SECRET_ARN – The Amazon Resource Name (ARN) of the secret you created in Step 2.
USER_NAME – Username of the ElastiCache user.
Choose Save.
Choose Permissions
Under Execution role, choose the name of the Lambda function role to view on the IAM console.
The Lambda function needs the following permissions to modify the user and set the password:
ElastiCache
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeUsers",
        "elasticache:ModifyUser"
      ],
      "Resource": "arn:aws:elasticache:us-east-1:xxxxxxxxxx918:user:user1"
    }
  ]
}
Secrets Manager
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:xxxxxxxxxxx:secret:XXXX"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetRandomPassword",
      "Resource": "*"
    }
  ]
}
Set up Secrets Manager secret rotation
Using the Amazon Web Services Management Console, see Set up automatic rotation for Amazon Secrets Manager secrets using the console.
For more information on setting up a rotation schedule, see Schedule expressions in Secrets Manager rotation.
Using the Amazon CLI, see Set up automatic rotation for Amazon Secrets Manager using the Amazon Command Line Interface.