Eric Hammond @esh, 8 tweets
I'm starting to understand that it's "AWS Secrets Manager" not "AWS Secrets Store", and that the biggest part of that management seems to be the automated, transparent, reliable secret rotation. /1
Now that I can see a smooth path to regular secret rotation with AWS Secrets Manager, I'm starting to feel like I've been living in primitive times letting my database passwords sit at the same value for months (ok, years). /2
AWS Secrets Manager documentation shows an example of rotating a password every 10 days, but now that I've seen the light, I'm thinking, "Why not every hour?!" /3
In fact, why not rotate the secret using AWS Secrets Manager shortly after the longest time we expect it to take to use that secret? /4
If a database client is likely to take less than 30 seconds to connect to the server after requesting the password, we could rotate that secret every minute (using the two-user method described in the AWS Secrets Manager docs). /5
This moves in the direction of single-use secrets that are handed out when a client has been authorized with the current IAM permissions. /6
I can imagine that some third party services might not appreciate credential/token rotation requests at super-frequent rates. /7
The ideal would be to have every service authenticate clients/requests live with IAM directly, but until then, frequent secret rotation with AWS Secrets Manager seems worth investigating. /end
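The thread's "rotate every minute, connect within 30 seconds" argument rests on a property of the two-user (alternating-users) rotation strategy: each rotation changes the password of the *other* user, so the credentials a client already holds stay valid for one more rotation interval. The simulation below is an added example (not Eric Hammond's code and not the AWS rotation Lambda); the user names `app`/`app_clone` and the in-memory "database" are constructed stand-ins.

```python
"""Model of alternating-users ("two-user") secret rotation vs. single-user rotation.
Constructed simulation; the DB is a dict of username -> currently valid password."""
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Secret:
    username: str
    password: str
    version: int


class RotationSimulator:
    def __init__(self, two_user: bool = True, users=("app", "app_clone")):
        self.two_user = two_user
        self.users = users if two_user else (users[0],)
        self.db = {u: secrets.token_urlsafe(16) for u in self.users}  # stand-in DB
        self.active = 0   # index of the user whose credentials are "current"
        self.version = 0  # counts rotations, like a secret version history

    def current_secret(self) -> Secret:
        u = self.users[self.active]
        return Secret(u, self.db[u], self.version)

    def rotate(self) -> Secret:
        """Two-user: set a fresh password on the standby user and promote it, leaving
        the previously current credentials intact. Single-user: overwrite in place."""
        target = (1 - self.active) if self.two_user else self.active
        self.db[self.users[target]] = secrets.token_urlsafe(16)
        self.active = target
        self.version += 1
        return self.current_secret()

    def authenticate(self, s: Secret) -> bool:
        return self.db.get(s.username) == s.password


def connect_after_rotations(sim: RotationSimulator, rotations: int) -> bool:
    """Client fetches the secret, then `rotations` rotations happen before it connects."""
    held = sim.current_secret()
    for _ in range(rotations):
        sim.rotate()
    return sim.authenticate(held)


def worst_case_rotations(connect_seconds: float, interval_seconds: float) -> int:
    """Most rotation boundaries a fetch-then-connect window of this length can span."""
    return math.ceil(connect_seconds / interval_seconds)
```

With a 60-second interval and a 30-second connect window, `worst_case_rotations` is 1, which the two-user model tolerates and the single-user model does not; a client that caches a secret across more than one interval must refetch on authentication failure.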