问题
We have a on-premise service that we want to move to AWS.
I'm investigating the possibility of moving it, and I'm unsure about password rotation and storage. I know that Secrets Manager can be used with RDS quite well, but I'm unsure how suitable it is for DocumentDB
When setting up a new DocumentDB cluster (using CF templates), it requires a master username and password. What would be the best approach to generating the password for this CF template? Could it be done using a secretsmanager:GetRandomPassword or is that bad practice?
回答1:
If you have used Secrets Manager with RDS, it should suit you wll with DocumentDB as well. While Secret Manager doesn't claim to support DocumentDB, they do have rotation lambda code for MongoDB[1]. Given that DocumentDB uses the same authentication protocol as MongoDB (SCRAM-SHA-1), theoretically you should be able to use the secret manager MongoDB lambda worker as is.
[1] https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerMongoDBRotationSingleUser/lambda_function.py
回答2:
AWS Secrets Manager now supports native integration with Amazon DocumentDB: https://aws.amazon.com/blogs/security/how-to-rotate-amazon-documentdb-and-amazon-redshift-credentials-in-aws-secrets-manager/
来源:https://stackoverflow.com/questions/54583161/password-rotation-on-aws-documentdb