This step sets up the password that your Lambda function will rotate later. You’re basically creating the “starting point” for your rotation system.
- Go to the AWS Console
- Search for Secrets Manager
- Open it
This starts the secret creation wizard.
You’re not storing RDS credentials — just a simple key/value pair.
In the key/value section:
- Key:
password - Value:
Admin@1234
This is your initial password. Lambda will replace it later.
Leave the default:
- aws/secretsmanager (default AWS-managed KMS key)
This is perfect for a beginner project.
Use:
MyApp/DB-Password
This is clean, structured, and easy to reference in Lambda.
Click Next → Next → Store Your secret is now created.
- Reading the current password from Secrets Manager
- Generating a new password
- Updating the secret with the new value
- Search for Lambda
- Click Create function
Fill in the details:
- Function name:
RotatePasswordFunction - Runtime: Python (recent version)
- Architecture: x86_64
- Permissions: Leave default (we’ll modify later)
Click Create function.
We will replace it in the next step.
You should now see:
- Function name at the top
- Code editor
- Configuration tabs
- Read the current secret
- Update the secret with a new password
- Decrypt the secret using KMS
Without these, the rotation will fail.
-
In the AWS Console, search for IAM
-
Click Roles
-
Find the role created for your Lambda
- It will look like: RotatePasswordFunction-role-xxxx
Click it.
- Add Secrets Manager permissions
- Go to IAM → Roles
- Search for the role created for your Lambda:
RotatePasswordFunction-role-xxxx- Open it and search for
- SecretsManagerReadWrite
- Check the box next to “SecretsManagerReadWrite"
- click the button "Add permissions"
The policy is now attached to your Lambda execution role
- Add KMS decrypt permission
- Go to IAM → Roles
- Search for the role created for your Lambda:
RotatePasswordFunction-role-xxxx- Scroll to the “Permissions” tab
- Click “Add permissions” → “Create inline policy”
Choose the JSON tab and paste this
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
Click “Next” → Name the policy as "KMSDecryptForRotation" and save.
- Secrets Manager read/write
- KMS decrypt
- Basic Lambda execution permissions
- Connects to AWS Secrets Manager
- Fetch the current password
- Generate a new random password
- Update the secret in Secrets Manager
- Go to Lambda
- Select your function: RotatePasswordFunction
import boto3
import string
import random
secrets_client = boto3.client('secretsmanager')
def generate_password(length=12):
characters = string.ascii_letters + string.digits + "!@#$%^&*"
return ''.join(random.choice(characters) for _ in range(length))
def lambda_handler(event, context):
secret_name = "MyApp/DBPassword"
# Get current secret value
current_secret = secrets_client.get_secret_value(SecretId=secret_name)
# Generate new password
new_password = generate_password()
# Update the secret with new password
secrets_client.put_secret_value(
SecretId=secret_name,
SecretString=f'{{"password": "{new_password}"}}'
)
return {
"status": "success",
"new_password": new_password
}- Your Lambda is now ready to rotate the password.
- Read the existing secret
- Generate a new password
- Update the secret in Secrets Manager
You’ll run it manually once to confirm everything works.
- Go to: Lambda → RotatePasswordFunction
- Click the “Test” tab
- Click Create new event
- Event name:
TestRotation - Leave the JSON as default:
{}
- Save
- Lambda will run immediately.
- Execution status: Succeeded
- In the output, you’ll see something like:
{
"status": "success",
"new_password": "A1b2C3!..."
}
- Go to Secrets Manager
- Open MyApp/DBPassword
- Click Retrieve secret value
- You should see a new password instead of
InitialPass123!
That confirms your rotation logic works end‑to‑end.
Right now, your Lambda rotates the password only when you manually run it. If you want the system to rotate passwords automatically (for example, every 30 days), you can add an EventBridge rule.
- Go to Amazon EventBridge and select EventBridge Schedule
- click Create Schedule
- Specify schedule detail
- Name:
RotatePasswordSchedule - Schedule pattern: Recurring schedule
- Schedule type:Cron-based schedule
- Name:
- Cron expression
Examples:
- Rotate every day at midnight
0 0 * * ? * - Rotate every 30 days (recommended for demo)
0 0 1 * ? * - But for simplicity, just use
cron(0/5 * * * ? *)for now (Rotates every 5 minutes)
- Rotate every day at midnight
- Set flexible time window to 5 min ( It lets AWS delay the execution of your scheduled task by a few minutes — intentionally. If your cron is set to run at 8:00 PM, and you choose a 5-minute window, AWS may run it anytime between 8:00 PM and 8:05 PM. This helps AWS balance load across millions of schedules )
- Click Next
- Target type: Lambda function
- Function: RotatePasswordFunction
- Now your Lambda will run automatically based on the schedule you set
- Built an automated password‑rotation system using AWS Secrets Manager, Lambda, and EventBridge.
- Wrote a Python Lambda function to generate and update secrets securely.
- Applied least‑privilege IAM permissions, including SecretsManagerReadWrite and kms:Decrypt.
- Scheduled automatic rotations using cron rules and validated end‑to‑end execution.
- Strengthened skills in serverless automation, KMS encryption, and cloud troubleshooting.