Attacks against databases are one of the main threats to data security. For ApsaraDB RDS, Secrets Manager allows you to configure dynamic ApsaraDB RDS secrets that are automatically rotated on a regular basis. This reduces the security threats faced by business data.

Architecture

After dynamic ApsaraDB RDS secrets are used, you do not need to configure static passwords of database accounts for your applications. You can create fully managed ApsaraDB RDS secrets and set the interval of automatic rotation in Secrets Manager. Then, your applications can call the GetSecretValue operation to obtain the account password to access the managed ApsaraDB RDS instance. The password is valid only before the next rotation.

After an ApsaraDB RDS secret is rotated, the database account and password of the RDS instance for which the secret is created are also updated. We recommend that you do not delete the RDS instance in this case. If you delete the instance, rotation of the secret may fail.

RDS

Limits

You can create dynamic ApsaraDB RDS secrets only for ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB TX, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL instances. Note that you cannot create the secrets for RDS instances that run SQL Server 2017 EE.

Use dynamic ApsaraDB RDS secrets

  1. Create a dynamic ApsaraDB RDS secret
  2. Monitor the rotation of dynamic ApsaraDB RDS secrets
  3. Allow applications to access Secrets Manager