Posted On: Dec 22, 2021

AWS Secrets Manager now transparently supports SSL connections when rotating database secrets for Amazon RDS MySQL, MariaDB, SQL Server, PostgreSQL, and MongoDB. You can now require SSL for every connection to these databases without first modifying the rotation Lambda functions that AWS Secrets Manager provides.

Secrets Manager has always supported SSL connections to databases, but customers were responsible for updating their rotation Lambda code to include the certificates needed for Amazon RDS, and for updating that code again whenever RDS certificates rotated. With this launch, the rotation Lambda code for all RDS databases (except Oracle) connects to the database over SSL by default for new rotations. All necessary certificates are built in and updated automatically.

For new secret rotations, no additional action is needed to benefit from this feature. Simply set up the rotation as explained in the Secrets Manager user guide. For existing rotations, you must upgrade your rotation Lambdas to the latest version. For more details on how to upgrade, see Enabling SSL for Existing Rotations.