Hey everyone! I recently set up an RDS instance for MSSQL Server and used Secret Manager to store the master credentials. Now, I'm looking to tighten access to that secret so only a few selected DB admins can access it while keeping others out.
I know how to modify the secret's access policy, but I'm unsure if I need to ensure that the RDS service can still access it. If I restrict access to everyone except a few specific users or a role, will it affect RDS's functionality in any way? Specifically, will it impact its ability to run core automated tasks like backups, snapshots, or parameter management? Just to clarify, we don't have automatic secret rotation on for now, so I'm not worried about that. Any insights would be greatly appreciated! Thanks!
3 Answers
It's generally advisable to give access to roles or services rather than individuals. This approach not only simplifies management but also enhances security. Just make sure the DB admins have reliable access to the DB. How do you expect them to handle changes without access?
From what I gather, RDS itself doesn't need to read the secret directly. It might be safe to limit access as you're planning. However, I'd suggest testing it out in a sandbox environment first. Spin up a small RDS instance, tighten the secret permissions, and see if everything holds up as expected. Better safe than sorry!
Consider using IAM authentication instead! This way, every user will have temporary access that rotates automatically. Check out the AWS blog for a guide on setting it up with RDS Proxy. It's a pretty solid approach for securing your database access.
Good point! I'll definitely consider role-based access instead of individual users.