AWS Secrets Manager and RDS Database: Troubleshooting Intermittent Sign-In Failures

How to Resolve Intermittent Sign-In Failures with AWS Secrets Manager and RDS Database

Question

An application deployed to EC2 is configured to use AWS Secrets Manager to rotate secrets for the RDS database.

The application experiences occasional intermittent sign-in failures. What options can resolve this issue? (SELECT TWO)

Answers

A. Implement exponential back-off in the application.
B. Use Single-User Rotation.
C. Use Multi-User Rotation.
D. Grant the service principal secretsmanager.amazonaws.com the IAM permission lambda:InvokeFunction.
E. Make sure the secret is not encrypted with KMS.

Explanations

Answer: A and C.

Option A is CORRECT because exponential back-off implements retry functionality in the application.

Option B is incorrect because the issues described in the question occur when Single-User Rotation is configured.

Option C is CORRECT because enabling multi-user rotation can solve this issue.

Option D is incorrect because the issue is not with permissions since it occurs intermittently.

Option E is incorrect because it does not help to resolve the intermittent sign-in issue.

When using "Single-User Rotation" mode in AWS Secrets Manager, Secrets Manager uses a single user to rotate its own credentials. Sign-in failures can occur between the moment when the old password is removed by the rotation and the moment when the updated password is made accessible as a new version of the secret.

This time window should be very short, but it can happen.

There are two ways to avoid this issue:

1. The application can implement retry with an exponential back-off strategy. Thus, the application would retry sign-in several times over a longer time period. A failure should be reported only after repeated sign-in failures.

2. Multi-User Rotation can be enabled. In this scenario, separate "master" user credentials are used for secret rotation.

The old version of the secret continues to operate and handle service requests while the new version is prepared and tested.

The old version isn't deleted until after the clients switch to the new version.

There's no downtime while changing between versions.
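The retry strategy from the first option, as an added example that is not part of the original page: a sign-in loop with full-jitter exponential back-off that re-reads the secret on every attempt, run against a constructed stand-in for the rotation window (the `RotationWindowSim` class, the `old-pw`/`new-pw` values and the `lag` parameter are assumptions made for the example, not Secrets Manager or RDS behaviour).

```python
import random
import time

class AuthError(Exception):
    """Raised when the database rejects the supplied credentials."""

def connect_with_retry(fetch_secret, connect, max_attempts=5, base=0.1,
                       cap=2.0, sleep=time.sleep, rng=random.random):
    """Sign in with full-jitter exponential back-off, re-reading the secret on
    every attempt so a password published mid-wait is picked up. Only after
    max_attempts consecutive AuthErrors is the failure surfaced."""
    delays = []
    for attempt in range(max_attempts):
        creds = fetch_secret()          # always read AWSCURRENT afresh
        try:
            return connect(creds), delays
        except AuthError:
            if attempt == max_attempts - 1:
                raise
            # full jitter: sleep a random amount in [0, min(cap, base * 2**attempt)]
            delay = rng() * min(cap, base * 2 ** attempt)
            delays.append(delay)
            sleep(delay)

class RotationWindowSim:
    """Constructed stand-in for Secrets Manager plus RDS mid single-user
    rotation: RDS already has the new password while AWSCURRENT still
    returns the old one for the first `lag` reads."""
    def __init__(self, lag):
        self.lag, self.reads = lag, 0
        self.db_password = "new-pw"     # constructed values throughout

    def fetch_secret(self):
        self.reads += 1
        stale = self.reads <= self.lag
        return {"username": "app", "password": "old-pw" if stale else "new-pw"}

    def connect(self, creds):
        if creds["password"] != self.db_password:
            raise AuthError("password authentication failed")
        return f"session for {creds['username']}"

def simulate(lag, max_attempts=5, rng=lambda: 1.0):
    """Drive the retry loop against the simulated window; no real sleeps,
    and rng=1.0 makes the delays deterministic (full cap of each step)."""
    sim = RotationWindowSim(lag)
    session, delays = connect_with_retry(
        sim.fetch_secret, sim.connect, max_attempts=max_attempts,
        sleep=lambda _: None, rng=rng)
    return {"session": session, "attempts": sim.reads, "delays": delays}
```

With `lag=2` the loop succeeds on the third read after two back-off sleeps; with a window longer than `max_attempts` reads the final `AuthError` propagates, which is the "report failure only after repeated failures" behaviour described above.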

Reference:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html

https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/

The issue of intermittent sign-in failures for an application deployed on EC2 and configured to use AWS Secrets Manager to rotate secrets for an RDS database could be caused by a number of factors. Here are the two most likely options that could resolve the issue:

  1. Implement Exponential Backoff in your application. Exponential backoff is a strategy that involves increasing the time between retries after each unsuccessful attempt to access a resource. This can help prevent overloading the RDS database with too many requests in a short period of time. By implementing exponential backoff in the application, it will wait for an increasing amount of time between each attempt, which can help alleviate intermittent sign-in failures.

  2. Use Multi-User Rotation. Multi-User Rotation is a feature of AWS Secrets Manager that allows for multiple users or applications to simultaneously access a secret. This is in contrast to Single-User Rotation, which allows only one user or application to access a secret at a time. If the application experiencing sign-in failures is being used by multiple users or applications, implementing Multi-User Rotation could help alleviate the issue by allowing multiple simultaneous access to the secret.

Other options in the list are less likely to resolve the issue:

  • Single-User Rotation: This option could actually exacerbate the issue if multiple users or applications are attempting to access the secret at the same time, since it only allows for one user at a time.
  • Grant service principal secretsmanager.amazonaws.com IAM permission lambda:InvokeFunction: This option would only be relevant if the application was using a Lambda function to access the secret, which is not mentioned in the question.
  • Make sure the secret is not encrypted with KMS: This option would only be relevant if the secret was encrypted with KMS, which is not mentioned in the question. Additionally, if the secret is not properly encrypted, the issue would likely manifest as a security concern rather than intermittent sign-in failures.