Attacks against databases are one of the main threats to data security. For ApsaraDB RDS, Secrets Manager allows you to configure dynamic ApsaraDB RDS secrets that are automatically rotated on a regular basis. This reduces the security threats faced by business data.
Architecture
After dynamic ApsaraDB RDS secrets are used, you do not need to configure static passwords of database accounts for your applications. You can create fully managed ApsaraDB RDS secrets and set the interval of automatic rotation in Secrets Manager. Then, your applications can call the GetSecretValue operation to obtain the account password to access the managed ApsaraDB RDS instance. The password is valid only before the next rotation.
After an ApsaraDB RDS secret is rotated, the database account and password of the RDS instance for which the secret is created are also updated. We recommend that you do not delete the RDS instance in this case. If you delete the instance, rotation of the secret may fail.
Limits
You can create dynamic ApsaraDB RDS secrets only for ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB, ApsaraDB RDS for SQL Server, and ApsaraDB RDS for PostgreSQL instances. Note that you cannot create the secrets for RDS instances that run SQL Server 2017 EE.