AWS Database Blog

Improve Amazon Timestream for InfluxDB security posture by automating rotation for long-lived credentials

In this post, we walk you through how to make your Amazon Timestream for InfluxDB deployments more secure by offering a mechanism to automatically rotate long-lived credentials. We use AWS Secrets Manager to store your tokens and user credentials as secrets and rotate the secrets using the included AWS Lambda functions. Timestream for InfluxDB only provides long-lived credentials without support for expiration or configurable time limits, which can pose a security risk if they become exposed. To learn more about Timestream for InfluxDB and secrets, see How Amazon Timestream for InfluxDB uses secrets.

Secrets Manager is a secret storage service that you can use to protect your Timestream for InfluxDB credentials. When you store credentials in a secret, you can replace hard-coded credentials with an API call to Secrets Manager. This reduces the risk of credentials accidentally being exposed. Secrets Manager supports rotating secrets by way of Lambda functions.

You can rotate Timestream for InfluxDB users and tokens by creating a new secret and using either the InfluxDB single- or multi-user secret rotation Lambda functions. Secret rotation for your database credentials is a security best practice defined in the Identity Management section of the AWS Well-Architected framework. When you rotate secrets with Secrets Manager, exposed credentials are only valid until another secret rotation occurs, limiting the credentials’ usability for malicious actors.

Follow along with this post to learn how to rotate long-lived credentials for your Timestream for InfluxDB instance. You can find the required Lambda function code on the Github repo to begin building your own automated secret rotation solution for your Timestream for InfluxDB users and tokens.

Solution overview

When you create a new Timestream for InfluxDB instance, an admin secret is automatically created with the admin user credentials in Secrets Manager. By default, this secret doesn’t have rotation enabled, and you can rotate the secret with the InfluxDB single-user secret rotation Lambda function.

The InfluxDB single-user secret rotation Lambda function rotates user credentials by authenticating the user defined in the secret and updating the password with a new random password.

The InfluxDB multi-user secret rotation Lambda function can rotate a token by creating a new permission identical token and automatically replacing the old token. The multi-user rotator can rotate an existing token in the Timestream for InfluxDB instance, or create a new token when the AUTHENTICATION_CREATION_ENABLED environment variable is set to true in the Lambda function.

The following diagram illustrates the architecture used for rotating secrets with Secrets Manager and the single- or multi-user secrets rotation Lambda functions.

Solution architecture

Prerequisites

Before you deploy the solution, complete the following steps:

  1. Create a Timestream for InfluxDB instance. The secret rotation functions require a Timestream for InfluxDB instance to rotate credentials. Refer to Run and manage open source InfluxDB databases with Amazon Timestream to create a new instance if needed.
  2. When the Timestream for InfluxDB instance is available, choose your instance on the Amazon Timestream management console and take note of the authentication properties Secrets Manager Amazon Resource Name (ARN) and DB instance identifier; you will need these values to configure your secret rotation functions. To locate an admin secret for a Timestream for InfluxDB instance, use the authentication properties Secrets Manager ARN from the Timestream for InfluxDB instance summary page.
  3. To build the deployment, clone the secret rotation GitHub repository. Use the single-user function for rotating user credentials, and the multi-user function for rotating token credentials.
  4. Open your preferred terminal and navigate to the SecretsManagerInfluxDBRotationMultiUser directory for the multi-user function, or the SecretsManagerInfluxDBRotationSingleUser directory for the single-user function.
  5. For macOS or Linux, complete the following steps:
    1. Create a temporary directory for the application code and dependencies with the following command:
      mkdir tmp-influxdb-deployment-lambda
    2. Install the required dependencies into the temporary directory with the following command:
      pip3 install influxdb-client boto3 -t ./tmp-influxdb-deployment-lambda
    3. Copy the Lambda code into the temporary directory with the following command:
      cp ./lambda_function.py ./tmp-influxdb-deployment-lambda/
    4. Zip the contents of the temporary directory for uploading to Lambda with the following command:
      zip -r ./influxdb-secret-rotation-lambda.zip ./tmp-influxdb-deployment-lambda/*
    5. Clean up by deleting the temporary directory with the following command:
      rm -rf tmp-influxdb-deployment-lambda
    6. Make the deployment package executable with the following command:
      sudo chmod +x influxdb-secret-rotation-lambda.zip

    The deployment is now ready with the name influxdb-secret-rotation-lambda.zip for uploading as a Lambda function.

  6. For Windows, complete the following steps using Windows PowerShell prompt:
    1. Create a temporary directory for the application code and dependencies with the following command:
      mkdir tmp-influxdb-deployment-lambda
    2. Install the required dependencies into the temporary directory with the following command:
      pip3 install influxdb-client boto3 -t .\tmp-influxdb-deployment-lambda --no-user
    3. Copy the Lambda code into the temporary directory with the following command:
      copy .\lambda_function.py .\tmp-influxdb-deployment-lambda
    4. Zip the contents of the temporary directory for uploading to Lambda with the following command:
      Compress-Archive -Path .\tmp-influxdb-deployment-lambda\* -DestinationPath .\influxdb-secret-rotation-lambda.zip -CompressionLevel Optimal -Force
    5. Clean up by deleting the temporary directory with the following command:
      Remove-Item -Path .\tmp-influxdb-deployment-lambda -Force -Recurse

The build script creates a file with the name influxdb-secret-rotation-lambda.zip. Use this file to create a Lambda function in the following sections.

Deploy the Lambda function

Complete the steps in this section to deploy the Lambda function to rotate your secrets.

Create the Lambda function

To create your Lambda function, complete the following steps:

  1. On the Lambda console, choose Functions in the navigation pane.
  2. Choose Create function, and select Author from scratch.
  3. For Function name, enter a name for your function.
  4. For Runtime, choose Python 3.12.
  5. Choose Create function.

Lambda function creation

Upload the deployment package

Complete the following steps to upload the deployment package:

  1. On the function overview page of the Lambda function, choose Code.
  2. Choose Upload from and select .zip
  3. Choose Upload and choose the influxdb-secret-rotation-lambda.zip deployment package that was created by the build script in the previous section.
  4. Choose Save.

Configure environment variables for the Lambda function

Complete the following steps:

  1. On the function overview page of the Lambda function, choose Configuration.
  2. Choose Environment Variables and choose Edit.
  3. Choose Add environment variable.
  4. Enter SECRETS_MANAGER_ENDPOINT for the key value.
  5. Enter https://secretsmanager.{region}.amazonaws.com and replace {region} with the same AWS Region where you created the Lambda function.
  6. Choose Save.

If you are deploying the multi-user function, you can create non-operator tokens by leaving the token value blank in the secret. To enable this feature, add the following environment variable.

  1. Choose Add environment variable.
  2. Enter AUTHENTICATION_CREATION_ENABLED for the key and true for the value.
  3. Choose Save.

Configure environment variables

Configure the Lambda function role

Complete the following steps to configure the AWS Identity and Access Management (IAM) role for the Lambda function:

  1. In the Configuration section of the function overview page, choose Permissions.
  2. Under Execution role, choose the link to the Lambda role name to view the role on the IAM console.
  3. Under Permissions policies, choose Add permissions and Create inline policy.
  4. For Policy editor, choose JSON.
  5. Replace the JSON in the text editor with either the multi-user secret rotation policy or the single-user secret rotation policy.

Use the following IAM policy as the role for the multi-user Lambda function. The policy gives the Lambda function the required permissions to perform a secret rotation for Timestream for InfluxDB tokens.

Replace the following items in the IAM policy with values from your AWS account:

  • {rotating_secret_arn} – The ARN for the secret being rotated can be found in the Secrets Manager secret details
  • {authentication_properties_admin_secret_arn} – The Timestream for InfluxDB admin secret ARN can be found on the Timestream for InfluxDB instance summary page
  • {db_instance_arn} – The Timestream for InfluxDB instance ARN can be found on the Timestream for InfluxDB instance summary page
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage"
            ],
            "Resource": "{rotating_secret_arn}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "{authentication_properties_admin_secret_arn}"
        },
        {
            "Action": [
                "timestream-influxdb:GetDbInstance"
            ],
            "Resource": "{db_instance_arn}",
            "Effect": "Allow"
        }
    ]
}

Use the following IAM policy as the role for the single-user Lambda function. The policy gives the Lambda function the required permissions to perform a secret rotation for Timestream for InfluxDB users.

Replace the following items in the IAM policy with values from your AWS account:

  • {rotating_secret_arn} – The ARN for the secret being rotated can be found in the Secrets Manager secret details
  • {db_instance_arn} – The Timestream for InfluxDB instance ARN can be found on the Timestream for InfluxDB instance summary page
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage"
            ],
            "Resource": "{rotating_secret_arn}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "timestream-influxdb:GetDbInstance"
            ],
            "Resource": "{db_instance_arn}",
            "Effect": "Allow"
        }
    ]
}
  1. Choose Next.
  2. Enter a policy name and choose Create policy.

Configure invoke Lambda permissions for the Lambda function

Complete the following steps:

  1. Navigate back to the Lambda function Permissions
  2. Under Resource-based policy statements, choose Add permissions.
  3. Choose AWS service.
  4. Select Secrets Manager under Service.
  5. Enter a statement ID of your choosing.
  6. For Principal, select lambda:InvokeFunction under Action.
  7. Choose Save.

Configure Lambda function timeout

Complete the following steps:

  1. Navigate to the Lambda function General configuration
  2. Under General configuration, choose Edit.
  3. Set the Timeout to 1 minute.
  4. Choose Save.

This concludes the configuration for your InfluxDB secret rotation Lambda function.

Create a Secrets Manager secret

Complete the following steps to configure the Secrets Manager secret:

  1. On the Secrets Manager console, choose Secrets in the navigation pane.
  2. Choose Store a new secret.
  3. Select Other type of secret.
  4. Choose Plaintext under Key/value pairs.
  5. Enter one of the following options, depending on whether you’re storing token, user, or admin credentials in the secret.

When you create a Timestream for InfluxDB instance, an admin secret is automatically stored in Secrets Manager with credentials to be used with the multi-user Lambda function. Set the adminSecretArn to the authentication properties Secrets Manager ARN value found on the Timestream for InfluxDB instance summary page.

When you store Timestream for InfluxDB token credentials in the secret, use the following format:

{
    'engine': <required: must be set to 'timestream-influxdb'>,
    'org': <required: organization to associate token with>,
    'adminSecretArn': <required: arn of the admin secret>,
    'type': <required: 'allAccess' or 'operator' or 'custom'>,
    'dbIdentifier': <required: DB identifier>,
    'token': <required unless generating a new token: token being rotated>,
    'writeBuckets': <optional: list of bucketIDs for custom type token, must be input within plaintext panel. e.g. ['id1','id2']>,
    'readBuckets': <optional: list of bucketIDs for custom type token, must be input within plaintext panel. e.g. ['id1','id2']>,
    'permissions': <optional: list of permissions for custom type token, must be input within plaintext panel. e.g. ['write-tasks','read-tasks']>
}

When you store Timestream for InfluxDB user credentials in the secret, use the following format:

{
    'engine': <required: must be set to 'timestream-influxdb'>,
    'username': <required: username>,
    'password': <required: password>,
    'dbIdentifier': <required: DB identifier>,
}

When you store Timestream for InfluxDB admin credentials in the secret, use the following format:

{
    'engine': <required: must be set to 'timestream-influxdb'>,
    'username': <required: username>,
    'password': <required: password>,
    'dbIdentifier': <required: DB identifier>,
    'organization': <optional: initial organization>,
    'bucket': <optional: initial bucket>,
}
  1. Choose Next.
  2. Enter a name for the secret.
  3. Choose Next.
  4. Choose Next (we configure the rotation after we deploy the Lambda function).
  5. Choose Store.

Define the secret

Configure Secrets Manager secret rotation

Complete the following steps to configure your secrets rotation:

  1. On the Secrets Manager console, choose Secrets in the navigation pane.
  2. Choose the secret that you created.
  3. Choose Rotation and then Edit rotation.
  4. Choose Automatic rotation.
  5. Fill in the rotation schedule.
  6. Select Rotate immediately when the secret is stored.
  7. Under Rotation function, choose the Lambda function you previously deployed.
  8. Choose Save.

Secret rotaiton configuration

Verify the token

Complete the following steps to verify the token:

  1. On the Secrets Manager console, choose Secrets in the navigation pane.
  2. Choose the secret you created.
  3. In the Overview section, choose Retrieve secret value.

If everything went correctly, you should see a new token value in the secret if you are using the multi-user rotation Lambda function, or a new password if you are using the single-user rotation Lambda function.

If the value for the token or password has not changed, refer to the next section for troubleshooting using Amazon CloudWatch.

View CloudWatch logs

Complete the following steps to view the function’s CloudWatch logs:

  1. On the Lambda console, choose Functions in the navigation pane.
  2. Choose the function you created.
  3. Choose Monitor.
  4. Choose View CloudWatch logs.
  5. Choose the latest log stream under Log streams.
  6. Look for Error or Info logs that can help determine the reason for failure to rotate the secret.

Clean up

To avoid ongoing charges to your account, delete the resources you created in this walkthrough.

Delete the Lambda function and Lambda execution role

Complete the following steps to delete the Lambda function and the Lambda execution role:

  1. On the Lambda console, choose Functions in the navigation pane.
  2. Choose the function you created.
  3. Choose Configuration.
  4. Choose the role name for the Lambda execution role to open the role in a new tab.
  5. Choose Delete to delete the Lambda execution role.
  6. Enter the Lambda execution role name in the confirmation text box.
  7. Choose Delete.
  8. Return to the Lambda function tab, and on the Actions menu, choose Delete.
  9. Choose Delete.

Delete the Timestream for InfluxDB instance

Complete the following steps to delete your Timestream for InfluxDB instance:

  1. On the Timestream console, choose InfluxDB databases in the navigation pane.
  2. Choose the database you created.
  3. Choose Delete.
  4. Enter confirm in the confirmation text box and choose Delete.

Delete the Secrets Manager secret

Complete the following steps to delete your secret:

  1. On the Secrets Manager console, choose Secrets in the navigation pane.
  2. Choose the secret you created.
  3. On the Actions menu, choose Delete.
  4. Enter a number between 7–30 days for a waiting period and choose Schedule deletion.

Conclusion

In this post, we showed you how to use single- and multi-user secret rotation Lambda functions to rotate credentials for your Timestream for InfluxDB instance. You can use the secret rotation functions to rotate an authorization token or user password periodically to align with security best practices for credential rotation. With secret rotation Lambda functions, you can limit the threat vector of exposed database credentials to the window of time between the next secret rotation.

Check out How Amazon Timestream for InfluxDB uses secrets for more information on using secrets with Timestream for InfluxDB.


About the Author

Author profileForest Vey is a Senior Software Developer at Improving. He is experienced working with time series data and serverless technologies. After 5 years of experience developing cloud infrastructure and embedded systems applications, he has gained proficiency in designing software solutions from application components to deployment architectures. When not immersed in learning about software development, he enjoys rock climbing and playing sports with his friends.