Standing Up an Amazon Aurora Database with an Automatically Rotated Password Using AWS Secrets Manager

During this hands-on lab, you will learn how to use AWS Secrets Manager to securely create and rotate an administrator password for an Amazon Aurora deployment.

Lab Info
Level: Intermediate
Last updated: Sep 24, 2025
Duration: 45m

Table of Contents
  1. Challenge

    Create MySQL-compatible Amazon Aurora Database
    • Create a new Amazon Aurora MySQL-compatible database
    • Use the standard create option
    • Leave the engine version as the default
    • Select a Dev/Test template
    • Use employees-database as the DB cluster identifier
    • Use admin as the master username
    • Enable using AWS Secrets Manager to manage the master credentials
    • Use the default KMS key for encryption of the password (aws/secretsmanager)
    • Use an Aurora Standard configuration option
    • Select a db.t3.medium burstable class instance type
    • Do not create an Aurora replica
    • Set connectivity to Connect to an EC2 compute resource
    • Select the DatabaseClient EC2 instance
    • Create a new VPC Security Group called database-sg
    • Create an initial database named employees_db
  2. Challenge

    Connect to the Aurora Database and Import Data
    • Find and select your RDS credentials secret from the AWS Secrets Manager service (Example: rds!cluster-a5fd421e-64e5-4580-be8e-006919539758)

    • Refresh the page to ensure you are using the latest version of the secret. RDS will run an initial rotation once the RDS instance is created!

    • Retrieve the secret value from the secret and keep the tab open

    • Go back to your DatabaseClient EC2 connection

    • Create a new local file called employees.txt in the /home/ssm-user/ directory that contains the soon-to-be-imported data, using this code block from the GitHub repo

    • Change the directory to the ssm-user home and cat the file to ensure the data was written.

    • Confirm the status of the Amazon Aurora database writer endpoint is Available and copy the endpoint name.

    • In Session Manager, connect to your RDS instance writer endpoint using the command below. Make sure you change the value for host to the writer endpoint name. The user and password are the values in the Secrets Manager secret that you set in previous steps.

    mysql --host=CHANGE_TO_WRITER_ENDPOINT_NAME --user=admin --password employees_db
    
    • Once prompted for the password, use the value retrieved from AWS Secrets Manager. (If you get an error, refresh the page, copy the latest secret value, rerun the command, and enter the new value for the password prompt).

    • You should now see the MySQL prompt!

    • Create a new table called Employees for later use: GitHub Repo - Create Table

    • Load the data using the following SQL query: GitHub Repo - Load Data

    • Verify the data was imported by viewing data in the table:

    SELECT *
    FROM Employees;
    
  3. Challenge

    Trigger Credential Rotation
    • Quit your RDS connection within the EC2 Session Manager terminal and go back to the ssm-user home directory
    • Within the AWS Secrets Manager service (console or API/CLI), trigger an immediate rotation of the RDS credential secret
    • Ensure the version status has changed before moving on
  4. Challenge

    Test Connection with New Credentials
    • After the rotation is completed in AWS Secrets Manager, navigate back to your EC2 Session Manager connection
    • Attempt to connect to RDS using the same credentials from before (this should fail now)
    • Within AWS Secrets Manager, retrieve the updated secret value for the RDS credentials
    • Re-connect to RDS using the new password value for your Master Username
  5. Challenge

    Verify MySQL Client Installation
    • Connect to the DatabaseClient EC2 instance using Session Manager
    • Verify the MySQL client is installed:
    sudo yum list installed | grep mariadb
    
    • If not installed, install it:
    sudo yum install -y mysql
    
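The "Trigger Credential Rotation" challenge, done from the CLI, as an added example that is not part of the lab's own material: it triggers an immediate rotation and polls until the AWSCURRENT staging label has moved to a new version ID, which is the "version status has changed" condition the old password check depends on. The secret ID in the usage comment is a placeholder and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the lab). Function names are illustrative.

# Print the version ID that currently holds the AWSCURRENT staging label.
# Uses list-secret-version-ids, so the secret value itself is never fetched.
current_version_id() {
  aws secretsmanager list-secret-version-ids --secret-id "$1" \
    --query "Versions[?contains(VersionStages, 'AWSCURRENT')].VersionId | [0]" \
    --output text
}

# rotate_and_wait SECRET_ID [TRIES] [DELAY_SECONDS]
# Prints the new AWSCURRENT version ID on success.
# Returns 1 on an API error, 2 if the label has not moved after TRIES polls.
rotate_and_wait() {
  _rw_id=$1; _rw_tries=${2:-30}; _rw_delay=${3:-10}; _rw_i=0
  _rw_before=$(current_version_id "$_rw_id") || return 1
  case "$_rw_before" in
    ""|None) echo "no AWSCURRENT version found" >&2; return 1 ;;
  esac

  # Ask Secrets Manager to start a rotation now instead of waiting for the schedule.
  aws secretsmanager rotate-secret --secret-id "$_rw_id" >/dev/null || return 1

  while [ "$_rw_i" -lt "$_rw_tries" ]; do
    _rw_after=$(current_version_id "$_rw_id") || return 1
    case "$_rw_after" in
      ""|None|"$_rw_before") ;;          # label has not moved yet
      *) echo "$_rw_after"; return 0 ;;  # AWSCURRENT is on a new version
    esac
    sleep "$_rw_delay"
    _rw_i=$((_rw_i + 1))
  done
  echo "rotation still pending; the old password may still be valid" >&2
  return 2
}

# Usage (placeholder secret ID):
#   rotate_and_wait 'rds!cluster-EXAMPLE'
```

Polling the staging labels rather than calling get-secret-value keeps the password out of the terminal and out of retrieval events until you actually need it for the reconnect step.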
About the author

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.
