Rotating RDS Custom for Oracle credentials for compliance programs
Some compliance programs require database user credentials to change periodically, for example, every 90 days. RDS Custom for Oracle automatically rotates credentials for some predefined database users.
Topics
Automatic rotation of credentials for predefined users
If your RDS Custom for Oracle DB instance is hosted in Amazon RDS, credentials for the following predefined Oracle users rotate every 30 days automatically. Credentials for the preceding users reside in AWS Secrets Manager.
| Database user | Created by | Supported engine versions | Notes |
|---|---|---|---|
|
|
Oracle |
custom-oracle-ee custom-oracle-ee-cdb custom-oracle-se2 custom-oracle-se2-cdb | |
|
|
Oracle |
custom-oracle-ee custom-oracle-ee-cdb custom-oracle-se2 custom-oracle-se2-cdb | |
|
|
RDS |
custom-oracle-ee custom-oracle-se2 | |
|
|
RDS |
custom-oracle-ee-cdb custom-oracle-se2-cdb | User names with a C## prefix exist only in CDBs. For more information about
CDBs, see Overview of Amazon RDS Custom for Oracle architecture. |
|
|
RDS |
custom-oracle-ee | This user exists only in read replicas, source databases for read replicas, and databases that you have physically migrated into RDS Custom using Oracle Data Guard. |
|
|
RDS |
custom-oracle-ee-cdb | This user exists only in read replicas, source databases for read replicas, and databases
that you have physically migrated into RDS Custom using Oracle Data
Guard. User names with a C## prefix exist only in CDBs.
For more information about CDBs, see Overview of Amazon RDS Custom for Oracle architecture. |
An exception to the automatic credential rotation is an RDS Custom for Oracle DB instance that you
have manually configured as a standby database. RDS only rotates credentials for
read replicas that you have created using the
create-db-instance-read-replica CLI command or
CreateDBInstanceReadReplica API.
Guidelines for rotating user credentials
To make sure that your credentials rotate according to your compliance program, note the following guidelines:
If your DB instance rotates credentials automatically, don't manually change or delete a secret, password file, or password for users listed in Predefined Oracle users. Otherwise, RDS Custom might place your DB instance outside of the support perimeter, which suspends automatic rotation.
The RDS master user is not predefined, so you are responsible for either changing the password manually or setting up automatic rotation in Secrets Manager. For more information, see Rotate AWS Secrets Manager secrets.
Rotating user credentials manually
For the following categories of databases, RDS doesn't automatically rotate the credentials for the users listed in Predefined Oracle users:
-
A database that you configured manually to function as a standby database.
-
An on-premises database.
-
A DB instance that is outside of the support perimeter or in a state in which the RDS Custom automation can't run. In this case, RDS Custom also doesn't rotate keys.
If your database is in any of the preceding categories, you must rotate your user credentials manually.
To rotate user credentials manually for a DB instance
Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/
. -
In Databases, make sure that RDS isn't currently backing up your DB instance or performing operations such configuring high availability.
-
In the database details page, choose Configuration and note the Resource ID for the DB instance. Or you can use the AWS CLI command
describe-db-instances. -
Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/
. -
In the search box, enter your DB Resource ID and find the secret in the following form:
do-not-delete-rds-custom-db-resource-id-numeric-stringThis secret stores the password for
RDSADMIN,SYS, andSYSTEM. The following sample key is for the DB instance with the DB resource IDdb-ABCDEFG12HIJKLNMNOPQRS3TUVWX:do-not-delete-rds-custom-db-ABCDEFG12HIJKLNMNOPQRS3TUVWX-123456Important
If your DB instance is a read replica and uses the
custom-oracle-ee-cdbengine, two secrets exist with the suffixdb-resource-id-numeric-stringRDSADMIN,SYS, andSYSTEM. To find the correct secret, run the following command on the host:cat /opt/aws/rdscustomagent/config/database_metadata.json | python3 -c "import sys,json; print(json.load(sys.stdin)['dbMonitoringUserPassword'])"The
dbMonitoringUserPasswordattribute indicates the secret forRDSADMIN,SYS, andSYSTEM. -
If your DB instance exists in an Oracle Data Guard configuration, find the secret in the following form:
do-not-delete-rds-custom-db-resource-id-numeric-string-dgThis secret stores the password for
RDS_DATAGUARD. The following sample key is for the DB instance with the DB resource IDdb-ABCDEFG12HIJKLNMNOPQRS3TUVWX:do-not-delete-rds-custom-db-ABCDEFG12HIJKLNMNOPQRS3TUVWX-789012-dg -
For all database users listed in Predefined Oracle users, update the passwords by following the instructions in Modify an AWS Secrets Manager secret.
-
If your database is a standalone database or a source database in an Oracle Data Guard configuration:
-
Start your Oracle SQL client and log in as
SYS. -
Run a SQL statement in the following form for each database user listed in Predefined Oracle users:
ALTER USERuser-nameIDENTIFIED BYpwd-from-secrets-managerACCOUNT UNLOCK;For example, if the new password for
RDSADMINstored in Secrets Manager ispwd-123, run the following statement:ALTER USER RDSADMIN IDENTIFIED BY pwd-123 ACCOUNT UNLOCK;
-
-
If your DB instance runs Oracle Database 12c Release 1 (12.1) and is managed by Oracle Data Guard, manually copy the password file (
orapw) from the primary DB instance to each standby DB instance.If your DB instance is hosted in Amazon RDS, the password file location is
/rdsdbdata/config/orapw. For databases that aren't hosted in Amazon RDS, the default location is$ORACLE_HOME/dbs/orapw$ORACLE_SIDon Linux and UNIX and%ORACLE_HOME%\database\PWD%ORACLE_SID%.oraon Windows.
