How do you rotate database credentials, and how does Secrets Manager help?
Databases & Caching · Basic level
Answer
I rotate DB credentials through AWS Secrets Manager or an equivalent secrets system. The rotation process updates the database user's password, updates the secret versions, and ensures applications pick up the new credential without hardcoded values or the risk of a manual redeploy.
Technical explanation
- Use least-privilege application users instead of the master user.
- Rotation must account for connection pools and long-lived pods using old credentials.
- Alternating-user rotation can provide lower downtime because one credential remains valid while the other rotates.
Hands-on example
Rotation checklist:
1. Store prod/orders/db in Secrets Manager.
2. Grant only the app role secretsmanager:GetSecretValue.
3. Enable a tested rotation Lambda.
4. Restart or reload app pools safely.
5. Monitor failed logins and connection errors.
CLI:
$ aws secretsmanager describe-secret --secret-id prod/orders/db
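An added example (not part of the original page) for the point about connection pools and long-lived pods: the app caches the secret and, when a connection attempt fails authentication, re-reads it once and retries. `SecretCache`, `connect_with_rotation`, `AuthError`, the `orders_app` user and the fake backend are hypothetical names constructed for this sketch; in production the `fetch` callable would wrap a Secrets Manager `GetSecretValue` call for `prod/orders/db`.

```python
import json
import time

class AuthError(Exception):
    """Stand-in for the DB driver's 'password authentication failed' error."""

class SecretCache:
    """Caches the parsed secret for ttl seconds; refresh() forces a re-read."""
    def __init__(self, fetch, ttl=300, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._value, self._expires = None, 0.0

    def get(self):
        if self._value is None or self._clock() >= self._expires:
            self.refresh()
        return self._value

    def refresh(self):
        self._value = json.loads(self._fetch())
        self._expires = self._clock() + self._ttl
        return self._value

def connect_with_rotation(cache, connect):
    """Open a connection; on an auth failure re-read the secret once and retry."""
    creds = cache.get()
    try:
        return connect(creds["username"], creds["password"])
    except AuthError:
        fresh = cache.refresh()
        if fresh == creds:
            raise  # secret unchanged: a genuine auth problem, do not loop
        return connect(fresh["username"], fresh["password"])

# --- constructed demo: fake secret store and database, no AWS calls ---
class FakeBackend:
    def __init__(self):
        self.password, self.reads = "old-pw", 0
    def fetch(self):  # production: the SecretString returned by GetSecretValue
        self.reads += 1
        return json.dumps({"username": "orders_app", "password": self.password})
    def connect(self, user, password):
        if password != self.password:
            raise AuthError(user)
        return f"conn:{user}"

def demo():
    backend = FakeBackend()
    cache = SecretCache(backend.fetch, ttl=3600)
    first = connect_with_rotation(cache, backend.connect)
    backend.password = "new-pw"  # rotation happens while the cache is still warm
    second = connect_with_rotation(cache, backend.connect)
    return first, second, backend.reads
```

The single retry keeps a pod with a stale cached password from failing after rotation, while an unchanged secret surfaces the error instead of hammering the database with bad logins.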