AWS Secrets Manager - Lambda rotation function for SSH keys

Please see a walk-through of using this function in How to use AWS Secrets Manager to securely store and rotate SSH key pairs.

The above post shows you how to deploy the rotation Lambda function and resources to test the rotation in the us-east-1 AWS region. See below if you want to deploy the function to a different region, or want to re-build the Lambda function ZIP.

License Summary

This sample code is made available under a modified MIT license. See the LICENSE file.

Deploying to an AWS region other than us-east-1

To deploy the rotation Lambda function to an AWS Region other than us-east-1:

1. Clone this repository to your desktop using git.

   git clone https://github.com/aws-samples/aws-secrets-manager-ssh-key-rotation.git
   

2. Create a new S3 bucket or reuse an existing S3 bucket in your chosen AWS region where you want to deploy the Lambda function. This S3 bucket will store the Lambda function ZIP file.
3. Upload the packaged Lambda function ZIP file dist/rotate_ssh_python3.9.zip to your S3 bucket. Note the S3 URL to the uploaded ZIP file (e.g. s3://bucketname/path/to/rotate_ssh_python3.9.zip)
4. Edit the packaged CloudFormation template secretsmanager_rotate_ssh_keys_packaged.yaml and change the CodeUri to point to your S3 URL. I.e. change this line:

         CodeUri: s3://awsiammedia/public/sample/SecretsManagerStoreRotateSSHKeyPairs/rotate_ssh.zip
   

5. Now you can create a new Stack in CloudFormation in your chosen AWS region using the modified packaged template.

Deploying the Lambda function ZIP file after making code changes

The Lambda rotation function uses the Python paramiko package that requires natively compiled cryptography libraries. For this reason, the Lambda function must be packaged on the same environment and architecture as the Lambda run-time for Python 3.9 - Amazon Linux 2 on x86_64.

The Lambda function is deployed using an AWS Serverless Application Model (SAM) template secretsmanager_rotate_ssh_keys.template that must be packaged before it can be deployed.

To deploy the Lambda function ZIP file after making code changes, or to re-package the CloudFormation template:

1. Create a new S3 bucket or reuse an existing S3 bucket in your chosen AWS region where you want to deploy the Lambda function. This S3 bucket will store the Lambda function ZIP file and packaged CloudFormation template. Note the S3 bucket name.
2. Launch an Amazon Linux 2 x86 EC2 instance in your chosen AWS region, ensuring that you can log into the instance using SSH or Systems Manager Session Manager. Ensure the EC2 Instance Profile for this instance has permissions to upload objects to your S3 bucket, invoke CloudFormation APIs, create IAM Roles, and create Lambda functions.
3. SSH or start a Session Manager session to log into the EC2 instance.
4. Install the development tools group:

   yum groupinstall development
   

5. Install Python 3.9 by building from the source. See this post for detailed instructions.
6. Clone this repository to the EC2 instance:

   git clone https://github.com/aws-samples/aws-secrets-manager-ssh-key-rotation.git
   

7. Edit the shell script deployer.sh and replace values for these variables to match the S3 bucket you identified above and your chosen AWS region:

   S3Bucket=BUCKET_NAME
   REGION=us-east-1
   

8. Run the shell script to package the Lambda ZIP file, package the CloudFormation SAM template, and deploy the template to your chosen AWS region:

   sh deployer.sh
   

9. The packaged ZIP file and the packaged CloudFormation template are uploaded to your S3 bucket.
10. Navigate to the CloudFormation console in your chosen AWS region to view the Stack named RotateSSH and see the resources created, including the rotation Lambda function.