Is it good to have a password for the database which is generated by the secret manager?
I am using it this way now.
Type: 'AWS::SecretsManager::Secret'
Properties:
Description: 'Description'
GenerateSecretString:
SecretStringTemplate: '{"username": "username"}'
GenerateStringKey: 'password'
PasswordLength: 40
ExcludeCharacters: '"@/\'
What are the best practices? Do I need a separate secret manager for every RDS? What about storing other values in secret manager? Do I need one per application?
Yes, it is good to have rotational DB credentials managed by AWS secrets manger. It improves the security of your application. your DB credentials are no more stored in your project configuration. secrets manger takes care of this for you..
to understand the entire operations and best practices read this documentation from Amazon - https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
Option 2 If you just want to maintain your DB credentials out of your project configuration and don't want to automatically rotate secrets, you can create a simple secret in AWS Secrets manager to store your application DB credentials and then use read/get secret AWS SDK APIs(based on you app prog. language) to get the DB secrets at runtime in your application to connect with database.