
Secrets Manager

Priority Tier 3 Domain 1: Design Secure Architectures

AWS Secrets Manager is a service for securely storing and managing application secrets, such as API keys, database credentials, and SSH keys. A key feature is its ability to automatically rotate these secrets, enhancing security posture and compliance. (Source Page 4, 9, 10)

Learning Objectives

Introduction to AWS Secrets Manager

AWS Secrets Manager offers a secure, centralized way to manage and rotate application secrets.

AWS Secrets Manager manages application secrets, including API keys, database passwords, and SSH keys. It can store anything representable as a key-value pair within a document.
Applications retrieve secrets by making API calls to Secrets Manager.
A key feature of Secrets Manager is automatic secret rotation, which enhances security posture and compliance. This allows credentials to be rotated securely without requiring modifications to application code.
Secrets Manager integrates with Amazon Relational Database Service (RDS) to provide secure credential storage and automatic rotation for RDS databases. RDS can generate master passwords and store them encrypted in Secrets Manager (using KMS keys), while IAM controls access to these credentials. Secrets Manager supports automatic credential rotation, with a flexible default rotation period of every 7 days.
Technical Specs: Default credential rotation: every 7 days, flexible
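
The retrieval-by-API and rotation points above, as an added example that is not part of the original page: an application that looks up its credential by name at runtime, caches it briefly, and refetches once when authentication fails, so a rotated password is picked up with no code change. `FakeSecretsManager`, `SecretCache`, `connect_with_retry` and the `connect` callback are hypothetical names; the stand-in client only mirrors the `get_secret_value(SecretId=...)` call and `SecretString` field of the boto3 Secrets Manager client so the block runs offline.

```python
import json
import time


class FakeSecretsManager:
    """Constructed offline stand-in with the same call shape as boto3's
    secretsmanager client: get_secret_value(SecretId=...) -> SecretString."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self.calls = 0  # how many API calls the application made

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}

    def rotate(self, secret_id, new_value):  # simulates automatic rotation
        self._secrets[secret_id] = new_value


class SecretCache:
    """Fetch secrets by name at runtime; nothing is hardcoded in the app."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._cache = {}  # secret id -> (expiry time, parsed key-value document)

    def get(self, secret_id, force_refresh=False):
        hit = self._cache.get(secret_id)
        if hit and not force_refresh and hit[0] > self._clock():
            return hit[1]
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(resp["SecretString"])
        self._cache[secret_id] = (self._clock() + self._ttl, value)
        return value


def connect_with_retry(cache, secret_id, connect):
    """Use the cached credential; on an auth failure (PermissionError is an
    assumed stand-in for the driver's error) refetch once, as it may be rotated."""
    try:
        return connect(cache.get(secret_id))
    except PermissionError:
        return connect(cache.get(secret_id, force_refresh=True))
```

With real AWS access, the stand-in would be replaced by `boto3.client("secretsmanager")`, which exposes the same `get_secret_value` call.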

AWS Secrets Manager vs. AWS Systems Manager Parameter Store


Choosing between Secrets Manager and Parameter Store depends on specific requirements, particularly concerning automatic rotation and cost.

Both services securely store configuration data and secrets, but they have distinct features that make them suitable for different use cases.

| Option | Primary Purpose | Automatic Rotation | Cost Consideration | Exam Preference/Differentiator |
|---|---|---|---|---|
| AWS Secrets Manager | Securely store application secrets (credentials, API keys) with active management | Supported and is a key feature | Incurs costs (not free) | Preferred for managing secrets requiring automatic rotations and integrations. |
| AWS Systems Manager Parameter Store | Securely store configuration data, parameters, and secrets without hardcoding | Not supported | Free to use (for standard parameters) | Preferred when cost optimization is the primary focus and automatic rotation is not required. |

Exam Tips

Glossary

AWS Secrets Manager
A service that enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Automatic Secret Rotation
A key feature of AWS Secrets Manager that automatically updates credentials (e.g., database passwords) without modifying application code, enhancing security posture and compliance.
AWS Systems Manager Parameter Store
A secure, hierarchical storage for configuration data management and secrets, offering a free tier for standard parameters.

Key Takeaways

Content Sources

06_AWS_Solutions_Architect_Associate_...
05_AWS_Solutions_Architect_Associate_...
Introduction to AWS Systems Manager f...
Security Services Review
Introduction to AWS Systems Manager f...

Extracted: 2026-01-26 10:10:01.506701
Model: gemini-2.5-flash