Skip to content

AWS Secrets Manager

AWS Secrets Manager Overview

  • Definition: AWS Secrets Manager is a managed service for securely storing, retrieving, and managing sensitive data such as database credentials, API keys, and other secrets. It simplifies secret lifecycle management with automated rotation and access control.
  • Key Features:
    • Stores secrets (e.g., passwords, tokens) encrypted with AWS KMS.
    • Supports automatic and custom secret rotation using Lambda functions.
    • Integrates with AWS services like RDS, Redshift, DocumentDB, Lambda, and IAM for secure access.
    • Provides fine-grained access control, auditing via CloudTrail, and cross-account sharing.
  • Use Cases: Secure database access, manage API keys, rotate credentials automatically, share secrets across accounts, comply with regulatory requirements.
  • Key Updates (2024–2025):
    • Enhanced Secret Rotation: Simplified Lambda templates for custom rotation (October 2024).
    • Cross-Account Secret Sharing: Improved policy-based sharing (March 2024).
    • FIPS 140-2 Compliance: Enhanced for AWS GovCloud (October 2024).
    • Integration with AWS Security Hub: Centralized secret misconfiguration findings (January 2025).

1. Secrets Manager Core Concepts

Components

  • Secret:
    • A stored piece of sensitive data (e.g., database credentials, API keys) encrypted with a KMS key.
    • Includes secret value, metadata (e.g., name, description), and optional tags.
    • Explanation: E.g., secret for RDS database credentials.
  • Secret Value:
    • The sensitive data itself, stored as a JSON string or binary.
    • Example: {"username": "admin", "password": "mypassword123"}.
  • KMS Key:
    • Used to encrypt secrets; can be AWS-managed (aws/secretsmanager) or customer-managed (CMK).
    • Explanation: E.g., CMK for encrypting API key secret.
  • Rotation:
    • Process to update secret values (e.g., change passwords) automatically or via Lambda.
    • Supports RDS, Redshift, DocumentDB natively; custom rotation for other systems.
    • Explanation: E.g., rotate RDS password every 30 days.
  • Resource Policy:
    • JSON policy controlling access to a secret (e.g., secretsmanager:GetSecretValue).
    • Complements IAM policies for fine-grained control.
    • Explanation: E.g., policy allows Lambda to retrieve secret.
  • Versioning:
    • Secrets have versions (e.g., AWSCURRENT, AWSPREVIOUS) to manage updates.
    • Explanation: E.g., AWSPREVIOUS retains old password during rotation.

Key Concepts

  • Secret Retrieval:
    • Applications retrieve secrets via API/CLI/SDK (GetSecretValue).
    • Cached in SDK to reduce API calls.
    • Explanation: E.g., Lambda retrieves RDS credentials at runtime.
  • Automatic Rotation:
    • AWS-managed rotation for supported databases (RDS, Redshift, DocumentDB).
    • Uses Lambda to update secret and database password.
    • Explanation: E.g., rotate Aurora MySQL password every 30 days.
  • Custom Rotation:
    • User-defined Lambda function for non-supported systems (e.g., custom API keys).
    • Enhanced templates for easier setup (new 2024).
    • Explanation: E.g., rotate internal API key with custom Lambda.
  • Cross-Account Sharing:
    • Share secrets with other AWS accounts using resource policies.
    • Improved policy controls (new 2024).
    • Explanation: E.g., share secret with dev account for testing.
  • Tagging:
    • Apply tags to secrets for organization and cost tracking.
    • Explanation: E.g., tag secret with “Project:App”.

Key Notes:

  • Exam Relevance: Understand secrets, rotation, KMS integration, and cross-account sharing.
  • Mastery Tip: Compare Secrets Manager vs. Parameter Store vs. KMS for secret management.

2. Secrets Manager Performance Features

Secrets Manager optimizes secret access and management.

Low Latency

  • Purpose: Fast secret retrieval.
  • Features:
    • Secrets cached in AWS SDKs (e.g., boto3) to reduce API latency.
    • Regional endpoints for quick access.
  • Explanation: E.g., Lambda retrieves secret in <10 ms with caching.
  • Exam Tip: Highlight SDK caching for performance.

High Throughput

  • Purpose: Handle high request volumes.
  • Features:
    • Scales to thousands of GetSecretValue calls per second.
    • Integrates with scalable services (e.g., Lambda, ECS).
  • Explanation: E.g., 1,000 Lambda invocations retrieve secrets concurrently.
  • Exam Tip: Use Secrets Manager for high-throughput apps.

Scalability

  • Purpose: Support growing workloads.
  • Features:
    • No limit on secrets per account (subject to quotas).
    • Multi-account management via AWS Organizations.
  • Explanation: E.g., manage 1,000 secrets for a multi-tenant app.
  • Exam Tip: Highlight scalability for enterprise use.

Key Notes:

  • Performance: Caching + high throughput + scalability = efficient secret management.
  • Exam Tip: Emphasize Secrets Manager for scalable, low-latency secret access.

3. Secrets Manager Resilience Features

Resilience ensures reliable secret management.

Multi-AZ Redundancy

  • Purpose: Survive AZ failures.
  • Features:
    • Secrets stored in Regional, multi-AZ infrastructure.
    • Highly available by default.
  • Explanation: E.g., secret retrieval continues if us-east-1a fails.
  • Exam Tip: Highlight multi-AZ for HA.

Rotation Reliability:

  • Purpose: Ensure seamless credential updates.
  • Features:
    • Automatic rotation for supported databases with no downtime.
    • Versioning (AWSCURRENT, AWSPREVIOUS) prevents app disruption.
  • Explanation: E.g., rotate RDS password without breaking app connections.
  • Exam Tip: Use automatic rotation for resilience.

Monitoring and Recovery:

  • Purpose: Detect and respond to issues.
  • Features:
    • CloudTrail logs API calls (e.g., GetSecretValue, RotateSecret).
    • Security Hub integration for misconfiguration findings (new 2025).
    • CloudWatch metrics for secret access and rotation errors.
    • Explanation: E.g., alarm on failed RotateSecret attempts.
  • Exam Tip: Use CloudTrail and Security Hub for resilience.

Cross-Region Replication:

  • Purpose: Support multi-Region apps.
  • Features:
    • Manually replicate secrets across Regions (no native multi-Region secrets).
    • Explanation: E.g., copy secret to us-west-2 for DR.
  • Exam Tip: Know manual replication for multi-Region resilience.

Key Notes:

  • Resilience: Multi-AZ + rotation + monitoring = reliable secret management.
  • Exam Tip: Design resilient secret access with rotation and CloudTrail.

4. Secrets Manager Security Features

Security is the core focus of Secrets Manager for SAA-C03.

Access Control

  • Resource Policy:
    • Controls access to secrets (secretsmanager:GetSecretValue, secretsmanager:RotateSecret).
    • Supports cross-account sharing.
    • Example: {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/LambdaRole"}, "Action": "secretsmanager:GetSecretValue", "Resource": "*"}.
  • IAM Policies:
    • Restrict user/role access to Secrets Manager APIs.
    • Combined with resource policies for fine-grained control.
    • Example: IAM policy allows secretsmanager:GetSecretValue for Lambda.
  • Cross-Account Sharing:
    • Share secrets with other accounts via resource policies (new 2024).
    • Explanation: E.g., grant dev account access to prod secret.
  • Exam Tip: Practice resource and IAM policies for access control.

Encryption

  • In Transit:
    • HTTPS for API calls and secret retrieval.
    • Explanation: E.g., secure GetSecretValue call.
  • At Rest:
    • Secrets encrypted with KMS (AES-256).
    • Supports AWS-managed or customer-managed keys.
    • Explanation: E.g., CMK encrypts RDS credentials.
  • Exam Tip: Highlight KMS for compliance.

Rotation:

  • Purpose: Reduce risk of credential compromise.
  • Features:
    • Automatic rotation for RDS, Redshift, DocumentDB.
    • Custom Lambda rotation for other systems.
    • Retains old versions for rollback.
  • Explanation: E.g., rotate API key every 7 days with Lambda.
  • Exam Tip: Know rotation for security best practices.

Auditing:

  • Purpose: Track secret access and changes.
  • Features:
    • CloudTrail logs all API actions (e.g., GetSecretValue, RotateSecret).
    • Security Hub detects misconfigurations (e.g., overly permissive policies) (new 2025).
  • Explanation: E.g., audit unauthorized GetSecretValue attempts.
  • Exam Tip: Use CloudTrail for compliance auditing.

Compliance

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., use Secrets Manager for HIPAA-compliant database credentials.

Key Notes:

  • Security: KMS encryption + policies + rotation + auditing = robust protection.
  • Exam Tip: Configure rotation, policies, and KMS for secure secret management.

5. Secrets Manager Cost Optimization

Cost efficiency is a key exam domain.

Pricing

  • Secrets:
    • $0.40/secret/month (prorated).
  • API Requests:
    • $0.05/10,000 requests (e.g., GetSecretValue, RotateSecret).
  • KMS:
    • $1.00/CMK/month, $0.03/10,000 KMS requests (AWS-managed key free).
  • Example:
    • 10 secrets, 100,000 API requests, 1 CMK:
      • Secrets: 10 × $0.40 = $4.00/month.
      • Requests: 100K × $0.05/10K = $0.50/month.
      • KMS: $1.00 (CMK) + (100K × $0.03/10K) = $1.30/month.
      • Total: $4.00 + $0.50 + $1.30 = $5.80/month.
  • Free Tier: None.

Cost Strategies

  • Minimize Secrets:
    • Consolidate secrets where possible (e.g., one secret for multiple RDS instances).
    • Explanation: E.g., use one secret for 3 databases to save $0.80/month.
  • Use AWS-Managed KMS Key:
    • Free for Secrets Manager encryption.
    • Explanation: E.g., avoid CMK to save $1.00/month.
  • Optimize API Requests:
    • Cache secrets in SDK to reduce GetSecretValue calls.
    • Explanation: E.g., cache in Lambda to save $0.05/10,000 calls.
  • Schedule Rotation:
    • Rotate secrets less frequently (e.g., every 90 days vs. 7 days) if compliant.
    • Explanation: E.g., reduce rotation calls to save $0.05/rotation.
  • Tagging:
    • Use cost allocation tags to track secret costs.
    • Explanation: E.g., tag secret with “Project:Security”.
  • Monitor Usage:
    • Use CloudTrail and CloudWatch to optimize secret access.
    • Explanation: E.g., delete unused secret to save $0.40/month.

Key Notes:

  • Cost Savings: Consolidate secrets + AWS-managed KMS + caching = lower costs.
  • Exam Tip: Calculate costs for secrets, API requests, and KMS.

6. Secrets Manager Advanced Features

Enhanced Secret Rotation:

  • Purpose: Simplify rotation for complex systems.
  • Features:
    • New Lambda templates for custom rotation (e.g., API keys, OAuth tokens) (new 2024).
    • Supports multi-step rotation workflows.
  • Explanation: E.g., rotate custom API key with simplified Lambda.
  • Exam Tip: Know custom rotation for non-supported systems.

Cross-Account Sharing:

  • Purpose: Secure multi-account access.
  • Features:
    • Resource policies allow sharing with other accounts (new 2024).
    • Fine-grained permissions for shared secrets.
  • Explanation: E.g., share prod secret with dev account for testing.
  • Exam Tip: Configure resource policies for cross-account.

Security Hub Integration:

  • Purpose: Centralized security monitoring.
  • Features:
    • Detects misconfigured secrets (e.g., public access, no rotation) (new 2025).
    • Aggregates findings with GuardDuty, Macie.
  • Explanation: E.g., flag secret with overly permissive policy.
  • Exam Tip: Use Security Hub for compliance.

Database Integration:

  • Purpose: Seamless credential management.
  • Features:
    • Native rotation for RDS, Redshift, DocumentDB.
    • Auto-updates database credentials during rotation.
  • Explanation: E.g., rotate Aurora PostgreSQL password without downtime.
  • Exam Tip: Know supported databases for rotation.

Lambda Triggers:

  • Purpose: Automate secret workflows.
  • Features:
    • Lambda functions for rotation, validation, or notifications.
    • Explanation: E.g., Lambda notifies admin on rotation failure.
  • Exam Tip: Use Lambda for custom secret management.

Key Notes:

  • Flexibility: Rotation + cross-account + Security Hub = advanced secret management.
  • Exam Tip: Know rotation templates, cross-account sharing, and Security Hub.

7. Secrets Manager Use Cases

Understand practical applications.

Database Credential Management

  • Setup: Secret for RDS credentials, automatic rotation.
  • Features: Secure storage, seamless rotation, IAM access.
  • Explanation: E.g., Lambda retrieves RDS secret for query execution.

API Key Management

  • Setup: Secret for third-party API key, custom rotation.
  • Features: Encrypted storage, Lambda rotation.
  • Explanation: E.g., rotate Twilio API key every 7 days.

Cross-Account Access

  • Setup: Share secret with another account via resource policy.
  • Features: Secure sharing, fine-grained permissions.
  • Explanation: E.g., share secret with partner account for collaboration.

Compliance Requirements

  • Setup: Secrets with KMS, rotation, and CloudTrail auditing.
  • Features: HIPAA/PCI compliance, encrypted storage.
  • Explanation: E.g., manage PCI-compliant database credentials.

8. Secrets Manager vs. Other Services

Feature Secrets Manager Parameter Store KMS
Type Secret Management Configuration Management Key Management
Workload Credentials, API keys Config data, secrets Encryption, signing
Rotation Automatic, custom Manual Key rotation
Cost $0.40/secret, $0.05/10K Free (standard), $0.05/10K (advanced) $1/CMK, $0.03/10K
Use Case Database passwords App configs S3 encryption

Explanation:

  • Secrets Manager: Manages sensitive data with rotation.
  • Parameter Store: Stores configuration data, optional secrets.
  • KMS: Manages encryption keys, not secrets.

9. Detailed Explanations for Mastery

  • Enhanced Rotation:
    • Example: Rotate custom OAuth token with new Lambda template.
    • Why It Matters: Simplifies complex rotation—new for 2024.
  • Cross-Account Sharing:
    • Example: Share RDS secret with dev account via resource policy.
    • Why It Matters: Enables multi-account workflows—new for 2024.
  • Security Hub Integration:
    • Example: Flag secret with no rotation enabled.
    • Why It Matters: Centralized compliance—new for 2025.

10. Quick Reference Table

Feature Purpose Key Detail Exam Relevance
Secret Store sensitive data Encrypted with KMS, versioned Core Concept
Rotation Update credentials Automatic (RDS), custom (Lambda) Core Concept
Resource Policy Access control Cross-account sharing (2024) Core Concept
KMS Integration Encryption AWS-managed or CMK Security
Security Hub Misconfiguration detection Centralized findings (2025) Security, Resilience
Cross-Account Sharing Multi-account access Resource policy-based (2024) Flexibility
CloudTrail Auditing Logs API calls Security, Resilience