Security, Identity, and Compliance

AWS Secrets Manager

Focused AWS Solutions Architect Associate notes from the Security, Identity, and Compliance domain.

AWS Secrets Manager#

AWS Secrets Manager Overview#

  • Definition: AWS Secrets Manager is a managed service for securely storing, retrieving, and managing sensitive data such as database credentials, API keys, and other secrets. It simplifies secret lifecycle management with automated rotation and access control.
  • Key Features:
    • Stores secrets (e.g., passwords, tokens) encrypted with AWS KMS.
    • Supports automatic and custom secret rotation using Lambda functions.
    • Integrates with AWS services like RDS, Redshift, DocumentDB, Lambda, and IAM for secure access.
    • Provides fine-grained access control, auditing via CloudTrail, and cross-account sharing.
  • Use Cases: Secure database access, manage API keys, rotate credentials automatically, share secrets across accounts, comply with regulatory requirements.
  • Key Updates (2024–2025):
    • Enhanced Secret Rotation: Simplified Lambda templates for custom rotation (October 2024).
    • Cross-Account Secret Sharing: Improved policy-based sharing (March 2024).
    • FIPS 140-2 Compliance: Enhanced for AWS GovCloud (October 2024).
    • Integration with AWS Security Hub: Centralized secret misconfiguration findings (January 2025).

1. Secrets Manager Core Concepts#

Components#

  • Secret:
    • A stored piece of sensitive data (e.g., database credentials, API keys) encrypted with a KMS key.
    • Includes secret value, metadata (e.g., name, description), and optional tags.
    • Explanation: E.g., secret for RDS database credentials.
  • Secret Value:
    • The sensitive data itself, stored as a JSON string or binary.
    • Example: {“username”: “admin”, “password”: “mypassword123”}.
  • KMS Key:
    • Used to encrypt secrets; can be AWS-managed (aws/secretsmanager) or customer-managed (CMK).
    • Explanation: E.g., CMK for encrypting API key secret.
  • Rotation:
    • Process to update secret values (e.g., change passwords) automatically or via Lambda.
    • Supports RDS, Redshift, DocumentDB natively; custom rotation for other systems.
    • Explanation: E.g., rotate RDS password every 30 days.
  • Resource Policy:
    • JSON policy controlling access to a secret (e.g., secretsmanager:GetSecretValue).
    • Complements IAM policies for fine-grained control.
    • Explanation: E.g., policy allows Lambda to retrieve secret.
  • Versioning:
    • Secrets have versions (e.g., AWSCURRENT, AWSPREVIOUS) to manage updates.
    • Explanation: E.g., AWSPREVIOUS retains old password during rotation.

Key Concepts#

  • Secret Retrieval:
    • Applications retrieve secrets via API/CLI/SDK (GetSecretValue).
    • Cached in SDK to reduce API calls.
    • Explanation: E.g., Lambda retrieves RDS credentials at runtime.
  • Automatic Rotation:
    • AWS-managed rotation for supported databases (RDS, Redshift, DocumentDB).
    • Uses Lambda to update secret and database password.
    • Explanation: E.g., rotate Aurora MySQL password every 30 days.
  • Custom Rotation:
    • User-defined Lambda function for non-supported systems (e.g., custom API keys).
    • Enhanced templates for easier setup (new 2024).
    • Explanation: E.g., rotate internal API key with custom Lambda.
  • Cross-Account Sharing:
    • Share secrets with other AWS accounts using resource policies.
    • Improved policy controls (new 2024).
    • Explanation: E.g., share secret with dev account for testing.
  • Tagging:
    • Apply tags to secrets for organization and cost tracking.
    • Explanation: E.g., tag secret with “Project:App”.

Key Notes:#

  • Exam Relevance: Understand secrets, rotation, KMS integration, and cross-account sharing.
  • Mastery Tip: Compare Secrets Manager vs. Parameter Store vs. KMS for secret management.

2. Secrets Manager Performance Features#

Secrets Manager optimizes secret access and management.

Low Latency#

  • Purpose: Fast secret retrieval.
  • Features:
    • Secrets cached in AWS SDKs (e.g., boto3) to reduce API latency.
    • Regional endpoints for quick access.
  • Explanation: E.g., Lambda retrieves secret in <10 ms with caching.
  • Exam Tip: Highlight SDK caching for performance.

High Throughput#

  • Purpose: Handle high request volumes.
  • Features:
    • Scales to thousands of GetSecretValue calls per second.
    • Integrates with scalable services (e.g., Lambda, ECS).
  • Explanation: E.g., 1,000 Lambda invocations retrieve secrets concurrently.
  • Exam Tip: Use Secrets Manager for high-throughput apps.

Scalability#

  • Purpose: Support growing workloads.
  • Features:
    • No limit on secrets per account (subject to quotas).
    • Multi-account management via AWS Organizations.
  • Explanation: E.g., manage 1,000 secrets for a multi-tenant app.
  • Exam Tip: Highlight scalability for enterprise use.

Key Notes:#

  • Performance: Caching + high throughput + scalability = efficient secret management.
  • Exam Tip: Emphasize Secrets Manager for scalable, low-latency secret access.

3. Secrets Manager Resilience Features#

Resilience ensures reliable secret management.

Multi-AZ Redundancy#

  • Purpose: Survive AZ failures.
  • Features:
    • Secrets stored in Regional, multi-AZ infrastructure.
    • Highly available by default.
  • Explanation: E.g., secret retrieval continues if us-east-1a fails.
  • Exam Tip: Highlight multi-AZ for HA.

Rotation Reliability:#

  • Purpose: Ensure seamless credential updates.
  • Features:
    • Automatic rotation for supported databases with no downtime.
    • Versioning (AWSCURRENT, AWSPREVIOUS) prevents app disruption.
  • Explanation: E.g., rotate RDS password without breaking app connections.
  • Exam Tip: Use automatic rotation for resilience.

Monitoring and Recovery:#

  • Purpose: Detect and respond to issues.
  • Features:
    • CloudTrail logs API calls (e.g., GetSecretValue, RotateSecret).
    • Security Hub integration for misconfiguration findings (new 2025).
    • CloudWatch metrics for secret access and rotation errors.
    • Explanation: E.g., alarm on failed RotateSecret attempts.
  • Exam Tip: Use CloudTrail and Security Hub for resilience.

Cross-Region Replication:#

  • Purpose: Support multi-Region apps.
  • Features:
    • Manually replicate secrets across Regions (no native multi-Region secrets).
    • Explanation: E.g., copy secret to us-west-2 for DR.
  • Exam Tip: Know manual replication for multi-Region resilience.

Key Notes:#

  • Resilience: Multi-AZ + rotation + monitoring = reliable secret management.
  • Exam Tip: Design resilient secret access with rotation and CloudTrail.

4. Secrets Manager Security Features#

Security is the core focus of Secrets Manager for SAA-C03.

Access Control#

  • Resource Policy:
    • Controls access to secrets (secretsmanager:GetSecretValue, secretsmanager:RotateSecret).
    • Supports cross-account sharing.
    • Example: {“Effect”: “Allow”, “Principal”: {“AWS”: “arn:aws:iam::123456789012:role/LambdaRole”}, “Action”: “secretsmanager:GetSecretValue”, “Resource”: ”*”}.
  • IAM Policies:
    • Restrict user/role access to Secrets Manager APIs.
    • Combined with resource policies for fine-grained control.
    • Example: IAM policy allows secretsmanager:GetSecretValue for Lambda.
  • Cross-Account Sharing:
    • Share secrets with other accounts via resource policies (new 2024).
    • Explanation: E.g., grant dev account access to prod secret.
  • Exam Tip: Practice resource and IAM policies for access control.

Encryption#

  • In Transit:
    • HTTPS for API calls and secret retrieval.
    • Explanation: E.g., secure GetSecretValue call.
  • At Rest:
    • Secrets encrypted with KMS (AES-256).
    • Supports AWS-managed or customer-managed keys.
    • Explanation: E.g., CMK encrypts RDS credentials.
  • Exam Tip: Highlight KMS for compliance.

Rotation:#

  • Purpose: Reduce risk of credential compromise.
  • Features:
    • Automatic rotation for RDS, Redshift, DocumentDB.
    • Custom Lambda rotation for other systems.
    • Retains old versions for rollback.
  • Explanation: E.g., rotate API key every 7 days with Lambda.
  • Exam Tip: Know rotation for security best practices.

Auditing:#

  • Purpose: Track secret access and changes.
  • Features:
    • CloudTrail logs all API actions (e.g., GetSecretValue, RotateSecret).
    • Security Hub detects misconfigurations (e.g., overly permissive policies) (new 2025).
  • Explanation: E.g., audit unauthorized GetSecretValue attempts.
  • Exam Tip: Use CloudTrail for compliance auditing.

Compliance#

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., use Secrets Manager for HIPAA-compliant database credentials.

Key Notes:#

  • Security: KMS encryption + policies + rotation + auditing = robust protection.
  • Exam Tip: Configure rotation, policies, and KMS for secure secret management.

5. Secrets Manager Cost Optimization#

Cost efficiency is a key exam domain.

Pricing#

  • Secrets:
    • $0.40/secret/month (prorated).
  • API Requests:
    • $0.05/10,000 requests (e.g., GetSecretValue, RotateSecret).
  • KMS:
    • $1.00/CMK/month, $0.03/10,000 KMS requests (AWS-managed key free).
  • Example:
    • 10 secrets, 100,000 API requests, 1 CMK:
      • Secrets: 10 × $0.40 = $4.00/month.
      • Requests: 100K × $0.05/10K = $0.50/month.
      • KMS: $1.00 (CMK) + (100K × $0.03/10K) = $1.30/month.
      • Total: $4.00 + $0.50 + $1.30 = $5.80/month.
  • Free Tier: None.

Cost Strategies#

  • Minimize Secrets:
    • Consolidate secrets where possible (e.g., one secret for multiple RDS instances).
    • Explanation: E.g., use one secret for 3 databases to save $0.80/month.
  • Use AWS-Managed KMS Key:
    • Free for Secrets Manager encryption.
    • Explanation: E.g., avoid CMK to save $1.00/month.
  • Optimize API Requests:
    • Cache secrets in SDK to reduce GetSecretValue calls.
    • Explanation: E.g., cache in Lambda to save $0.05/10,000 calls.
  • Schedule Rotation:
    • Rotate secrets less frequently (e.g., every 90 days vs. 7 days) if compliant.
    • Explanation: E.g., reduce rotation calls to save $0.05/rotation.
  • Tagging:
    • Use cost allocation tags to track secret costs.
    • Explanation: E.g., tag secret with “Project:Security”.
  • Monitor Usage:
    • Use CloudTrail and CloudWatch to optimize secret access.
    • Explanation: E.g., delete unused secret to save $0.40/month.

Key Notes:#

  • Cost Savings: Consolidate secrets + AWS-managed KMS + caching = lower costs.
  • Exam Tip: Calculate costs for secrets, API requests, and KMS.

6. Secrets Manager Advanced Features#

Enhanced Secret Rotation:#

  • Purpose: Simplify rotation for complex systems.
  • Features:
    • New Lambda templates for custom rotation (e.g., API keys, OAuth tokens) (new 2024).
    • Supports multi-step rotation workflows.
  • Explanation: E.g., rotate custom API key with simplified Lambda.
  • Exam Tip: Know custom rotation for non-supported systems.

Cross-Account Sharing:#

  • Purpose: Secure multi-account access.
  • Features:
    • Resource policies allow sharing with other accounts (new 2024).
    • Fine-grained permissions for shared secrets.
  • Explanation: E.g., share prod secret with dev account for testing.
  • Exam Tip: Configure resource policies for cross-account.

Security Hub Integration:#

  • Purpose: Centralized security monitoring.
  • Features:
    • Detects misconfigured secrets (e.g., public access, no rotation) (new 2025).
    • Aggregates findings with GuardDuty, Macie.
  • Explanation: E.g., flag secret with overly permissive policy.
  • Exam Tip: Use Security Hub for compliance.

Database Integration:#

  • Purpose: Seamless credential management.
  • Features:
    • Native rotation for RDS, Redshift, DocumentDB.
    • Auto-updates database credentials during rotation.
  • Explanation: E.g., rotate Aurora PostgreSQL password without downtime.
  • Exam Tip: Know supported databases for rotation.

Lambda Triggers:#

  • Purpose: Automate secret workflows.
  • Features:
    • Lambda functions for rotation, validation, or notifications.
    • Explanation: E.g., Lambda notifies admin on rotation failure.
  • Exam Tip: Use Lambda for custom secret management.

Key Notes:#

  • Flexibility: Rotation + cross-account + Security Hub = advanced secret management.
  • Exam Tip: Know rotation templates, cross-account sharing, and Security Hub.

7. Secrets Manager Use Cases#

Understand practical applications.

Database Credential Management#

  • Setup: Secret for RDS credentials, automatic rotation.
  • Features: Secure storage, seamless rotation, IAM access.
  • Explanation: E.g., Lambda retrieves RDS secret for query execution.

API Key Management#

  • Setup: Secret for third-party API key, custom rotation.
  • Features: Encrypted storage, Lambda rotation.
  • Explanation: E.g., rotate Twilio API key every 7 days.

Cross-Account Access#

  • Setup: Share secret with another account via resource policy.
  • Features: Secure sharing, fine-grained permissions.
  • Explanation: E.g., share secret with partner account for collaboration.

Compliance Requirements#

  • Setup: Secrets with KMS, rotation, and CloudTrail auditing.
  • Features: HIPAA/PCI compliance, encrypted storage.
  • Explanation: E.g., manage PCI-compliant database credentials.

8. Secrets Manager vs. Other Services#

FeatureSecrets ManagerParameter StoreKMS
TypeSecret ManagementConfiguration ManagementKey Management
WorkloadCredentials, API keysConfig data, secretsEncryption, signing
RotationAutomatic, customManualKey rotation
Cost$0.40/secret, $0.05/10KFree (standard), $0.05/10K (advanced)$1/CMK, $0.03/10K
Use CaseDatabase passwordsApp configsS3 encryption

Explanation:#

  • Secrets Manager: Manages sensitive data with rotation.
  • Parameter Store: Stores configuration data, optional secrets.
  • KMS: Manages encryption keys, not secrets.

9. Detailed Explanations for Mastery#

  • Enhanced Rotation:
    • Example: Rotate custom OAuth token with new Lambda template.
    • Why It Matters: Simplifies complex rotation—new for 2024.
  • Cross-Account Sharing:
    • Example: Share RDS secret with dev account via resource policy.
    • Why It Matters: Enables multi-account workflows—new for 2024.
  • Security Hub Integration:
    • Example: Flag secret with no rotation enabled.
    • Why It Matters: Centralized compliance—new for 2025.

10. Quick Reference Table#

FeaturePurposeKey DetailExam Relevance
SecretStore sensitive dataEncrypted with KMS, versionedCore Concept
RotationUpdate credentialsAutomatic (RDS), custom (Lambda)Core Concept
Resource PolicyAccess controlCross-account sharing (2024)Core Concept
KMS IntegrationEncryptionAWS-managed or CMKSecurity
Security HubMisconfiguration detectionCentralized findings (2025)Security, Resilience
Cross-Account SharingMulti-account accessResource policy-based (2024)Flexibility
CloudTrailAuditingLogs API callsSecurity, Resilience

Found an issue? Improve this note in the GitHub repo.