Ref: https://learn.cantrill.io/courses/1820301/lectures/41301513

• Summary:
• Contents:

Secrets Manager Overview

• 🔧 Manage and store secrets within AWS
  • 💡 Secrets = passwords, API keys…
• Usable via console, CLI, API, or SDKs (integration)
  • Designed architecturally to be integrated inside apps
    • e.g. app uses SDK to fetch and store secrets
• Encryption at rest with KMS → Secrets kept safe
  • KMS ensures role separation
  • No risk of secrets leakage if malicious access to AWS HW
• Supports automatic rotation of secrets
  • Uses Lambda → invoked periodically to update secrets
• Direct integration with some AWS products, most common example: RDS
  • RDS authentication updated automatically to use most recent secrets → RDS authentication synchronized automatically
• ‼️ It does share functionality with SSM Parameter Store!!
  • Parameter Store can store secure strings, but it can also store other stuff (plaintext strings, string lists, app configurations…)
  • Secrets Manager is specifically designed for secrets → has extra functionality for secrets (SDK, automatic rotation, direct integration with some AWS products like RDS…)
  • 💡 For exam purposes, do keyword search in questions: if mentioning rotation of secrets, or keeping RDS in sync with secrets, most likely Secrets Manager is correct. If you need to store secrets and/or anything that's not secrets (e.g. config variables) then that's probably SSM Parameter Store.

Secrets Manager Architecture

• IAM authorizes (policy) app to access Secrets Manager
• Lambda function that updates secrets requires permissions to access Secrets Manager in its execution role
• If supported products like RDS are used, Lambda function can keep them in sync
  • Requires permissions to access RDS in its execution role
• As long as app keeps checking in with Secrets Manager, it will always have access to latest secrets