Ref: https://learn.cantrill.io/courses/1820301/lectures/41301513
Secrets Manager Overview
- 🔧 Manage and store secrets within AWS
- 💡 Secrets = passwords, API keys…
- Usable via console, CLI, API, or SDKs (integration)
- Designed architecturally to be integrated inside apps
- e.g. app uses SDK to fetch and store secrets
- Encryption at rest with KMS → Secrets kept safe
- KMS ensures role separation
- No risk of secrets leakage if malicious access to AWS HW
- Supports automatic rotation of secrets
- Uses Lambda → invoked periodically to update secrets
- Direct integration with some AWS products, most common example: RDS
- RDS authentication updated automatically to use most recent secrets → RDS authentication synchronized automatically
- ‼️ It does share functionality with SSM Parameter Store!!
- Parameter Store can store secure strings, but it can also store other stuff (plaintext strings, string lists, app configurations…)
- Secrets Manager is specifically designed for secrets → has extra functionality for secrets (SDK, automatic rotation, direct integration with some AWS products like RDS…)
- 💡 For exam purposes, do keyword search in questions: if mentioning rotation of secrets, or keeping RDS in sync with secrets, most likely Secrets Manager is correct. If you need to store secrets and/or anything that's not secrets (e.g. config variables) then that's probably SSM Parameter Store.
Secrets Manager Architecture
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/2000-SECURITY_DEPLOYMENTS_OPERATIONS/00_LEARNINGAIDS/SecretsManager-1.png
- IAM authorizes (policy) app to access Secrets Manager
- Lambda function that updates secrets requires permissions to access Secrets Manager in its execution role
- If supported products like RDS are used, Lambda function can keep them in sync
- Requires permissions to access RDS in its execution role
- As long as app keeps checking in with Secrets Manager, it will always have access to latest secrets
