Secrets Fundamentals

Core Concepts of AWS Secrets Manager

What is Secrets Manager?

AWS Secrets Manager is a fully managed service that helps you protect secrets needed to access your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Centralized Management: Store and manage all secrets in one place
Automatic Rotation: Built-in rotation for RDS, DocumentDB, Redshift
Encryption: All secrets encrypted at rest using AWS KMS

Key Features

Automatic Rotation

Managed rotation for Amazon RDS (including Aurora), DocumentDB and Redshift credentials; any other secret type can be rotated on a schedule by a custom Lambda rotation function that you supply

Encryption

Secrets encrypted at rest using AWS KMS and in transit using TLS

Fine-grained Access

IAM policies and resource-based policies for granular access control

Monitoring

Every API call is logged in CloudTrail; CloudWatch alarms and EventBridge rules built on those events support auditing and compliance

Database Credentials

  • RDS database passwords
  • DocumentDB credentials
  • Redshift cluster passwords
  • Aurora serverless credentials

API Keys & Tokens

  • Third-party API keys
  • OAuth tokens
  • JWT tokens
  • Service account keys

Certificates & Keys

  • SSL/TLS certificates
  • Private keys
  • SSH keys
  • Encryption keys

Configuration Data

  • Connection strings
  • Configuration parameters
  • Environment variables
  • Application settings

Secret Structure

// JSON Secret Format
{
  "username": "admin",
  "password": "mySecretPassword123",
  "engine": "mysql",
  "host": "mydb.cluster-xyz.us-east-1.rds.amazonaws.com",
  "port": 3306,
  "dbname": "myDatabase"
}
Secret Name: Unique within an AWS account and region (the ARN appends a random suffix and is globally unique)
Secret Value: The actual secret data, stored as SecretString (text, by convention JSON) or SecretBinary, up to 64 KB
Version: Each secret can hold multiple versions, identified by staging labels such as AWSCURRENT, AWSPREVIOUS and AWSPENDING; GetSecretValue returns the AWSCURRENT version unless a version or stage is specified
Metadata: Description, tags, KMS key, rotation settings and resource policy
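The JSON above is what an application receives inside a GetSecretValue response, either as SecretString or, for binary secrets, as SecretBinary. The following Python is an added example (not code from the page or from AWS) that parses such a response, validates the fields the database-credential layout needs, checks the AWSCURRENT staging label, and produces a redacted copy safe for logging. The response dict, ARN and account number are constructed for the example; a real caller would get the dict from boto3's `get_secret_value()`.

```python
import base64
import json
from typing import Any, Dict
from urllib.parse import quote

# Fields the database-credential layout shown above is expected to carry.
REQUIRED_FIELDS = ("username", "password", "engine", "host", "port", "dbname")

# Constructed stand-in for the dict boto3 returns from get_secret_value();
# the ARN, account number and values are made up for this example.
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf",
    "Name": "prod/app/db",
    "VersionStages": ["AWSCURRENT"],
    "SecretString": json.dumps({
        "username": "admin",
        "password": "mySecretPassword123",
        "engine": "mysql",
        "host": "mydb.cluster-xyz.us-east-1.rds.amazonaws.com",
        "port": 3306,
        "dbname": "myDatabase",
    }),
}


def parse_secret_value(response: Dict[str, Any]) -> Dict[str, Any]:
    """Extract credential fields from a GetSecretValue response.

    A secret holds either SecretString (text, by convention JSON) or
    SecretBinary (bytes); the response carries exactly one of the two.
    """
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        blob = response["SecretBinary"]
        # boto3 returns SecretBinary as bytes; the raw HTTP API base64-encodes it.
        if isinstance(blob, str):
            blob = base64.b64decode(blob)
        raw = blob.decode("utf-8")
    else:
        raise ValueError("response has neither SecretString nor SecretBinary")

    try:
        fields = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("secret value is not valid JSON") from exc

    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    if missing:
        raise ValueError(f"secret is missing required fields: {missing}")
    fields["port"] = int(fields["port"])  # tolerate "3306" as well as 3306
    return fields


def is_current_version(response: Dict[str, Any]) -> bool:
    """True when the returned version carries the AWSCURRENT staging label.

    While a rotation is in progress a version may carry only AWSPENDING;
    a client that asked for a specific version should not use such a value.
    """
    return "AWSCURRENT" in response.get("VersionStages", [])


def redacted(fields: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the fields that is safe to log: the password is masked."""
    return {k: ("***" if k == "password" else v) for k, v in fields.items()}


def connection_url(fields: Dict[str, Any]) -> str:
    """Build a driver-style URL (engine://user:password@host:port/db).

    The password is percent-encoded so characters such as '@' or '/' in a
    generated password cannot break the URL.
    """
    return (f"{fields['engine']}://{fields['username']}:{quote(fields['password'], safe='')}"
            f"@{fields['host']}:{fields['port']}/{fields['dbname']}")


if __name__ == "__main__":
    creds = parse_secret_value(SAMPLE_RESPONSE)
    print(redacted(creds))  # never print or log the unredacted dict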

Security

  • Use least privilege IAM policies: grant secretsmanager:GetSecretValue on specific secret ARNs, never secretsmanager:* on *
  • Enable automatic rotation when possible
  • Use customer-managed KMS keys where you need key-policy control or cross-account access (the AWS managed key aws/secretsmanager cannot be shared across accounts)
  • Use a consistent naming hierarchy (for example prod/app/db) so IAM policies can scope access by ARN prefix

Operations

  • Use descriptive secret names
  • Tag secrets for organization
  • Monitor secret access with CloudTrail
  • Set up CloudWatch alarms

Development

  • Cache secrets in memory with a TTL instead of calling GetSecretValue on every request; the API is throttled and billed per call
  • Handle rotation gracefully: on an authentication failure, refresh the cached value and retry once, because the cached credential may predate the last rotation
  • Use SDK retry logic with exponential backoff for throttled API calls
  • Treat ResourceNotFoundException and AccessDeniedException as configuration errors and fail closed rather than falling back to hard-coded credentials
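The caching and rotation advice above is easiest to see in code. The following Python is an added example (not code from the page, from AWS, or from the aws-secretsmanager-caching library it is modelled on): a TTL cache in front of the GetSecretValue call, plus a wrapper that, on an authentication failure, forces one refresh and retries. The Secrets Manager client and the database are constructed stand-ins that simulate a rotation by moving the AWSCURRENT label, so the whole thing runs offline; in production the client would be `boto3.client("secretsmanager")` and the secret id would be a real name or ARN.

```python
import json
import time
from typing import Any, Callable, Dict, Tuple


class AuthenticationFailed(Exception):
    """Raised by the (simulated) database when credentials are rejected."""


class FakeSecretsManagerClient:
    """Constructed stand-in for boto3's Secrets Manager client.

    It keeps the AWSCURRENT/AWSPREVIOUS staging labels so a rotation can be simulated.
    """

    def __init__(self, username: str, password: str) -> None:
        self._versions = {"AWSCURRENT": {"username": username, "password": password}}
        self.api_calls = 0

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> Dict[str, Any]:
        self.api_calls += 1
        return {"Name": SecretId,
                "SecretString": json.dumps(self._versions[VersionStage]),
                "VersionStages": [VersionStage]}

    def rotate(self, new_password: str) -> None:
        """Move the labels the way a rotation function does once it finishes."""
        current = self._versions["AWSCURRENT"]
        self._versions["AWSPREVIOUS"] = current
        self._versions["AWSCURRENT"] = {"username": current["username"], "password": new_password}


class FakeDatabase:
    """Constructed database that accepts only its current password."""

    def __init__(self, username: str, password: str) -> None:
        self.username, self.password = username, password

    def connect(self, creds: Dict[str, Any]) -> str:
        if (creds["username"], creds["password"]) != (self.username, self.password):
            raise AuthenticationFailed("access denied")
        return "connected"


class SecretCache:
    """In-memory cache with a TTL; entries are keyed by secret id."""

    def __init__(self, client: Any, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._entries: Dict[str, Tuple[float, Dict[str, Any]]] = {}

    def get(self, secret_id: str, force_refresh: bool = False) -> Dict[str, Any]:
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and not force_refresh and now < entry[0]:
            return entry[1]                       # cache hit: no API call
        response = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(response["SecretString"])
        self._entries[secret_id] = (now + self._ttl, value)
        return value


def with_credentials(cache: SecretCache, secret_id: str, action: Callable[[Dict[str, Any]], Any]) -> Any:
    """Run action(creds) with cached credentials; on an authentication failure
    refresh once from Secrets Manager and retry. This covers the window in which
    the cache still holds a pre-rotation password. A second failure propagates."""
    try:
        return action(cache.get(secret_id))
    except AuthenticationFailed:
        return action(cache.get(secret_id, force_refresh=True))


def simulate_rotation() -> Dict[str, int]:
    """Normal use, a rotation, and a TTL expiry; returns the API call counts."""
    clock = [0.0]                                  # controllable clock for the TTL
    client = FakeSecretsManagerClient("app", "pw-v1")
    db = FakeDatabase("app", "pw-v1")
    cache = SecretCache(client, ttl_seconds=300, clock=lambda: clock[0])
    stats: Dict[str, int] = {}

    for _ in range(5):                             # repeated use is served from cache
        with_credentials(cache, "prod/app/db", db.connect)
    stats["calls_after_5_uses"] = client.api_calls

    db.password = "pw-v2"                          # rotation function changes the database password
    client.rotate("pw-v2")                         # then promotes the new version to AWSCURRENT
    with_credentials(cache, "prod/app/db", db.connect)  # stale creds fail, refresh, succeed
    stats["calls_after_rotation"] = client.api_calls

    clock[0] += 301                                # TTL expiry forces a refresh on its own
    with_credentials(cache, "prod/app/db", db.connect)
    stats["calls_after_ttl_expiry"] = client.api_calls
    return stats


if __name__ == "__main__":
    print(simulate_rotation())
```

The retry is deliberately limited to one refresh: if the freshly fetched credential is also rejected, the problem is not a stale cache but a broken rotation or a wrong secret, and the failure should surface rather than loop.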

Exam Strategy Tip

Remember: Secrets Manager provides managed rotation for RDS, DocumentDB, and Redshift, and Lambda-based rotation for anything else. All secrets are encrypted with KMS, and the maximum secret size is 64 KB (65,536 bytes). For cross-account access, attach a resource-based policy to the secret and encrypt it with a customer managed KMS key whose key policy also grants the other account kms:Decrypt; the AWS managed key aws/secretsmanager cannot be used across accounts.
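To make the fine-grained access points above concrete (the Fine-grained Access feature and the cross-account note in the exam tip), the following Python is an added example, not page or AWS code. It shows an over-broad identity policy next to a least-privilege one, the two documents a cross-account reader needs (the secret's resource policy and a statement for the customer managed key's key policy), and a small linter that flags the over-broad statements. The account numbers, role ARN, secret ARN and key ARN are made up.

```python
import json
from typing import Any, Dict, List, Tuple

REGION = "us-east-1"
PRODUCER_ACCOUNT = "111111111111"                                   # owns the secret (made up)
CONSUMER_ROLE = "arn:aws:iam::222222222222:role/app-reader"         # reader in another account (made up)
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{PRODUCER_ACCOUNT}:secret:prod/app/db-AbCdEf"
KEY_ARN = f"arn:aws:kms:{REGION}:{PRODUCER_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
VIA_SECRETS_MANAGER = {"StringEquals": {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}}

# Weak: turns any principal holding this policy into a reader of every secret in the account.
WEAK_IDENTITY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}],
}


def identity_policy(secret_arn: str, key_arn: str) -> Dict[str, Any]:
    """Least-privilege identity policy for a reader: one secret, its key, and
    kms:Decrypt only when the request arrives via Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
             "Resource": secret_arn},
            {"Effect": "Allow",
             "Action": "kms:Decrypt",
             "Resource": key_arn,
             "Condition": VIA_SECRETS_MANAGER},
        ],
    }


def cross_account_grants(consumer_role: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Return (secret resource policy, KMS key-policy statement) for a cross-account reader.

    The consumer still needs the identity policy above in its own account; the
    AWS managed key aws/secretsmanager cannot be used here, only a customer managed key.
    """
    resource_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": consumer_role},
                       "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                       "Resource": "*"}],          # in a secret's resource policy "*" is this secret
    }
    key_policy_statement = {
        "Sid": "AllowConsumerDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": consumer_role},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",                            # key policies always name the key itself as "*"
        "Condition": VIA_SECRETS_MANAGER,
    }
    return resource_policy, key_policy_statement


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def lint_identity_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag over-broad Allow statements in an identity policy."""
    findings: List[str] = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in resources:
            findings.append(f"statement {i}: resource '*' (scope to a secret or key ARN)")
        if "kms:Decrypt" in actions and "kms:ViaService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"statement {i}: kms:Decrypt without a kms:ViaService condition")
    return findings


if __name__ == "__main__":
    print(lint_identity_policy(WEAK_IDENTITY_POLICY))
    print(lint_identity_policy(identity_policy(SECRET_ARN, KEY_ARN)))
```

The kms:ViaService condition matters: without it, a principal granted kms:Decrypt on the key can decrypt any ciphertext produced under that key directly through KMS, not only the secret values that Secrets Manager hands out.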
