AWS Secrets Manager

Introduction

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Secrets Manager Overview

Key Features

  • Automatic rotation - Rotate secrets automatically
  • Fine-grained access - IAM policies for secret access
  • Encryption - KMS encryption at rest
  • Audit - CloudTrail integration
  • Cross-region replication - Disaster recovery
  • Versioning - Multiple secret versions

When to Use

Ideal Use Cases

  • Database credentials - RDS, Redshift, DocumentDB
  • API keys - Third-party service keys
  • SSH keys - Server access credentials
  • OAuth tokens - Application tokens
  • Application secrets - Configuration secrets
  • License keys - Software licenses

Signs Secrets Manager is Right for You

  • Need automatic credential rotation
  • Have database credentials to manage
  • Require audit trail for secret access
  • Need cross-region secret replication
  • Want centralized secret management

Secrets Manager vs Parameter Store

Feature | Secrets Manager | Parameter Store
--- | --- | ---
Automatic rotation | Yes | No (manual only)
Cross-region replication | Yes | No
Database integration | Native | No
Cost | $0.40/secret/month | Free tier available
Max secret size | 64 KB | 8 KB (standard)
KMS encryption | Always | Optional (SecureString)
Versioning | Built-in | Limited

When to Use Each

  • Secrets Manager: Database creds, rotation needed, compliance
  • Parameter Store: Simple config, cost-sensitive, no rotation needed

Core Concepts

Secret

  • Name and value pair
  • Encrypted with KMS
  • Contains versions
  • Has metadata and tags

Secret Value

  • String or binary
  • Often JSON for structured data
  • Up to 64 KB

Rotation

  • Automatic credential rotation
  • Lambda function performs rotation
  • Supports major databases
  • Custom rotation for other secrets

Versions

Label | Description
--- | ---
AWSCURRENT | Current active version
AWSPENDING | Version being rotated to
AWSPREVIOUS | Previous version
Custom labels | User-defined versions

What to Be Careful About

Security

  • IAM permissions - Least privilege access
  • KMS key access - Both secret and KMS permissions needed
  • Resource policies - Control cross-account access
  • VPC endpoints - Keep traffic private

Rotation

  • Lambda function - Needs network access to database
  • Multi-user rotation - For high availability
  • Rotation schedule - Don't rotate too frequently
  • Testing - Test rotation in non-prod first

Cost Management

  • Per secret charge - $0.40/secret/month
  • API calls - $0.05 per 10,000 calls
  • Caching - Cache secrets to reduce API calls
  • Consolidate secrets - JSON for related values

Integration

  • Application updates - Handle secret changes
  • Caching - Balance freshness vs API costs
  • Error handling - Handle rotation failures
  • Database connections - Reconnect after rotation

Automatic Rotation

Supported Databases

  • Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB)
  • Amazon Redshift
  • Amazon DocumentDB
  • Custom (via Lambda function)

Rotation Strategies

Strategy | Description
--- | ---
Single user | Rotate credentials for one user
Alternating users | Switch between two users
Multi-user | Use multiple users for high availability

Rotation Process

  1. Create new credentials (AWSPENDING)
  2. Set credentials in database
  3. Test new credentials
  4. Mark as current (AWSCURRENT)
  5. Previous version labeled AWSPREVIOUS
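
The five steps above combined with the alternating-users strategy from the Rotation Strategies table, as an added example that is not from this page or from AWS: Secrets Manager's version store and the database are in-memory stand-ins (FakeSecretsManager, FakeDatabase and the user names app_a/app_b are assumptions), so the staging-label transitions can be checked without an AWS account. A real rotation Lambda receives each step as a separate invocation; here they run in sequence.

```python
import secrets


class FakeSecretsManager:
    """Stand-in for one secret's version store: version id -> value, label -> version id."""

    def __init__(self, current_value):
        self.versions = {"v1": current_value}
        self.stages = {"AWSCURRENT": "v1"}

    def put_pending(self, value):
        version_id = f"v{len(self.versions) + 1}"
        self.versions[version_id] = value
        self.stages["AWSPENDING"] = version_id
        return version_id

    def get(self, stage):
        return self.versions[self.stages[stage]]

    def finish(self):
        # Promote AWSPENDING to AWSCURRENT; the old current becomes AWSPREVIOUS
        self.stages["AWSPREVIOUS"] = self.stages["AWSCURRENT"]
        self.stages["AWSCURRENT"] = self.stages.pop("AWSPENDING")


class FakeDatabase:
    """Stand-in database that checks a username/password pair."""

    def __init__(self, users):
        self.users = dict(users)  # username -> password (constructed sample data)

    def set_password(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        return self.users.get(user) == password


def rotate(secret_store, db):
    """Alternating-users rotation: create -> set -> test -> finish."""
    current = secret_store.get("AWSCURRENT")
    # Step 1: new password for the *other* user, staged as AWSPENDING
    other = "app_b" if current["username"] == "app_a" else "app_a"
    pending = {"username": other, "password": secrets.token_urlsafe(24)}
    secret_store.put_pending(pending)
    # Step 2: apply the new password in the database
    db.set_password(pending["username"], pending["password"])
    # Step 3: verify before promoting; on failure AWSCURRENT is left untouched
    if not db.login(pending["username"], pending["password"]):
        raise RuntimeError("testSecret failed; AWSCURRENT left unchanged")
    # Steps 4-5: AWSPENDING becomes AWSCURRENT, the old current becomes AWSPREVIOUS
    secret_store.finish()
    return secret_store.get("AWSCURRENT"), secret_store.get("AWSPREVIOUS")
```

Because the user named in AWSPREVIOUS keeps a valid password, an application still holding the old credentials continues to authenticate until it picks up the new version.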

Retrieving Secrets

AWS SDK (Python)

import boto3
import json

def get_secret():
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='my-secret')
    secret = json.loads(response['SecretString'])
    return secret

# Returns: {"username": "admin", "password": "secret123"}

AWS CLI

aws secretsmanager get-secret-value \
    --secret-id my-secret \
    --query SecretString \
    --output text

Environment Variables (ECS/Lambda)

# ECS Task Definition
secrets:
  - name: DB_PASSWORD
    valueFrom: arn:aws:secretsmanager:region:account:secret:my-secret

Common Interview Questions

  1. How does automatic rotation work?
     • Secrets Manager invokes a Lambda function
     • Lambda creates new credentials in the database
     • Lambda updates the secret with the new value
     • Secret staged as AWSPENDING, then AWSCURRENT
     • Configurable rotation schedule (e.g., 30 days)

  2. What's the difference between Secrets Manager and Parameter Store?
     • Secrets Manager: Automatic rotation, higher cost, database integration
     • Parameter Store: Manual rotation, free tier, simpler use cases
     • Both can store encrypted values with KMS

  3. How do you handle secrets in containers (ECS)?
     • Reference the secret ARN in the task definition
     • Secrets injected as environment variables
     • Use the IAM task role for permissions
     • Secrets Manager is resolved at container start

  4. How do you reduce Secrets Manager costs?
     • Cache secrets in the application
     • Use AWS-provided caching libraries
     • Consolidate related secrets into one JSON
     • Use Parameter Store for simpler needs

  5. How do you ensure high availability during rotation?
     • Use the alternating users strategy
     • Application can use either user
     • No downtime during rotation
     • Both users always have valid credentials

Caching Secrets

AWS Caching Libraries

  • Reduce API calls
  • Configurable cache TTL
  • Automatic refresh
  • Available for multiple languages

from aws_secretsmanager_caching import SecretCache

cache = SecretCache()  # wraps a default boto3 client and refreshes entries on its own interval
secret = cache.get_secret_string('my-secret')  # served from cache after the first call

Caching Considerations

  • TTL shorter than rotation period
  • Handle cache invalidation
  • Consider Lambda cold starts
  • Balance freshness vs cost
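
The caching considerations above together with the Integration points (handle secret changes, reconnect after rotation), as an added example that is not from this page or the AWS caching library: a small TTL cache in front of a secret fetcher that forces a refresh when the cached credentials are rejected. RefreshingSecretCache and FakeBackend are assumptions; FakeBackend is a constructed stand-in for Secrets Manager plus a database, not a real AWS API.

```python
import json
import time


class RefreshingSecretCache:
    """TTL cache in front of a secret fetcher, with forced refresh on rejection."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        self.fetch = fetch            # callable(secret_id) -> SecretString (JSON text)
        self.ttl = ttl_seconds        # keep this shorter than the rotation period
        self.clock = clock
        self._entries = {}            # secret_id -> (expires_at, parsed value)
        self.fetch_count = 0          # API calls made; each one is billable

    def get(self, secret_id, force=False):
        entry = self._entries.get(secret_id)
        if force or entry is None or entry[0] <= self.clock():
            self.fetch_count += 1
            value = json.loads(self.fetch(secret_id))
            self._entries[secret_id] = (self.clock() + self.ttl, value)
        return self._entries[secret_id][1]

    def connect(self, secret_id, open_connection):
        """Connect with cached creds; if they are rejected, refresh once and retry."""
        try:
            return open_connection(self.get(secret_id))
        except PermissionError:
            # A rotation may have landed before the TTL expired: invalidate and retry
            return open_connection(self.get(secret_id, force=True))


class FakeBackend:
    """Constructed stand-in: a secret store plus a database that only accepts
    the latest password. Not a real AWS API."""

    def __init__(self):
        self.password = "pw-1"

    def fetch(self, secret_id):
        return json.dumps({"username": "app", "password": self.password})

    def rotate(self):
        self.password = "pw-2"  # simulates a rotation landing

    def open_connection(self, creds):
        if creds["password"] != self.password:
            raise PermissionError("authentication failed")
        return f"conn:{creds['username']}:{creds['password']}"
```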

Cross-Region Replication

  • Replicate secrets to other regions
  • Disaster recovery
  • Regional access with lower latency
  • Automatic sync

import boto3

client = boto3.client('secretsmanager')
client.replicate_secret_to_regions(
    SecretId='my-secret',
    AddReplicaRegions=[
        # the replica is encrypted with a KMS key that lives in the replica region
        {'Region': 'eu-west-1', 'KmsKeyId': 'alias/my-key'}
    ]
)

Alternatives

AWS Alternatives

Service | When to Use Instead
--- | ---
Parameter Store | Simple config, no rotation needed
KMS | Encryption keys only
IAM | AWS API credentials

External Alternatives

Tool | Description
--- | ---
HashiCorp Vault | Multi-cloud secrets management
CyberArk | Enterprise secrets management
Azure Key Vault | Azure secrets service
Google Secret Manager | GCP secrets service

Best Practices

  1. Use automatic rotation - Enable for all database credentials
  2. Use JSON format - Store related values together
  3. Implement caching - Reduce API calls and costs
  4. Use resource policies - Control cross-account access
  5. Enable CloudTrail - Audit secret access
  6. Use VPC endpoints - Keep traffic private
  7. Test rotation - Verify in non-prod environments
  8. Use alternating users - For database HA during rotation
  9. Set up alarms - Monitor rotation failures
  10. Tag secrets - Organize and manage access

Pricing

Component | Cost
--- | ---
Per secret/month | $0.40
Per 10,000 API calls | $0.05

Example

  • 50 secrets, 1 million API calls/month
  • Secrets: 50 × $0.40 = $20
  • API calls: 1,000,000 ÷ 10,000 = 100 blocks × $0.05 = $5
  • Total: $20 + $5 = $25/month