AWS Secrets Manager (SM) - Overview.
Focus:
- Intro,
- Key Features,
- Secret Types & Formats,
- Pricing & Limits,
- The concept of AWS Secrets Manager (deep dive),
- AWS Secrets Manager (SM) integration,
- Table for Secrets Manager vs SSM Parameter Store,
- How Secrets Are Stored & secured with a policy (encrypted JSON blob in a managed service),
- Secret Rotation
- Secret Rotation Rotation process,
- Sample deployment of AWS Secrets Manager (SM) with automatic rotation: AWS CLIm
- Secret Rotation
- Access Control & Security (control layers),
- sample IAM policy for Access Control & Security,
- Sample Resource Policy for cross-account access,
- Monitoring & Auditing purpose,
- Best Practices,
- Advanced Patterns,
- Cost Optimization.
Intro:
- AWS Secrets Manager is a fully managed service that allows twtech to store, manage, and retrieve sensitive information like:
- database credentials,
- API keys,
- other secrets.
- AWS Secrets Manage replaces the insecure practice of hardcoding credentials in application code.
- Automatic Secret Rotation: It can automatically rotate secrets for supported AWS services like:
- Amazon RDS,
- Redshift,
- DocumentDB without requiring application downtime.
- Encryption at Rest: Secrets are encrypted using AWS Key Management Service (KMS) keys.
- Programmatic Retrieval: Applications can use the AWS SDK or AWS CLI to fetch secrets at runtime.
- Fine-Grained Access Control: Access is managed through AWS Identity and Access Management (IAM) policies and resource-based policies.
- Auditing and Monitoring: Integration with AWS CloudTrail logs every API call for compliance and security auditing.
- Multi-Region Replication: Secrets can be replicated across different AWS Regions to support disaster recovery and global applications.
- Key-Value Pairs: Often stored as JSON objects for structured management.
- Plaintext: Suitable for simple strings or binary data.
- Database Credentials: Native support for various database types, allowing for automated rotation.
- Cost: Typically $0.40 per secret per month, plus $0.05 per 10,000 API calls.
- Version History: Secrets Manager maintains a history of secret versions, allowing for rollback if needed.
Architecture
1. The concept of AWS Secrets Manager (deep dive).
- AWS Secrets Manager (SM) is a fully managed service for securely storing, retrieving, and rotating secrets, such as:
- Database credentials
- API keys
- OAuth tokens
- SSH keys
- Any arbitrary key-value pairs
AWS Secrets Manager (SM)
integration:
- AWS IAM (for access control)
- AWS KMS (for encryption at rest)
- AWS Lambda (for custom rotation)
- AWS CloudFormation / CDK / Terraform (for automation)
2. Table for Secrets Manager vs SSM Parameter Store
|
Feature |
Secrets
Manager |
SSM
Parameter Store |
|
Designed
for |
Secrets / credentials. |
Config values |
|
Automatic
rotation |
✅ Yes (via Lambda). |
❌ No (manual or custom) |
|
Cross-account
access |
✅ Supported via
Resource Policies. |
✅ Supported via
KMS + IAM |
|
Native
database integration |
✅ RDS, Redshift,
DocumentDB. |
❌ No |
|
Versioning |
✅ |
✅ |
|
Cost |
~$0.40 per secret/month + API calls. |
Free for Standard, paid for Advanced |
|
Encryption |
KMS-managed. |
KMS-managed |
NB (Rule of thumb):
- Use Secrets Manager for sensitive credentials that need rotation or auditing,
- Use Parameter Store for non-secret configurations.
3. How Secrets Are Stored & secured with a policy (encrypted JSON blob in a managed service):
# json
{
"username": "twtechadmin",
"password": "twtechpassword-S3cr3tP@ss",
"engine": "mysql",
"host": "twtechdb.cluster-abc123.us-east-2.rds.amazonaws.com",
"port": 3306
}
AWS Secrets Manager (SM) Encryption
- Every secret is encrypted with AWS KMS CMK.
- twtech can use the default AWS-managed key (aws/secretsmanager) or a customer-managed key (CMK).
- Access to the secret requires both:
- IAM permission to the secret itself,
- IAM/KMS permission to use the encryption key.
4. Secret Rotation
Secrets Manager can automatically rotate secrets using AWS Lambda.
- Built-in rotation templates (RDS,
Aurora, Redshift, DocumentDB)
- Custom rotation Lambdas (for
external APIs, on-prem apps, etc.)
Secret Rotation Rotation
process
- Secrets Manager calls the rotation
Lambda.
- Lambda creates a new secret and updates the target resource (e.g., RDS password).
- Lambda marks the new secret version as current.
- Optionally, old versions can be retained or deleted after a grace period.
Sample deployment of AWS Secrets Manager (SM) with automatic rotation: AWS CLI
# bash
aws secretsmanager rotate-secret \
--secret-id twtechDatabaseSecret \
--rotation-lambda-arn arn:aws:lambda:us-east-2:accountID:function:RotateRDSSecret \
--rotation-rules AutomaticallyAfterDays=30
5. Access Control & Security (control layers):
- IAM policies – Defines who can access or modify secrets
- Resource policies – cross-account or service-based access
- KMS policies – encryption key access
- Encryption in transit – enforced via TLS
twtech sample IAM policy for Access Control & Security:
# json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["secretsmanager:GetSecretValue"],
"Resource": "arn:aws:secretsmanager:us-east-2:accountID:secret:prod/twtechdbpassword/*"
}]
}
twtech sample
Resource Policy for cross-account access:
# json
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "twtechCrossAccountAccess",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::accountID:role/twtechCrossAccountAppRole"},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}]
}
6.
Monitoring & Auditing purpose
|
Integration |
Purpose |
|
CloudTrail |
Logs all secret retrieval, creation,
update, and rotation events |
|
CloudWatch Logs |
For Lambda rotation logs |
|
CloudWatch Alarms |
Notify on rotation or access
failures |
|
AWS Config |
Detect unrotated or unencrypted
secrets |
7. Sample Config rule for secretsmanager-scheduled-rotation-success-check
# twtechCloudFormationSample.yaml
Resources:
MyDatabaseSecret:
Type: AWS::SecretsManager::Secret
Properties:
Name: /prod/db/twtechprodpassword
Description: "twtech Database credentials
for production environment"
KmsKeyId: arn:aws:kms:us-east-2:accountID:key/twtechkmskey-abcd1234...
SecretString: !Sub |
{
"username":
"twtechAdmin",
"password":
"${RandomPassword}"
}
RandomPassword:
Type: AWS::SecretsManager::RandomPassword
Properties:
PasswordLength: 16
ExcludeCharacters: '"@/\\'
8. Best Practices
✅ Use customer-managed KMS keys for fine-grained control.
✅ Rotate secrets automatically every 30–60 days.
✅ Avoid embedding secrets directly in Lambda environment variables.
✅ Enable CloudTrail & AWS Config for auditing.
✅ Use naming conventions like /env/service/component/twtechsecretName.
✅ Use least privilege IAM policies with granular resource ARNs.
✅ Leverage cross-account access carefully (use Resource Policies + KMS grants).
9. Advanced Patterns
Cross-account Secrets Access
- Use resource-based policies on the
secret.
- Grant KMS decrypt permission to the consuming account.
- Ideal for centralized secrets management in a shared services account.
Dynamic secret generation
- Lambda rotation can dynamically generate
credentials in external systems.
- Example: rotate an API key in GitHub or HashiCorp Vault.
Secrets caching
Use the AWS Secrets Manager caching library to reduce API calls:
from aws_secretsmanager_caching import SecretCache, SecretCacheConfig
cache = SecretCache(config=SecretCacheConfig())
secret = cache.get_secret_string('prod/db/twtecchprodpassword')
10. Cost Optimization
- Each secret: ~$0.40/month
- Each 10K API calls: ~$0.05
- Rotation adds Lambda cost
No comments:
Post a Comment