AWS Secrets Manager

What Is This Service?

Managed AWS secrets lifecycle service for storing, retrieving, rotating, and auditing secrets.

Mental model:

Secrets Manager = Store → Encrypt → Retrieve → Rotate → Audit

Primary purpose:

Securely manage application secrets and credentials without embedding them in code, images, configuration files, or infrastructure.

Typical secrets:

  • database credentials
  • API keys
  • OAuth tokens
  • application secrets
  • service credentials
  • third-party tokens
  • private certificates
  • SSH credentials

Why It Matters for Security

Hardcoded credentials are one of the most common cloud security failures.

Secrets Manager exists to:

  • eliminate embedded secrets
  • automate credential rotation
  • reduce credential lifetime
  • centralize secret governance
  • improve auditability
  • reduce blast radius

Security outcomes:

  • lower credential exposure
  • stronger least privilege
  • automatic credential hygiene
  • improved compliance

MOST TESTED:

Secrets Manager protects confidential credentials, not general configuration.


Architecture Example

Secure Application Secrets Pattern

flowchart LR
    App[Application]
    IAM[IAM Role]
    SM[Secrets Manager]
    KMS[KMS CMK]
    RDS[RDS]
    CloudTrail[CloudTrail]
    App --> IAM
    IAM --> SM
    SM --> KMS
    SM --> RDS
    SM --> CloudTrail

Architecture goals:

  • no hardcoded credentials
  • encrypted storage
  • temporary retrieval
  • centralized audit trail

Workflow(s)

Secret Retrieval Flow

sequenceDiagram
    participant App
    participant IAM
    participant SecretsManager
    participant KMS
    App->>IAM: Assume role
    IAM->>SecretsManager: GetSecretValue
    SecretsManager->>KMS: Decrypt
    KMS->>SecretsManager: Plaintext
    SecretsManager->>App: Secret returned

Automatic Rotation Workflow

sequenceDiagram
    participant Scheduler
    participant SecretsManager
    participant Lambda
    participant Database
    participant App
    Scheduler->>SecretsManager: Rotation event
    SecretsManager->>Lambda: Invoke
    Lambda->>Database: Create new credential
    Database->>Lambda: Success
    Lambda->>SecretsManager: Update versions
    App->>SecretsManager: Retrieve latest

Cross-Account Access Flow

sequenceDiagram
    participant Consumer
    participant IAM
    participant Secret
    participant KMS
    Consumer->>IAM: Assume role
    IAM->>Secret: Request access
    Secret->>KMS: Decrypt permission
    KMS->>Consumer: Secret available

Core Concepts

Secret

A secret contains:

  • secret value
  • metadata
  • encryption settings
  • versions
  • tags

Secret value formats:

  • string
  • JSON

Example:

{
  "username":"admin",
  "password":"example"
}

Encryption

MOST TESTED

Secrets are encrypted at rest.

Supported:

  • AWS managed KMS key
  • Customer managed KMS key (CMK)

Encryption process:

Store
↓
Encrypt
↓
Persist
↓
Retrieve
↓
Decrypt

Benefits of CMK:

  • key policies
  • rotation control
  • cross-account control
  • audit requirements

Exam trap:

Secrets Manager does not perform encryption itself.

KMS performs encryption.


Secret Versions

Secrets support versions.

Version labels:

  • AWSCURRENT
  • AWSPENDING
  • AWSPREVIOUS

Purpose:

Enable safe rotation.

Example:

Current → Production

Pending → Rotation

Previous → Rollback

MASSIVE EXAM TRAP:

Version stages are labels.

Not independent copies.


Secret Rotation

MOST TESTED

Rotation methods:

  • automatic
  • manual

Typical implementation:

Secrets Manager + Lambda

Supported native rotation examples:

  • RDS
  • Aurora
  • DocumentDB
  • Redshift

Process:

  1. Create credential
  2. Test credential
  3. Promote credential
  4. Retire previous

Benefits:

  • shorter credential lifespan
  • reduced exposure

Rotation Strategies

Single-user rotation:

Old password
↓
Update
↓
Applications reconnect

Fast.

Potential interruption.


Alternating-user rotation:

User A active
↓
Rotate User B
↓
Switch
↓
Rotate User A

Lower disruption.

Higher complexity.

MOST TESTED:

Alternating-user preferred for production databases.
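The version labels, the four-step rotation process and the two rotation strategies above, worked through in one added example. This is not AWS or Secrets Manager code: SecretModel, FakeDatabase, the user names and the password generator are constructed here to show that staging labels are pointers onto versions, not copies, and why single-user rotation has an interruption window that alternating-user rotation does not.

```python
# Added example (not AWS code): an in-memory model of Secrets Manager version
# stages and the rotation steps described in the notes. FakeDatabase, SecretModel
# and the user names are constructed for illustration.
import secrets
import string

CURRENT, PENDING, PREVIOUS = "AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"


class FakeDatabase:
    """Stands in for RDS: username -> password, updated by the rotation."""

    def __init__(self, users):
        self.users = dict(users)

    def set_password(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        return self.users.get(user) == password


class SecretModel:
    """Each version is stored once; staging labels are pointers onto version ids,
    not copies of the value (the 'labels, not copies' exam trap)."""

    def __init__(self, value):
        self.versions = {"v1": dict(value)}
        self.labels = {CURRENT: "v1"}
        self._count = 1

    def put_pending(self, value):
        self._count += 1
        vid = f"v{self._count}"
        self.versions[vid] = dict(value)
        self.labels[PENDING] = vid
        return vid

    def get(self, stage=CURRENT):
        return self.versions[self.labels[stage]]

    def promote_pending(self):
        """finishSecret: AWSCURRENT moves onto the pending version and the old
        current version keeps the AWSPREVIOUS label for rollback."""
        self.labels[PREVIOUS] = self.labels[CURRENT]
        self.labels[CURRENT] = self.labels.pop(PENDING)


def new_password(length=24):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_single_user(secret, db):
    """Single-user rotation: the active user's password changes in place.
    Between the database update (step 2) and promotion (step 4) the AWSCURRENT
    password no longer works; that gap is the interruption the notes mention.
    Returns True if that gap was observed."""
    cur = secret.get(CURRENT)
    candidate = dict(cur, password=new_password())
    secret.put_pending(candidate)                                   # 1. create
    db.set_password(cur["username"], candidate["password"])         # 2. set
    interrupted = not db.login(cur["username"], cur["password"])
    if not db.login(cur["username"], candidate["password"]):        # 3. test
        raise RuntimeError("pending credential failed test; AWSCURRENT unchanged")
    secret.promote_pending()                                        # 4. promote
    return interrupted


def rotate_alternating(secret, db):
    """Alternating-user rotation: the inactive user of the pair gets the new
    password, is tested, then promoted. The previously active credential keeps
    working until the next rotation, so clients still holding it are not cut off."""
    cur = secret.get(CURRENT)
    candidate = {"username": cur["alternate_username"],
                 "alternate_username": cur["username"],
                 "password": new_password()}
    secret.put_pending(candidate)                                   # 1. create
    db.set_password(candidate["username"], candidate["password"])   # 2. set
    if not db.login(candidate["username"], candidate["password"]):  # 3. test
        raise RuntimeError("pending credential failed test; AWSCURRENT unchanged")
    secret.promote_pending()                                        # 4. promote
    return secret.get(CURRENT)["username"]


if __name__ == "__main__":
    db = FakeDatabase({"app_user": "p1", "app_user_clone": "p2"})
    secret = SecretModel({"username": "app_user",
                          "alternate_username": "app_user_clone",
                          "password": "p1"})
    print("active after rotation:", rotate_alternating(secret, db))
    print("previous credential still valid:", db.login("app_user", "p1"))
    print("labels:", secret.labels)
```

If step 3 fails, promote_pending is never reached, so AWSCURRENT still points at the working version; that is the property a real rotation function must preserve.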


Retrieval Methods

Applications retrieve secrets through:

  • SDK
  • CLI
  • API
  • ECS integration
  • Lambda integration
  • EKS integration

Exam trap:

Applications should retrieve at runtime.

Avoid environment variable persistence.


Important Integrations

Service         | Purpose
----------------|-------------------
AWS KMS         | Encryption
IAM             | Authorization
RDS             | Native rotation
Lambda          | Rotation
CloudTrail      | Audit
ECS             | Runtime injection
EKS             | Kubernetes secrets
API Gateway     | Backend auth
EventBridge     | Automation
Organizations   | Governance
CloudFormation  | IaC
Parameter Store | Comparison

Security Features

Automatic Rotation

Shortens credential lifetime.

Benefits:

  • limits exposure
  • improves compliance

Auditability

CloudTrail records:

  • GetSecretValue
  • CreateSecret
  • RotateSecret
  • UpdateSecret

Exam trap:

CloudTrail records API activity.

Not plaintext values.


Fine-Grained Authorization

Controlled through:

  • IAM policies
  • resource policies
  • KMS policies

Examples:

Allow GetSecretValue

Deny DeleteSecret

Secret Resource Policies

HIGH VALUE

Secrets support resource policies.

Used for:

  • cross-account access
  • service access

Example:

Account A
↓
Resource Policy
↓
Account B reads secret

Cross-Account Access

Requires:

  • secret policy
  • IAM permissions
  • KMS permissions

MASSIVE EXAM TRAP:

Cross-account access often fails because:

KMS permissions missing.
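The resource policy, cross-account and "KMS permissions missing" points above, as one added example. This is not AWS's policy engine and not AWS sample code: the account ids, ARNs and role name are placeholders, and the matcher is deliberately simplified (Allow statements only, exact or "*" matching, Conditions ignored). Its purpose is to make the three required grants concrete and to show which one is absent when a cross-account read fails at the decrypt step.

```python
# Added example (not AWS's policy engine): the three grants a cross-account read
# of a secret needs, written as policy documents, plus a deliberately simplified
# matcher. Account ids, ARNs and the role name are placeholders. The matcher only
# understands Effect=Allow and exact or '*' matches and ignores Conditions, so it
# illustrates the exam trap; it is not an authorization tool.

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-creds-PLACEHOLDER"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"
CONSUMER_ROLE = "arn:aws:iam::222222222222:role/ConsumerRole"

# Owning account (111111111111): resource policy attached to the secret.
secret_resource_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CONSUMER_ROLE},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}

# Owning account: key policy on the CMK that protects the secret. Without this
# statement the caller passes the secret policy but the Decrypt call fails.
kms_statement_for_consumer = {
    "Effect": "Allow",
    "Principal": {"AWS": CONSUMER_ROLE},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}},
}
kms_key_policy_complete = {"Version": "2012-10-17", "Statement": [kms_statement_for_consumer]}
kms_key_policy_missing = {"Version": "2012-10-17", "Statement": []}

# Consuming account (222222222222): identity policy attached to ConsumerRole.
consumer_identity_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(allowed, wanted):
    return any(a == "*" or a == wanted for a in _as_list(allowed))


def allows(policy, principal, action, resource):
    """True if some Allow statement covers principal, action and resource.
    Identity policies carry no Principal element; they apply to their owner."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "Principal" in st and not _matches(st["Principal"].get("AWS", []), principal):
            continue
        if _matches(st.get("Action", []), action) and _matches(st.get("Resource", []), resource):
            return True
    return False


def cross_account_read_check(identity_policy, resource_policy, key_policy, principal):
    """Returns (ok, missing): every one of the four grants must be present."""
    checks = {
        "identity policy: secretsmanager:GetSecretValue":
            allows(identity_policy, principal, "secretsmanager:GetSecretValue", SECRET_ARN),
        "identity policy: kms:Decrypt":
            allows(identity_policy, principal, "kms:Decrypt", KEY_ARN),
        "secret resource policy":
            allows(resource_policy, principal, "secretsmanager:GetSecretValue", SECRET_ARN),
        "KMS key policy":
            allows(key_policy, principal, "kms:Decrypt", KEY_ARN),
    }
    missing = [name for name, ok in checks.items() if not ok]
    return (not missing, missing)


if __name__ == "__main__":
    print(cross_account_read_check(consumer_identity_policy, secret_resource_policy,
                                   kms_key_policy_complete, CONSUMER_ROLE))
    print(cross_account_read_check(consumer_identity_policy, secret_resource_policy,
                                   kms_key_policy_missing, CONSUMER_ROLE))
```

The kms:ViaService condition on the key statement is the usual way to limit the consumer's Decrypt grant to calls made through Secrets Manager rather than direct KMS use; the simplified matcher does not evaluate it, but a real key policy should carry it.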


Advanced Security and Operational Concepts

Control Plane vs Data Plane

Control Plane:

  • create secret
  • rotate
  • update metadata
  • manage access

Data Plane:

  • GetSecretValue
  • decrypt
  • return plaintext

Exam trap:

Frequent retrieval generates API calls, which are billed and subject to throttling.


Secrets Manager vs Systems Manager Parameter Store

MOST TESTED

Capability        | Secrets Manager | Parameter Store
------------------|-----------------|----------------
Secret rotation   | Native          | Limited
Secret lifecycle  | Advanced        | Basic
Cross-account     | Yes             | More limited
Pricing           | Higher          | Lower
Password rotation | Yes             | No
Secret versions   | Advanced        | Basic

Rule:

Need rotation → Secrets Manager

Need configuration → Parameter Store


Secrets Manager vs KMS

MASSIVE EXAM TRAP

Capability       | Secrets Manager | KMS
-----------------|-----------------|----------
Store secrets    | Yes             | No
Encrypt          | Uses KMS        | Yes
Rotation         | Yes             | Keys only
Secret lifecycle | Yes             | No

Rule:

KMS protects keys.

Secrets Manager protects secrets.


Secrets Manager vs IAM Roles

Capability           | Secrets Manager | IAM Roles
---------------------|-----------------|----------
AWS credentials      | Avoid           | Preferred
External credentials | Yes             | No
Temporary            | Optional        | Yes

Rule:

AWS service access → IAM Roles

External credentials → Secrets Manager


Caching

HIGH VALUE

Frequent retrieval can create:

  • latency
  • API cost
  • throttling

Solutions:

  • SDK caching
  • local cache

Pattern:

Secrets Manager
↓
Cache
↓
Application

Exam trap:

Avoid fetching secrets every request.


Multi-Region Secrets

Supports replication.

Pattern:

flowchart LR
    Primary --> Replica1
    Primary --> Replica2

Benefits:

  • DR
  • regional resilience
  • lower latency

MASSIVE EXAM TRAP:

Replication ≠ independent secrets.

Primary controls replication.


Deletion Behavior

Secrets support:

  • recovery window
  • scheduled deletion

Recovery window:

Configurable, 7–30 days.

Benefit:

Accidental deletion protection.


Event-Driven Secret Operations

flowchart LR
    EventBridge
    EventBridge --> Lambda
    Lambda --> SecretsManager

Use cases:

  • rotate after incident
  • emergency credential reset
  • governance workflows

ECS and EKS Secret Injection

Runtime retrieval.

Pattern:

Container
↓
IAM Role
↓
Secrets Manager
↓
Inject

Benefits:

  • no image secrets
  • reduced exposure

Exam trap:

Never bake secrets into container images.


Lambda Integration

Lambda retrieves secrets:

  • at startup
  • via cache
  • via SDK

Best practice:

Initialize outside handler.

Reduce API calls.
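The caching pattern (Secrets Manager → Cache → Application) and the Lambda guidance above (initialise outside the handler, retrieve via cache, reduce API calls), as one added example. This is not boto3 or AWS code: FakeSecretsClient mirrors only the response shape of the real GetSecretValue call (SecretString, VersionId), and FakeClock, SecretCache, connect_with_retry and the sample secret store are constructed here. It also handles the failure mode a cache introduces: a credential that was valid when cached but has since been rotated.

```python
# Added example (not boto3 or AWS code): a TTL cache in front of GetSecretValue,
# created once at module load, outside the Lambda handler, so warm invocations
# reuse the cached value. FakeSecretsClient mirrors only the response shape of
# the real get_secret_value call (SecretString, VersionId); it, FakeClock and the
# sample secret store are constructed for this example.
import json
import time


class FakeClock:
    """Controllable clock so cache expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class FakeSecretsClient:
    """Stands in for boto3 client('secretsmanager'); counts API calls."""

    def __init__(self, store):
        self.store = store
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        version = self.store[SecretId][VersionStage]
        return {"SecretString": json.dumps(version["value"]), "VersionId": version["id"]}


class SecretCache:
    """Caches parsed secret values for ttl_seconds; refresh() bypasses the cache."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}

    def get(self, secret_id):
        entry = self._entries.get(secret_id)
        if entry is not None and self._clock() < entry["expires"]:
            return entry["value"]
        return self.refresh(secret_id)

    def refresh(self, secret_id):
        resp = self._client.get_secret_value(SecretId=secret_id)
        value = json.loads(resp["SecretString"])
        self._entries[secret_id] = {"value": value, "expires": self._clock() + self._ttl}
        return value


def connect_with_retry(cache, secret_id, authenticate):
    """Use the cached credential; if the backend rejects it (typically because
    rotation moved AWSCURRENT since the cache was filled), refresh once and retry."""
    creds = cache.get(secret_id)
    if authenticate(creds):
        return creds
    creds = cache.refresh(secret_id)
    if not authenticate(creds):
        raise RuntimeError("credential rejected even after refresh")
    return creds


# Module scope: runs once per execution environment, not once per invocation.
STORE = {"prod/db": {"AWSCURRENT": {"id": "v1", "value": {"username": "app_user", "password": "p1"}}}}
CLIENT = FakeSecretsClient(STORE)
CACHE = SecretCache(CLIENT, ttl_seconds=300)


def handler(event, context):
    creds = CACHE.get("prod/db")
    return {"user": creds["username"], "api_calls_so_far": CLIENT.calls}


if __name__ == "__main__":
    print(handler({}, None))
    print(handler({}, None))   # warm invocation: same call count
```

With a real client the only change is replacing FakeSecretsClient with a boto3 Secrets Manager client; the TTL bounds how long a rotated credential can linger in memory, and the refresh-on-rejection path covers the window between rotation and expiry.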


Comparisons

Service         | Primary Role
----------------|---------------------
Secrets Manager | Secret lifecycle
KMS             | Key management
Parameter Store | Configuration
IAM Roles       | Temporary AWS access
CloudHSM        | Dedicated crypto

Common Exam Traps

  1. Secrets Manager uses KMS.

  2. Secrets Manager is not KMS.

  3. Rotation commonly requires Lambda.

  4. Runtime retrieval preferred.

  5. Cross-account requires KMS permission.

  6. Avoid environment variable persistence.

  7. Parameter Store is not equivalent.

  8. Alternating-user rotation minimizes downtime.

  9. IAM Roles preferred for AWS credentials.

  10. Replication is not backup.

  11. Secret versions use labels.

  12. CloudTrail never logs secret values.

  13. Frequent retrieval increases cost.

  14. Recovery window prevents accidental deletion.

  15. Use Secrets Manager for external credentials.


5-Second Recall

  • Secrets Manager = credential lifecycle
  • KMS = encryption
  • Lambda = rotation
  • Runtime retrieval preferred
  • AWSCURRENT = active
  • Cross-account requires KMS
  • Replication ≠ backup
  • IAM Roles for AWS access

Quick Revision Notes

  • Store secrets centrally
  • Encrypt using KMS
  • Rotate automatically
  • Retrieve at runtime
  • Use resource policies for sharing
  • Cache frequently used secrets
  • Prefer alternating-user DB rotation
  • CloudTrail audits access
  • Replicate for DR
  • Never hardcode credentials