AWS Secrets Manager
- AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.
- enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
- secure secrets by encrypting them with encryption keys managed using AWS KMS.
- offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
- supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
- supports IAM identity-based policies and resource-based policies on the secret for fine-grained access control, and gives a central place to rotate secrets and audit their use (via AWS CloudTrail) for resources in the AWS Cloud, third-party services, and on-premises.
- enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
- supports private access from a VPC through VPC interface endpoints (AWS PrivateLink), so secrets can be retrieved without traversing the public internet.
Secrets Manager with KMS
- Encryption
- for every new version of the secret, requests AWS KMS to generate a new data key under the secret's KMS key (the AWS managed key aws/secretsmanager by default, or a customer managed key).
- uses the plaintext copy of that data key to encrypt the secret value (envelope encryption); the KMS key itself never leaves KMS.
- stores the encrypted copy of the data key alongside the encrypted secret value, and discards the plaintext data key.
- Decryption
- requests AWS KMS to decrypt the encrypted data key stored with the secret version (a KMS Decrypt call, so access to the KMS key is required and is logged in CloudTrail).
- uses the returned plaintext data key to decrypt the protected secret data.
- never stores the data key in unencrypted form, and always disposes of the plaintext data key immediately after use.
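The envelope-encryption flow above, as an added example that is not part of the original page and not AWS code. FakeKms stands in for AWS KMS (the KMS key never leaves it; callers only ever see data keys and their encrypted copies), and the cipher is an HMAC-SHA256 CTR keystream with an encrypt-then-MAC tag, a stand-in for the AES the real service uses so that the example runs with the standard library alone. The SecretVersion record shows exactly what gets persisted: the encrypted value and the encrypted data key, nothing else.

```python
"""Envelope encryption as Secrets Manager uses it with KMS, simulated locally (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate keys for confidentiality and integrity, both derived from the one input key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style keystream: HMAC(nonce || counter) per 32-byte block, XORed over the data.
    stream = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _keystream_xor(enc_key, nonce, ct)


class FakeKms:
    """Stand-in for AWS KMS: only GenerateDataKey and Decrypt are exposed, the KMS key is not."""

    def __init__(self) -> None:
        self._kms_key = secrets.token_bytes(32)   # never returned to callers
        self.calls: list[str] = []                # which KMS API calls the service made

    def generate_data_key(self) -> tuple[bytes, bytes]:
        self.calls.append("GenerateDataKey")
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, aead_encrypt(self._kms_key, plaintext_key)

    def decrypt(self, encrypted_key: bytes) -> bytes:
        self.calls.append("Decrypt")
        return aead_decrypt(self._kms_key, encrypted_key)


@dataclass(frozen=True)
class SecretVersion:
    """What is persisted per secret version: encrypted value plus encrypted data key, nothing else."""
    ciphertext: bytes
    encrypted_data_key: bytes


def put_secret_version(kms: FakeKms, secret_value: bytes) -> SecretVersion:
    data_key, encrypted_data_key = kms.generate_data_key()       # a fresh data key per version
    version = SecretVersion(aead_encrypt(data_key, secret_value), encrypted_data_key)
    del data_key   # the plaintext data key is used once and dropped; it is never stored
    return version


def get_secret_value(kms: FakeKms, version: SecretVersion) -> bytes:
    data_key = kms.decrypt(version.encrypted_data_key)           # KMS unwraps the data key ...
    try:
        return aead_decrypt(data_key, version.ciphertext)        # ... the service decrypts locally
    finally:
        del data_key                                             # ... and drops the plaintext key


if __name__ == "__main__":
    kms = FakeKms()
    v = put_secret_version(kms, b"db-password-constructed")     # constructed sample secret value
    print(get_secret_value(kms, v), kms.calls)
```

Two things worth noticing when running it: each version gets its own data key (so revoking access to the KMS key revokes access to every version at once, while one leaked data key exposes only one version), and decrypting with a different FakeKms instance, or after flipping one ciphertext byte, fails the tag check rather than returning garbage. Python cannot truly zeroize a bytes object; the del calls mark intent, which is as close as the language gets.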
Secrets Manager Rotation
- AWS Secrets Manager enables database credential rotation on a schedule.
- When Secrets Manager initiates a rotation with the alternating-users strategy
- it uses the separately stored superuser (admin) credentials to create a clone user with the same privileges as the current user but a different password; on later rotations it alternates between the two users, resetting the password of whichever one is not current.
- once the new version is marked AWSCURRENT, applications that retrieve the secret receive the clone user's credentials. The previous user's password is left unchanged until the next rotation, so applications that cache credentials keep working in the meantime.
- emits rotation events (for example RotationSucceeded and RotationFailed) that can be matched in Amazon EventBridge (formerly CloudWatch Events) to send a notification when a secret is rotated.
- Rotation does not break connections that are already open: authentication happens only when a connection is established, and an existing session is not re-authenticated when the password changes.
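The alternating-users rotation described above, simulated end to end as an added example (not the page's or AWS's code). FakeDatabase and FakeSecretsManager are in-memory stand-ins for the RDS database and for one secret with its staging labels; the superuser credentials are assumed to live in a separate secret, the `_clone` suffix for the alternate user is a naming convention assumed here, and all users and passwords are constructed sample data. The rotate function walks the four steps a rotation function runs (createSecret, setSecret, testSecret, finishSecret), and build_fixture sets up the scenario so the effects on open connections and on cached credentials can be checked.

```python
"""Alternating-users credential rotation, simulated end to end (added example)."""
import secrets
import string
from dataclasses import dataclass


def new_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Connection:
    user: str

    def query(self) -> str:
        # Authentication happened at connect time; a later password change does not touch this session.
        return f"ok as {self.user}"


class FakeDatabase:
    """Stand-in for the RDS database: each user has a password and a privilege set."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[str, frozenset]] = {}

    def connect(self, user: str, password: str) -> Connection:
        if user not in self.users or not secrets.compare_digest(self.users[user][0], password):
            raise PermissionError(f"authentication failed for {user}")
        return Connection(user)

    def _require_superuser(self, conn: Connection) -> None:
        if "superuser" not in self.users[conn.user][1]:
            raise PermissionError("superuser required")

    def create_user(self, conn: Connection, name: str, password: str, privileges: frozenset) -> None:
        self._require_superuser(conn)
        self.users[name] = (password, privileges)

    def alter_password(self, conn: Connection, name: str, password: str) -> None:
        self._require_superuser(conn)
        self.users[name] = (password, self.users[name][1])


class FakeSecretsManager:
    """Stand-in for one secret: its versions plus the AWSCURRENT / AWSPENDING / AWSPREVIOUS labels."""

    def __init__(self, first_value: dict) -> None:
        self.versions = {"v1": dict(first_value)}
        self.stages = {"AWSCURRENT": "v1"}

    def get(self, stage: str = "AWSCURRENT") -> dict:
        return dict(self.versions[self.stages[stage]])

    def put_pending(self, value: dict) -> str:
        version_id = f"v{len(self.versions) + 1}"
        self.versions[version_id] = dict(value)
        self.stages["AWSPENDING"] = version_id
        return version_id

    def promote_pending(self) -> None:
        self.stages["AWSPREVIOUS"] = self.stages["AWSCURRENT"]
        self.stages["AWSCURRENT"] = self.stages.pop("AWSPENDING")


def rotate(app_secret: FakeSecretsManager, admin_secret: FakeSecretsManager, db: FakeDatabase) -> dict:
    """The four steps of a rotation function: createSecret, setSecret, testSecret, finishSecret."""
    # createSecret: stage the alternate user with a fresh password under AWSPENDING.
    current = app_secret.get("AWSCURRENT")
    name = current["username"]
    alternate = name[:-len("_clone")] if name.endswith("_clone") else name + "_clone"
    pending = dict(current, username=alternate, password=new_password())
    app_secret.put_pending(pending)
    # setSecret: the separate superuser secret creates the clone (same privileges) or resets its password.
    admin = admin_secret.get("AWSCURRENT")
    admin_conn = db.connect(admin["username"], admin["password"])
    if alternate not in db.users:
        db.create_user(admin_conn, alternate, pending["password"], db.users[name][1])
    else:
        db.alter_password(admin_conn, alternate, pending["password"])
    # testSecret: prove the pending credentials log in before anything is pointed at them.
    db.connect(alternate, pending["password"]).query()
    # finishSecret: move AWSCURRENT to the pending version; the previous user's password is untouched.
    app_secret.promote_pending()
    return app_secret.get("AWSCURRENT")


def build_fixture() -> tuple[FakeSecretsManager, FakeSecretsManager, FakeDatabase]:
    """Constructed sample data: a superuser, an application user, and the two secrets holding them."""
    db = FakeDatabase()
    db.users["admin"] = ("admin-pw-constructed", frozenset({"superuser"}))
    db.users["app"] = ("app-pw-constructed", frozenset({"SELECT", "INSERT"}))
    host = "db.example.internal"  # assumed hostname, not a real endpoint
    app_secret = FakeSecretsManager({"username": "app", "password": "app-pw-constructed", "host": host})
    admin_secret = FakeSecretsManager({"username": "admin", "password": "admin-pw-constructed", "host": host})
    return app_secret, admin_secret, db
```

Running two rotations back to back shows the trade-off of this strategy: after the first, AWSCURRENT points at app_clone, a session opened earlier as app still answers queries, and the old app password still logs in because it was never changed; only the second rotation, which resets app's password, invalidates it. That grace period is what keeps credential-caching clients working, and it is also why the old credentials must be treated as live for one full rotation interval.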
Secrets Manager vs Systems Parameter Store
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
- Open to further feedback, discussion and correction.
- Which AWS service makes it easy for you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
- AWS WAF
- AWS Secrets Manager (correct)
- AWS Systems Manager
- AWS Shield
- A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
- Store the password in AWS Secrets Manager. Enable automatic rotation on the secret. (correct: Secrets Manager has built-in rotation for RDS)
- Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter. (Parameter Store has no native rotation)
- Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password. (works, but more overhead)
- Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK). (KMS rotates key material, not passwords)