AWS Secrets Manager

  • AWS Secrets Manager helps protect the secrets needed to access applications, services, and IT resources.
  • Enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • Secures secrets by encrypting them with encryption keys managed in AWS KMS.
  • Offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
  • Supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
  • Supports IAM and resource-based policies for fine-grained access control to secrets, and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.
  • Enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
  • Supports private access from within a VPC using VPC interface endpoints.
  • Supports dual-stack (IPv4 and IPv6) endpoints in all regions.
  • Supports the BatchGetSecretValue API to retrieve up to 20 secrets in a single API call, reducing latency and API call costs.
  • Supports cost allocation tags to categorize and track secret costs by department, team, or application in AWS Cost Explorer.
  • Supports hybrid post-quantum TLS using ML-KEM to protect secrets in transit against future quantum computing threats.

Secrets Manager with KMS

  • Encryption
    • Encrypts a new version of the protected secret data by asking AWS KMS to generate a new data key from the KMS key.
    • Uses this data key for envelope encryption of the secret value.
    • Stores the encrypted data key alongside the protected secret data.
  • Decryption
    • Asks AWS KMS to decrypt the encrypted data key.
    • Uses the plaintext data key to decrypt the protected secret data.
    • Never stores the data key in unencrypted form, and always disposes of the plaintext data key immediately after use.

Secrets Manager Rotation

  • AWS Secrets Manager enables database credential rotation on a schedule.
  • Supports rotation as frequently as every four hours, with configurable rotation windows using cron or rate expressions.
  • Rotation can be configured using:
    • Managed rotation – the service configures and manages rotation automatically without Lambda functions (supported for RDS, Aurora, Redshift, DocumentDB).
    • Lambda function rotation – for custom rotation logic using Lambda functions.
    • Managed external secrets rotation – for third-party credentials (e.g., Salesforce, MongoDB Atlas, Confluent Cloud) without Lambda functions.
  • Rotating credentials does not affect already-open connections, since they are not re-authenticated; authentication happens only when a connection is established.
  • Integrates with CloudWatch Events/EventBridge to send a notification when it rotates a secret.
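As an added example (not AWS's own rotation template), the Lambda-style rotation handler below walks a single-user database secret through the four steps that Secrets Manager invokes in turn (createSecret, setSecret, testSecret, finishSecret) and shows how the AWSPENDING and AWSCURRENT staging labels move. The boto3 client and the database are replaced by constructed stand-ins (FakeSecretsManager and a db dict) that are injected instead of the real handler's (event, context) signature, so it runs offline.

```python
# Added example (not AWS's rotation template): a Lambda-style rotation handler for a single-user
# database secret, showing the four steps Secrets Manager invokes and the AWSPENDING -> AWSCURRENT
# bookkeeping. FakeSecretsManager and `db` are constructed stand-ins for boto3 and the database.
import json
import secrets
import string

class FakeSecretsManager:
    def __init__(self, version_id, secret_string):
        self.versions = {version_id: [secret_string, {"AWSCURRENT"}]}  # version id -> [value, stages]
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(s) for v, (_, s) in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        return next({"SecretString": v} for v, s in self.versions.values() if VersionStage in s)
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, set(VersionStages)]
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1] -= {VersionStage}
        self.versions[RemoveFromVersionId][1] |= {"AWSPREVIOUS"}  # the real service moves AWSPREVIOUS too
        self.versions[MoveToVersionId][1] |= {VersionStage}

def pending_password(client, arn):
    return json.loads(client.get_secret_value(SecretId=arn, VersionStage="AWSPENDING")["SecretString"])["password"]

def lambda_handler(event, client, db):
    # Secrets Manager invokes the function once per step with SecretId, ClientRequestToken and Step.
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "already rotated"  # idempotent: a retried invocation must not rotate twice
    if step == "createSecret":
        if "AWSPENDING" not in stages.get(token, []):  # retry-safe: keep an existing pending version
            new = json.loads(client.get_secret_value(SecretId=arn)["SecretString"])
            new["password"] = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
            client.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=json.dumps(new), VersionStages=["AWSPENDING"])
    elif step == "setSecret":  # real code: ALTER USER ... PASSWORD on the database with the pending value
        db["password"] = pending_password(client, arn)
    elif step == "testSecret":  # real code: open a connection using the pending credential
        if db["password"] != pending_password(client, arn):
            raise RuntimeError("pending credential rejected; stop before finishSecret")
    elif step == "finishSecret":  # only now does the new version become AWSCURRENT
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT", MoveToVersionId=token, RemoveFromVersionId=current_id)
    return step

def rotate(client, db, arn, token):
    # Drive the four steps in order, as the service does; return the final version-to-stage map.
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": arn, "ClientRequestToken": token, "Step": step}, client, db)
    return client.describe_secret(SecretId=arn)["VersionIdsToStages"]
```

Because the new version only receives AWSCURRENT in finishSecret, a failure in testSecret leaves the old credential live and the pending version parked under AWSPENDING for the next attempt.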

Rotation Strategies

  • Single user rotation
    • Updates credentials for one user in one secret.
    • The user’s password is changed in both the secret and the database.
    • Recommended when cloned users don’t have the same permissions, or for ad hoc/interactive users.
    • Brief period of potential sign-in failure between rotation and propagation.
  • Alternating users rotation
    • Creates a clone user with identical privileges but a different password.
    • Alternates between two users on each rotation.
    • Requires a separate secret with superuser credentials.
    • Provides higher availability as the old version remains valid until next rotation.

Managed External Secrets

  • Introduced in November 2025, managed external secrets extend managed rotation to third-party SaaS credentials.
  • Enables centralized management and automatic rotation of credentials for third-party software providers directly from Secrets Manager.
  • No Lambda functions required – rotation is fully managed by Secrets Manager.
  • Supports standardized formats and multiple rotation strategies per SaaS provider.
  • Supported providers include Salesforce, MongoDB Atlas, and Confluent Cloud (expanding).
  • Eliminates the need for provider-specific custom rotation logic.

Secrets Manager Agent & Workload Credentials Provider

  • Secrets Manager Agent (released July 2024)
    • Language-agnostic local HTTP service that pulls and caches secrets in compute environments.
    • Exposes a localhost endpoint (port 2773) for applications to retrieve secrets from in-memory cache.
    • Reduces API calls and improves application availability.
    • Default cache TTL of 300 seconds (configurable).
    • Open source and supports pre-fetching secrets at startup and IAM role assumption (May 2026).
    • Supports hybrid post-quantum TLS (ML-KEM) by default since version 2.0.
    • Works with EC2, ECS, EKS, Lambda, and on-premises/multi-cloud environments.
  • AWS Workload Credentials Provider (released June 2026)
    • Unified lightweight client-side provider that automates deployment of ACM certificates and caching of Secrets Manager secrets.
    • Maintains full backwards compatibility with Secrets Manager Agent.
    • Works across AWS and non-AWS workloads through a single unified provider.
    • Uses post-quantum ML-KEM key exchange by default.

Secrets Manager Security Features

  • Post-Quantum TLS
    • Supports hybrid post-quantum key exchange using ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) for TLS connections.
    • Combines traditional cryptography (X25519) with post-quantum algorithms to protect against “harvest now, decrypt later” threats.
    • Service-side support launched in 2025; client-side support extended in April 2026.
    • Secrets at rest are already quantum-safe (symmetric encryption via KMS).
  • API Rate Limits (March 2025)
    • GetSecretValue: up to 10,000 requests per second
    • DescribeSecret: up to 40,000 requests per second
  • Managed Policies
    • SecretsManagerReadWrite – full access including redshift-serverless permission (March 2024).
    • AWSSecretsManagerClientReadOnlyAccess – read-only access for client applications, includes BatchGetSecretValue and ListSecrets (November 2025, updated June 2026).

Client-Side Caching

  • Caching libraries available for Java, Python, .NET, Go, and Rust.
  • Improves speed, availability, and reduces costs by minimizing API calls.
  • Default cache refresh interval is one hour (configurable).
  • Does not include cache invalidation – if a secret rotates before TTL expires, stale values may be returned.
  • For containerized workloads, client-side caching allows credential rotation without restarting containers.
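An added example (not the AWS caching library) that reproduces the stale-read caveat above: a small TTL cache whose entries outlive a rotation, plus the usual mitigation of bypassing the cache once when the database rejects the cached credential. The fetch function, the clock and the database handshake are constructed stand-ins.

```python
# Added example (not the AWS caching library): a TTL cache for secret values that reproduces
# the stale-read window after a rotation and the usual mitigation, refreshing once when the
# cached credential is rejected. Clock, fetch function and database handshake are stand-ins.
import time

class AuthError(Exception):
    """Raised by the connect function when the database rejects a credential."""

class SecretCache:
    def __init__(self, fetch, ttl_seconds=3600, clock=time.monotonic):
        self._fetch = fetch       # callable(secret_id) -> secret string (GetSecretValue in real code)
        self._ttl = ttl_seconds   # the page's default refresh interval is one hour
        self._clock = clock
        self._entries = {}        # secret_id -> (value, expires_at)
        self.api_calls = 0

    def get(self, secret_id, force_refresh=False):
        entry = self._entries.get(secret_id)
        if entry is not None and not force_refresh and self._clock() < entry[1]:
            return entry[0]       # served from cache: stale if the secret rotated since it was fetched
        value = self._fetch(secret_id)
        self.api_calls += 1
        self._entries[secret_id] = (value, self._clock() + self._ttl)
        return value

def connect_with_cache(cache, secret_id, connect):
    """Use the cached credential; if the database rejects it, bypass the cache once and retry."""
    try:
        return connect(cache.get(secret_id))
    except AuthError:
        return connect(cache.get(secret_id, force_refresh=True))

def demo():
    """Constructed scenario: the secret rotates ten minutes into a one-hour cache TTL."""
    backend = {"prod/db": "pw-v1"}          # what GetSecretValue would currently return
    now = [0.0]                             # fake monotonic clock
    cache = SecretCache(backend.__getitem__, ttl_seconds=3600, clock=lambda: now[0])
    def connect(password):                  # stand-in for the database handshake
        if password != backend["prod/db"]:
            raise AuthError("password authentication failed")
        return "session:" + password
    first = connect_with_cache(cache, "prod/db", connect)   # fills the cache with pw-v1
    backend["prod/db"] = "pw-v2"                             # rotation completes
    now[0] += 600                                            # ten minutes later, TTL not expired
    stale = cache.get("prod/db")                             # plain cache read still returns pw-v1
    second = connect_with_cache(cache, "prod/db", connect)   # rejected once, refreshed, succeeds
    return {"first": first, "stale": stale, "second": second, "api_calls": cache.api_calls}
```

The refresh-on-rejection retry is what keeps a one-hour TTL safe alongside frequent rotation; pairing it with the alternating-users strategy removes the failed first attempt as well, since the previous credential stays valid until the next rotation.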

Secrets Manager vs Systems Manager Parameter Store

  • Key Differences:
    • Secrets Manager is designed specifically for secrets with built-in rotation; Parameter Store is a general-purpose configuration store.
    • Secrets Manager supports managed rotation (no Lambda needed for supported databases); Parameter Store requires custom Lambda for rotation.
    • Secrets Manager charges per secret ($0.40/month) and per API call ($0.05/10K calls); Parameter Store Standard tier is free.
    • Secrets Manager supports cross-region replication natively; Parameter Store does not.
    • Secrets Manager supports BatchGetSecretValue; Parameter Store supports GetParameters (up to 10).
  • AWS Recommendation (2025): Use Secrets Manager for secrets, Parameter Store for simple key-value configuration, and AWS AppConfig for feature flags and advanced dynamic configuration.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which AWS service makes it easy for you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
    1. AWS WAF
    2. AWS Secrets Manager
    3. AWS Systems Manager
    4. AWS Shield
  2. A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
    1. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
    2. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
    3. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
    4. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
  3. A company has multiple applications that retrieve database credentials from AWS Secrets Manager at a high rate, causing throttling. Which approach should the company use to address this issue with MINIMAL code changes?
    1. Increase the Secrets Manager service quota for API calls.
    2. Implement client-side caching using the Secrets Manager caching library or deploy the Secrets Manager Agent for local caching.
    3. Store credentials in Systems Manager Parameter Store instead.
    4. Replicate the secrets to additional regions and distribute read traffic.
  4. A company needs to manage and rotate credentials for multiple third-party SaaS applications (Salesforce, MongoDB Atlas) with the LEAST operational overhead. Which approach should they use?
    1. Write custom Lambda rotation functions for each SaaS provider.
    2. Store credentials in Parameter Store and use EventBridge rules for rotation.
    3. Use AWS Secrets Manager managed external secrets for automated rotation without Lambda functions.
    4. Build a custom rotation service running on ECS.
  5. A company wants to protect its secrets in transit against future quantum computing threats. Which feature of AWS Secrets Manager addresses this requirement?
    1. Use customer-managed KMS keys for encryption at rest.
    2. Enable secret replication across multiple regions.
    3. Use hybrid post-quantum TLS with ML-KEM for Secrets Manager API connections.
    4. Enable automatic secret rotation every 4 hours.
  6. A company runs applications on-premises and in AWS. They need a language-agnostic way to retrieve secrets locally without modifying application code to use the AWS SDK. Which solution provides this capability?
    1. Use AWS Systems Manager Parameter Store with the SSM agent.
    2. Embed secrets in environment variables at deployment time.
    3. Deploy the AWS Secrets Manager Agent (or Workload Credentials Provider) for local HTTP-based secret retrieval with in-memory caching.
    4. Use AWS Lambda to periodically fetch and write secrets to a local file.