stores the encrypted data key with the protected secret data.
requests AWS KMS to decrypt the encrypted data key.
uses the plaintext data key to decrypt the protected secret data.
never stores the data key in unencrypted form, and always disposes of the data key immediately after use.
Secrets Manager Rotation
AWS Secrets Manager enables database credential rotation on a schedule.
When Secrets Manager initiates a rotation
it uses the provided superuser database credentials to create a clone user with the same privileges but a different password.
communicates the clone user's credentials to the databases and to the applications that retrieve the database credentials from the secret.
integrates with CloudWatch Events to send a notification when it rotates a secret.
Credential rotation does not affect already open connections, because a connection is authenticated only when it is established and is not re-authenticated afterwards.
Secrets Manager vs Systems Manager Parameter Store
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
Open to further feedback, discussion and correction.
Which AWS service makes it easy for you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
AWS Secrets Manager
AWS Systems Manager
A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).