AWS Secrets Manager vs Systems Manager Parameter Store

  • AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources and can easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • AWS Systems Manager Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management and can store data such as passwords, database strings, etc.

AWS Secrets Manager vs Systems Manager Parameter Store

  • Storage (limits keep changing)
    • AWS Systems Manager Parameter Store allows us to store up to
      • Standard tier – 10,000 parameters, each of which can be up to 4 KB
      • Advanced tier – 100,000 parameters, each of which can be up to 8 KB
    • AWS Secrets Manager allows us to store up to 40,000 secrets, each of which can be up to 64 KB.
  • Encryption
    • Encryption is optional for Systems Manager Parameter Store.
    • Encryption is mandatory for Secrets Manager; you cannot opt out.
  • Automated Secret Rotation
    • Systems Manager Parameter Store does not support out-of-the-box secret rotation.
    • AWS Secrets Manager enables database credential rotation on a schedule.
  • Cross-account Access
    • Systems Manager Parameter Store does not support cross-account access.
    • AWS Secrets Manager supports resource-based IAM policies that grant cross-account access.
  • Cost (keeps changing)
    • Secrets Manager is comparatively costlier than Systems Manager Parameter Store.
    • AWS Systems Manager Parameter Store comes with no additional cost for the Standard tier.
    • AWS Secrets Manager costs $0.40 per secret per month, and data retrieval costs $0.05 per 10,000 API calls.
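A worked example of the cross-account item above, added here and not part of the original post: a CloudFormation template that shares one secret with a role in another account through a resource-based policy. The account ID, role name and secret name are placeholders; the secret must use a customer managed KMS key (the default aws/secretsmanager key cannot be shared), and that key's policy must let the consumer decrypt, but only via Secrets Manager.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - share one secret with a role in another account (placeholders)
Parameters:
  ConsumerRoleArn:
    Type: String
    Default: "arn:aws:iam::222222222222:role/app-reader"  # placeholder consumer account and role
Resources:
  # Customer managed key: the AWS managed aws/secretsmanager key cannot be used cross-account.
  SecretKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: OwnerAccountAdmin
            Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: "kms:*"
            Resource: "*"
          - Sid: ConsumerDecryptOnlyViaSecretsManager
            Effect: Allow
            Principal: { AWS: !Ref ConsumerRoleArn }
            Action: "kms:Decrypt"
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub "secretsmanager.${AWS::Region}.amazonaws.com"
  SharedSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: "prod/app/db-credentials"  # placeholder
      KmsKeyId: !Ref SecretKey
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app"}'
        GenerateStringKey: password
        ExcludeCharacters: '"@/\'
  # Resource-based policy on the secret: read access for the consumer role only.
  SharedSecretPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref SharedSecret
      BlockPublicPolicy: true
      ResourcePolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: ConsumerRead
            Effect: Allow
            Principal: { AWS: !Ref ConsumerRoleArn }
            Action: [secretsmanager:GetSecretValue, secretsmanager:DescribeSecret]
            Resource: "*"
```

The consumer account still needs an identity policy on app-reader that allows secretsmanager:GetSecretValue on the secret's ARN; the resource policy alone is not enough.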

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
    1. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
    2. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
    3. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
    4. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).

AWS Secrets Manager

  • AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.
  • enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • secures secrets by encrypting them with encryption keys managed using AWS KMS.
  • offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
  • supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
  • supports IAM and resource-based policies for fine-grained access control to secrets and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.
  • enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
  • supports private access using VPC Interface endpoints.

Secrets Manager with KMS

  • Encryption
    • encrypts a new version of the protected secret data by requesting AWS KMS to generate a new data key from the KMS key.
    • uses this data key for envelope encryption.
    • stores the encrypted data key with the protected secret data.
  • Decryption
    • requests AWS KMS to decrypt the encrypted data key.
    • uses the plaintext data key to decrypt the protected secret data.
    • never stores the data key in unencrypted form, and always disposes of the data key immediately after use.
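The envelope-encryption sequence above, as an added example that is not AWS's code: a simulated KMS (FakeKms) is the only holder of the master key and hands out a fresh data key per secret version, and the secret store keeps only the ciphertext plus the encrypted data key. The cipher is an HMAC-SHA256 counter keystream standing in for the AES-256-GCM that KMS really uses; it is unauthenticated and exists only so the key hierarchy runs on the standard library.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (unauthenticated); real KMS/Secrets Manager use AES-256-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class FakeKms:
    """Stand-in for the KMS key: the master key never leaves this object."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def generate_data_key(self) -> tuple[bytes, bytes]:
        # GenerateDataKey: plaintext data key plus the same key wrapped under the master key.
        plaintext = os.urandom(32)
        nonce = os.urandom(12)
        return plaintext, nonce + _keystream_xor(self._master, nonce, plaintext)

    def decrypt(self, encrypted_key: bytes) -> bytes:
        # Decrypt: unwrap an encrypted data key; the master key is never returned.
        nonce, wrapped = encrypted_key[:12], encrypted_key[12:]
        return _keystream_xor(self._master, nonce, wrapped)


def encrypt_secret_version(kms: FakeKms, secret: bytes) -> dict:
    """Envelope-encrypt one secret version: new data key, then encrypt locally."""
    data_key, encrypted_key = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = nonce + _keystream_xor(data_key, nonce, secret)
    del data_key  # plaintext data key is disposed of immediately after use
    # Only the wrapped data key is stored next to the ciphertext.
    return {"ciphertext": ciphertext, "encrypted_data_key": encrypted_key}


def decrypt_secret_version(kms: FakeKms, stored: dict) -> bytes:
    """Ask KMS to unwrap the data key, decrypt the secret locally, drop the key."""
    data_key = kms.decrypt(stored["encrypted_data_key"])
    nonce, body = stored["ciphertext"][:12], stored["ciphertext"][12:]
    plaintext = _keystream_xor(data_key, nonce, body)
    del data_key
    return plaintext
```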

Secrets Manager Rotation

  • AWS Secrets Manager enables database credential rotation on a schedule.
  • When Secrets Manager initiates a rotation
    • it uses the provided superuser database credentials to create a clone user with the same privileges but a different password.
    • communicates the clone user's credentials to the databases and to the applications that retrieve the database credentials.
    • integrates with CloudWatch Events to send a notification when it rotates a secret.
  • Credential rotation does not affect already open connections, because they are not re-authenticated; authentication happens only when a connection is established.

AWS Certification Exam Practice Questions

  1. Which AWS service makes it easy for you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
    1. AWS WAF
    2. AWS Secrets Manager
    3. AWS Systems Manager
    4. AWS Shield
