AWS Secrets Manager vs Systems Manager Parameter Store
AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources and can easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
AWS Systems Manager Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management and can store data such as passwords, database strings, etc.
Storage (Limits keep on upgrading)
AWS Systems Manager Parameter Store allows us to store up to
Standard tier – 10,000 parameters, each of which can be up to 4KB
Advanced tier – 100,000 parameters, each of which can be up to 8KB
AWS Secrets Manager will enable us to store up to 40,000 parameters, each of which can be up to 64kb.
Encryption
Encryption is optional for Systems Parameter Store
Encryption is mandatory for Secrets Manager and you cannot opt out.
Automated Secret Rotation
System Parameter Store does not support out-of-the-box secrets rotation.
AWS Secrets Manager enables database credential rotation on a schedule.
Cross-account Access
System Parameter Store does not support cross-account access
AWS Secrets Manager supports resource-based IAM policies that grant cross-account access.
Cost (keeps on changing)
Secrets Manager is comparatively costlier than the System Parameter store.
AWS Systems Manager Parameter Store comes with no additional cost for the Standard tier.
AWS Secrets Manager costs $0.40 per secret per month, and data retrieval costs $0.05 per 10,000 API calls.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
AWS Secrets Manager helps protect secrets needed to access applications, services, and IT resources.
enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
secure secrets by encrypting them with encryption keys managed using AWS KMS.
offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
supports IAM and resource-based policies for fine-grained access control to secrets and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.
enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios.
stores the encrypted data key with the protected secret data.
Decryption
requests AWS KMS to decrypt the encrypted data key
uses the plain text data key to decrypt the protected secret data.
never stores the data key in unencrypted form, and always disposes of the data key immediately after use.
Secrets Manager Rotation
AWS Secrets Manager enables database credential rotation on a schedule.
When Secrets Manager initiates a rotation
it uses the provided super database credentials to create a clone user with the same privileges, but with a different password.
communicates the clone user information to databases and applications retrieving the database credentials.
integrates with CloudWatch Events to send a notification when it rotates a secret.
Credentials rotation does not impact the already open connections as they are not re-authenticated. Authentication happens when a connection is established.
Secrets Manager vs Systems Parameter Store
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
Which AWS service makes it easy for you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle?
AWS WAF
AWS Secrets Manager
AWS Systems Manager
AWS Shield
A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement password rotation for the databases. Which solution meets this requirement with the LEAST operational overhead?
Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
