AWS Secrets Manager
💡 Definition
AWS Secrets Manager helps you protect access to your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
🔑 Key Concepts
- Automated Secret Rotation: Automatically rotates secrets for supported databases (e.g., RDS, Aurora) and other services, improving security by frequently changing credentials.
- Centralized Management: Stores and manages secrets centrally, making it easier to audit and control access.
- Secure Retrieval: Applications retrieve secrets programmatically at runtime, eliminating the need to hardcode sensitive information in source code.
- Encryption: Secrets are encrypted at rest using KMS and in transit using SSL/TLS.
- Fine-grained Access Control: Integrates with IAM to allow precise control over who can access specific secrets.
⚙️ How it Works
You store your secrets in Secrets Manager. For database credentials, you can configure automatic rotation. When an application needs a secret, it makes an API call to Secrets Manager, which retrieves the secret (after successful IAM authentication and authorization) and delivers it to the application. This ensures that secrets are never hardcoded and are rotated regularly.
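The retrieval step above, as an added example that is not part of the original notes: an application fetches a secret at runtime with the `GetSecretValue` API (boto3's `get_secret_value`), parses the JSON that RDS-managed secrets use, and caches the result for a short TTL so it neither hardcodes credentials nor pays for an API call on every request, while still picking up a rotated value shortly after rotation. The `FakeSecretsManager` class and all secret values are constructed stand-ins so the code runs offline; `CachedSecret`, `parse_secret_value` and `db_connection_params` are hypothetical helper names, and `make_boto3_client` is only used when talking to real AWS.

```python
"""Runtime secret retrieval from AWS Secrets Manager (added example, not AWS code)."""
import json
import time
from typing import Any, Callable, Dict

# Fields AWS writes into an RDS-managed secret's JSON SecretString.
DB_SECRET_FIELDS = ("username", "password", "host", "port", "dbname")


def make_boto3_client(region_name: str = "us-east-1"):
    """Real client for production use; boto3 is only imported here (assumption: it is installed)."""
    import boto3  # credentials and IAM authorization are handled by the SDK
    return boto3.client("secretsmanager", region_name=region_name)


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client so the example runs offline."""

    def __init__(self, secrets: Dict[str, Any]):
        self._secrets = secrets
        self.calls = 0  # counts API calls, which is what Secrets Manager bills per 10,000

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")  # constructed error
        value = self._secrets[SecretId]
        resp: Dict[str, Any] = {"Name": SecretId, "VersionStages": [VersionStage]}
        if isinstance(value, bytes):
            resp["SecretBinary"] = value  # boto3 hands SecretBinary back as bytes
        else:
            resp["SecretString"] = value
        return resp


def parse_secret_value(response: Dict[str, Any]) -> Dict[str, Any]:
    """Turn a GetSecretValue response into a dict, whether the secret is JSON or a bare string."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"].decode("utf-8")
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}  # plain-string secret, e.g. a single third-party API key
    return parsed if isinstance(parsed, dict) else {"value": parsed}


class CachedSecret:
    """Fetches a secret on demand and re-reads it after ttl_seconds so rotated values are picked up."""

    def __init__(self, client, secret_id: str, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client, self._secret_id, self._ttl, self._clock = client, secret_id, ttl_seconds, clock
        self._value: Dict[str, Any] = {}
        self._fetched_at = float("-inf")

    def get(self, force_refresh: bool = False) -> Dict[str, Any]:
        now = self._clock()
        # Refresh when empty, expired, or when the caller saw an auth failure (likely rotation).
        if force_refresh or not self._value or now - self._fetched_at >= self._ttl:
            self._value = parse_secret_value(self._client.get_secret_value(SecretId=self._secret_id))
            self._fetched_at = now
        return self._value


def db_connection_params(secret: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the connection fields out of an RDS-style secret, failing loudly if any is missing."""
    missing = [f for f in DB_SECRET_FIELDS if f not in secret]
    if missing:
        raise KeyError(f"secret is missing fields: {missing}")
    return {"host": secret["host"], "port": int(secret["port"]), "user": secret["username"],
            "password": secret["password"], "dbname": secret["dbname"]}


if __name__ == "__main__":
    # Offline demo with a constructed secret; swap in make_boto3_client() against real AWS.
    fake = FakeSecretsManager({"prod/app/db": json.dumps({
        "username": "app", "password": "constructed-pw", "engine": "mysql",
        "host": "db.example.internal", "port": 3306, "dbname": "app"})})
    params = db_connection_params(CachedSecret(fake, "prod/app/db").get())
    print({k: ("***" if k == "password" else v) for k, v in params.items()}, "calls:", fake.calls)
```

The cache TTL is the practical trade-off: a short TTL keeps a rotated credential from going stale for long, and `get(force_refresh=True)` lets the application re-read immediately when a database login fails with the cached password, which is the usual sign that rotation has just completed.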
🎯 Use Cases
- Database Credential Rotation: Automatically rotating credentials for your RDS or Aurora databases.
- API Key Management: Securely storing and retrieving API keys for third-party services.
- Configuration Management: Storing application configuration values securely.
- Compliance: Helping meet security and compliance requirements for secret management.
💰 Pricing Model
- Per Secret: Charged per secret stored per month.
- API Requests: Charged per 10,000 API calls to retrieve secrets.
📝 Exam Tips (CLF-C02)
- Keywords: "Automated secret rotation", "Database credentials", "API keys", "Manage secrets".
- The primary service for securely storing and rotating credentials.
- Helps avoid hardcoding sensitive information in applications.
- Often used with KMS for encryption.
See Also:
- IAM
- KMS
- AWS Systems Manager (Parameter Store is a simpler secret management service)
- RDS