1. Secrets Manager
Manages, retrieves, and rotates secrets (DB credentials, API keys). Eliminates hardcoded credentials.
Core Value: Never put credentials in code. Store them in Secrets Manager; apps retrieve them at runtime via API. Auto-rotate RDS/Aurora/Redshift/DocumentDB passwords without downtime.
Key Features
- Auto-rotation: built-in Lambda for RDS/Aurora/Redshift/DocumentDB. Custom Lambda for others.
- Encrypted at rest (KMS mandatory). Cross-account via resource policy.
- Cross-Region replication for DR. Versioning: AWSCURRENT + AWSPREVIOUS.
- Cost: $0.40/secret/month + $0.05/10K API calls.
Secrets Manager + RDS Auto-Rotation:
1. SM stores RDS credentials
2. On schedule, SM invokes Lambda
3. Lambda changes the password in RDS
4. Lambda updates the secret in SM
5. Apps retrieve new password via API
6. Zero downtime (AWSCURRENT=new, AWSPREVIOUS=old)
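The rotation flow above and the AWSCURRENT/AWSPREVIOUS labels, as an added worked example (not from the page or from AWS): a constructed in-memory stand-in for Secrets Manager and RDS, a rotation step that moves the staging labels (steps 3-4), and an app-side client (step 5) that refetches the secret once when its cached password stops working instead of failing on the stale value. FakeSecretsManager, FakeDatabase and RotationAwareClient are assumed names; a real app would call boto3's get_secret_value with the same SecretId/VersionStage arguments.

```python
import json
class FakeSecretsManager:
    """Constructed stand-in for Secrets Manager (not boto3); versions carry staging labels like the service."""
    def __init__(self, secret_id, secret_dict):
        self.secret_id = secret_id
        self.versions = {"v1": json.dumps(secret_dict)}   # version id -> SecretString
        self.stages = {"AWSCURRENT": "v1"}                  # staging label -> version id
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        # Same keyword arguments as boto3's get_secret_value; returns the labelled version.
        return {"SecretString": self.versions[self.stages[VersionStage]]}
    def rotate(self, db, new_password):
        """Steps 3-4: change the password in the database, store a new version,
        then relabel so AWSCURRENT is the new password and AWSPREVIOUS the old one."""
        cur = json.loads(self.get_secret_value(SecretId=self.secret_id)["SecretString"])
        db.set_password(cur["username"], new_password)
        new_id = f"v{len(self.versions) + 1}"
        self.versions[new_id] = json.dumps({**cur, "password": new_password})
        self.stages["AWSPREVIOUS"] = self.stages["AWSCURRENT"]
        self.stages["AWSCURRENT"] = new_id

class FakeDatabase:
    """Constructed stand-in for RDS: one user table checked on connect."""
    def __init__(self, username, password):
        self.creds = {username: password}
    def set_password(self, username, password):
        self.creds[username] = password
    def connect(self, username, password):
        if self.creds.get(username) != password:
            raise PermissionError("authentication failed")
        return f"session:{username}"

class RotationAwareClient:
    """App side (step 5): cache the secret in memory, and when a login fails
    refetch AWSCURRENT once rather than keep using the stale cached password."""
    def __init__(self, sm, secret_id, db):
        self.sm, self.secret_id, self.db = sm, secret_id, db
        self.cached, self.refreshes = None, 0
    def _refresh(self):
        self.cached = json.loads(self.sm.get_secret_value(SecretId=self.secret_id)["SecretString"])
        self.refreshes += 1
    def connect(self):
        if self.cached is None:
            self._refresh()
        try:
            return self.db.connect(self.cached["username"], self.cached["password"])
        except PermissionError:
            self._refresh()  # rotation happened underneath us; retry once with the new version
            return self.db.connect(self.cached["username"], self.cached["password"])
```

The refetch-on-auth-failure step is what makes rotation transparent to the app: without it, a long-lived process keeps the AWSPREVIOUS password in memory until restart.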
2. SSM Parameter Store
Hierarchical storage for configuration data and secrets. Part of AWS Systems Manager.
Key Features
- Hierarchical: /app/dev/db/password, /app/prod/db/password
- Types: String, StringList, SecureString (encrypted with KMS)
- Standard tier: free, 10K params, 4 KB. Advanced: $0.05/param/mo, 100K params, 8 KB.
- NO built-in auto-rotation (implement yourself with Lambda + EventBridge)
- Version tracking. IAM access control by path prefix.
Parameter Hierarchy:
/myapp/
  /myapp/dev/db/host = dev-db.cluster.amazonaws.com
  /myapp/dev/db/password = (SecureString) encrypted
  /myapp/prod/db/host = prod-db.cluster.amazonaws.com
  /myapp/prod/db/password = (SecureString) encrypted
GetParametersByPath(/myapp/prod/) returns all prod params.
3. Secrets Manager vs Parameter Store

Decision Rule
- Auto-rotate DB credentials? = Secrets Manager.
- Hierarchical config + budget? = Parameter Store.
- Both? = Parameter Store for config, Secrets Manager for rotating secrets.
4. Security Decision Table

Exam Tip "Audit key usage" = KMS+CloudTrail. "FIPS L3" = CloudHSM. "Free SSL" = ACM. "CF cert" = us-east-1. "Auto-rotate DB" = Secrets Manager. "Config+secrets cheap" = Parameter Store. "Encrypt >4KB" = Envelope Encryption. "Cross-account key" = CMK. "SSL on EC2" = NOT ACM.