
AWS Secrets Manager

AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Key Concepts

1. Secret

A secret is any sensitive information that you want to store in Secrets Manager. It can be a set of credentials, such as a username and password, an API key, or an OAuth token. Secrets are stored encrypted at rest with an AWS KMS key, and each secret can hold several versions (for example the current value and the one being rotated in).

2. Automatic Rotation

Secrets Manager can rotate secrets automatically for you. This helps you meet your security and compliance requirements to rotate secrets. Secrets Manager has built-in integration for Amazon RDS, Amazon DocumentDB, and Amazon Redshift. You can also extend Secrets Manager to rotate other types of secrets by creating a custom AWS Lambda function.

3. Fine-grained Access Control

You can control access to secrets using AWS Identity and Access Management (IAM) policies. You can define policies that allow or deny access to specific secrets, and you can also control who can manage secrets.
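As an added illustration of the fine-grained access control described above (this is example code written for this page, not an AWS sample), the block below builds a least-privilege IAM policy that lets a workload read exactly one secret, puts it beside an over-broad policy of the kind that often turns up in audits, and runs a simplified version of IAM's evaluation logic over both. The secret ARN, account id and region are constructed placeholders; the evaluator models only Allow/Deny with action and resource wildcards, not Conditions, NotAction, or resource-based policies.

```python
import fnmatch

# Constructed placeholder ARN: the account id, region and suffix are not real.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-creds-AbCdEf"


def build_read_only_policy(secret_arn):
    """Identity policy that lets a principal read one named secret and nothing
    else in Secrets Manager. The explicit Deny on management actions makes the
    intent visible in reviews and still wins if another attached policy later
    grants broader access, because an explicit Deny always overrides an Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue",
                           "secretsmanager:DescribeSecret"],
                "Resource": secret_arn,
            },
            {
                "Sid": "NoSecretManagement",
                "Effect": "Deny",
                "Action": ["secretsmanager:PutSecretValue",
                           "secretsmanager:UpdateSecret",
                           "secretsmanager:DeleteSecret",
                           "secretsmanager:PutResourcePolicy"],
                "Resource": "*",
            },
        ],
    }


def build_overbroad_policy():
    """The weak setting for contrast: full control over every secret in the
    account. Fine for a break-glass admin role, wrong for an application."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "secretsmanager:*",
                       "Resource": "*"}],
    }


def _matches(pattern, value):
    # IAM wildcards are '*' (any run of characters) and '?' (one character);
    # fnmatch uses the same two metacharacters.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for a single identity policy: an explicit Deny
    overrides any Allow, and with no matching Allow the default is Deny.
    Action names are compared case-insensitively, resource ARNs exactly."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    tight = build_read_only_policy(SECRET_ARN)
    print("read own secret:", is_allowed(tight, "secretsmanager:GetSecretValue", SECRET_ARN))
    print("delete own secret:", is_allowed(tight, "secretsmanager:DeleteSecret", SECRET_ARN))
```

When reviewing real policies, the thing to look for is the combination of `secretsmanager:*` or `GetSecretValue` with `"Resource": "*"`; scoping the resource to the secret ARN (or an ARN prefix for a path such as `prod/*`) is what turns a broad grant into the per-secret control the section describes.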

4. Cross-Region Replication

You can replicate your secrets to multiple AWS Regions to support your multi-region applications and disaster recovery strategies.

5. Auditing and Monitoring

You can use AWS CloudTrail to log all API calls to Secrets Manager. This allows you to audit who is accessing your secrets and when. You can also use Amazon CloudWatch to monitor your secrets and to create alarms that notify you of specific events.
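Because CloudTrail records every Secrets Manager API call, the audit data can be turned into detections. The block below is an added example (not from this page or from AWS) that runs three checks over a handful of constructed CloudTrail records: reads of a secret by a principal outside its expected reader list, any call that returned an error such as `AccessDenied`, and successful management actions (delete, policy change, value update). The records, account id, role names and the `EXPECTED_READERS` table are all assumptions made for the example; the field names (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.secretId`, `errorCode`) are the ones CloudTrail uses.

```python
import json

# Constructed sample CloudTrail records, trimmed to the fields the checks use.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "10.0.1.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OrdersAppRole/i-0abc"},
     "requestParameters": {"secretId": "prod/db-creds"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"secretId": "prod/db-creds"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "DeleteSecret", "errorCode": "AccessDenied", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"secretId": "prod/db-creds"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "PutResourcePolicy", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/PlatformAdmin/carol"},
     "requestParameters": {"secretId": "prod/db-creds"}},
]})

# Assumed allow-list: which role names are expected to read each secret.
EXPECTED_READERS = {"prod/db-creds": {"OrdersAppRole"}}

# Successful calls that change a secret or who can reach it; worth an alert or
# at least a ticket even when made by an administrator.
SENSITIVE_EVENTS = {"DeleteSecret", "PutResourcePolicy", "UpdateSecret",
                    "PutSecretValue", "RestoreSecret"}


def principal_name(user_identity):
    """Reduce a CloudTrail userIdentity ARN to something comparable:
    assumed-role/<Role>/<Session> -> <Role>; other ARNs keep their last segment."""
    parts = user_identity.get("arn", "").split(":")[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) >= 2:
        return parts[1]
    return "/".join(parts)


def find_suspicious(records_json):
    """Return (time, finding, eventName, principal, secretId) tuples."""
    findings = []
    for rec in json.loads(records_json)["Records"]:
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        name = rec.get("eventName")
        who = principal_name(rec.get("userIdentity", {}))
        secret = rec.get("requestParameters", {}).get("secretId")
        if rec.get("errorCode"):
            findings.append((rec["eventTime"], "access-denied", name, who, secret))
        elif name == "GetSecretValue" and who not in EXPECTED_READERS.get(secret, set()):
            findings.append((rec["eventTime"], "unexpected-reader", name, who, secret))
        elif name in SENSITIVE_EVENTS:
            findings.append((rec["eventTime"], "management-action", name, who, secret))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RECORDS):
        print(*f)
```

In practice the records come from the CloudTrail S3 bucket or CloudWatch Logs, and the `EXPECTED_READERS` table would be derived from the secret's resource policy or a tagging convention; the logic itself is what a CloudWatch metric filter or SIEM rule for Secrets Manager typically encodes.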

How it Works

  1. Create a Secret: You create a secret in Secrets Manager and store your sensitive information in it.
  2. Configure Rotation (Optional): You can configure automatic rotation for your secrets.
  3. Retrieve the Secret: Your applications can retrieve secrets from Secrets Manager using the Secrets Manager API. Your application code does not need to contain hardcoded credentials.
  4. Access Control: Secrets Manager uses IAM policies to control access to secrets.
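The four steps above, carried through in code as an added example (written for this page, not taken from AWS documentation). The helper functions take a client object and call it with the same method names and keyword arguments as boto3's `client("secretsmanager")` (`create_secret`, `rotate_secret`, `get_secret_value`); an in-memory `FakeSecretsManager` with those methods is included so the flow runs offline, and the secret name, credentials, account id and Lambda ARN are all constructed values. Replacing the fake with a real boto3 client is the only change needed to run it against an account.

```python
import json
import uuid


class FakeSecretsManager:
    """In-memory stand-in for boto3's Secrets Manager client (constructed for
    this example). Only the three calls used below are modelled."""

    def __init__(self):
        self._store = {}
        self.rotation_config = {}

    def create_secret(self, Name, SecretString, Description=""):
        arn = f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{Name}-FaKeId"  # constructed
        version_id = str(uuid.uuid4())
        self._store[Name] = {"ARN": arn, "Name": Name, "SecretString": SecretString,
                             "VersionId": version_id, "VersionStages": ["AWSCURRENT"]}
        return {"ARN": arn, "Name": Name, "VersionId": version_id}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        # The real service accepts either the secret name or its ARN.
        for rec in self._store.values():
            if SecretId in (rec["Name"], rec["ARN"]):
                return dict(rec)
        raise LookupError(f"ResourceNotFoundException: {SecretId}")

    def rotate_secret(self, SecretId, RotationLambdaARN, RotationRules):
        rec = self.get_secret_value(SecretId)
        self.rotation_config[rec["Name"]] = {"RotationLambdaARN": RotationLambdaARN,
                                             "RotationRules": RotationRules}
        return {"ARN": rec["ARN"], "Name": rec["Name"]}


def create_db_secret(client, name, username, password, host, port, dbname):
    """Step 1: store the credentials as one JSON document (the key names the
    RDS rotation functions expect) instead of hardcoding them in the app."""
    secret = {"username": username, "password": password,
              "host": host, "port": port, "dbname": dbname}
    return client.create_secret(Name=name, SecretString=json.dumps(secret),
                                Description="Database credentials")


def enable_rotation(client, secret_id, lambda_arn, every_days=30):
    """Step 2 (optional): hand rotation to a Lambda function on a schedule."""
    return client.rotate_secret(SecretId=secret_id, RotationLambdaARN=lambda_arn,
                                RotationRules={"AutomaticallyAfterDays": every_days})


def get_db_credentials(client, secret_id):
    """Step 3: fetch the current version at runtime and parse it. Handles both
    string and binary secrets and rejects documents missing required fields;
    the parsed value is returned to the caller and never logged."""
    resp = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    if "SecretString" in resp:
        raw = resp["SecretString"]
    else:
        raw = resp["SecretBinary"].decode("utf-8")  # binary secrets arrive as bytes
    creds = json.loads(raw)
    missing = {"username", "password", "host"} - creds.keys()
    if missing:
        raise ValueError(f"secret {secret_id} is missing fields: {sorted(missing)}")
    return creds


if __name__ == "__main__":
    # Step 4 (access control) is enforced by IAM on the calling principal, not
    # by this code. Swap in boto3.client("secretsmanager") to run for real.
    sm = FakeSecretsManager()
    created = create_db_secret(sm, "prod/db-creds", "app_user", "example-password",
                               "db.internal", 5432, "orders")
    enable_rotation(sm, created["ARN"],
                    "arn:aws:lambda:us-east-1:123456789012:function:RotateDbCreds")  # constructed
    creds = get_db_credentials(sm, "prod/db-creds")
    print("connect as", creds["username"], "to", creds["host"])  # password deliberately not printed
```

Two practical points the flow makes visible: retrieval is billed per API call, so production code caches the parsed value and refreshes it on a timer or on an authentication failure rather than calling `get_secret_value` per request; and because rotation writes a new version under `AWSCURRENT`, clients should always ask for that stage rather than pinning a version id.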

Benefits

  • Improve Security Posture: Avoid hardcoding secrets in your application code.
  • Meet Compliance Requirements: Rotate secrets automatically to meet your compliance requirements.
  • Simplify Secrets Management: Centrally manage and monitor secrets across your organization.
  • Pay as you go: You pay for the number of secrets you store and the number of API calls you make.

Comparison with AWS Systems Manager Parameter Store

Feature                  | AWS Secrets Manager                                   | AWS Systems Manager Parameter Store
Primary Use Case         | Managing and rotating secrets                         | Storing configuration data and secrets
Rotation                 | Automatic rotation with Lambda integration            | No built-in rotation
Cost                     | Priced per secret per month and per 10,000 API calls  | Standard parameters are free; advanced parameters have a cost
Cross-Region Replication | Built-in                                              | Manual
Security                 | Encrypted by default with AWS KMS                     | Encrypted with AWS KMS
Access Control           | IAM policies                                          | IAM policies