AWS Certified Data Engineer: Secure Credential Management
Store application and database credentials (for example, Secrets Manager, AWS Systems Manager Parameter Store)
Secure Credential Management: AWS Secrets Manager & SSM Parameter Store
This guide covers the critical task of managing application and database credentials securely within the AWS ecosystem, specifically focusing on AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store as required for the Data Engineer - Associate curriculum.
Learning Objectives
After studying this guide, you should be able to:
- Distinguish between use cases for AWS Secrets Manager and SSM Parameter Store.
- Implement automated credential rotation for RDS and Aurora databases.
- Configure least-privilege IAM policies for accessing sensitive configuration data.
- Utilize CloudFormation dynamic references to inject secrets into infrastructure as code.
- Avoid common anti-patterns like hardcoding credentials or using environment variables for sensitive data.
Key Terms & Glossary
- AWS Secrets Manager: A fully managed service for securing, rotating, and retrieving database credentials, API keys, and OAuth tokens.
- SSM Parameter Store: A capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management.
- Rotation: The automated process of updating a secret (like a password) at regular intervals to minimize the risk of compromised credentials.
- Dynamic Reference: A syntax used in CloudFormation to retrieve values from Secrets Manager or Parameter Store at runtime rather than hardcoding them in templates.
- SecureString: A Parameter Store data type that uses AWS KMS to encrypt sensitive text.
The "Big Idea"
In modern cloud architecture, credentials are treated as external dependencies, not code. By decoupling secrets from the application logic, you improve security posture, enable automated compliance (through rotation), and ensure that the same codebase can run across development, testing, and production environments without modification—simply by pointing to different secret paths.
Formula / Concept Box
| Concept | CloudFormation Dynamic Reference Syntax |
|---|---|
| Secrets Manager | {{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}} |
| SSM Parameter | {{resolve:ssm:parameter-name:version}} |
| SSM Secure String | {{resolve:ssm-secure:parameter-name:version}} |
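The three syntaxes in the box share a positional, colon-separated layout, which is easy to misread when the secret-id is a full ARN (an ARN contains colons of its own). The parser below is an added example, not CloudFormation's own resolver: it splits each form into its named fields and treats a secret-id beginning with `arn:` as the seven-part Secrets Manager ARN. The sample references in the test (names, account id) are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added parser for the three dynamic-reference forms in the concept box:
#   {{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}
#   {{resolve:ssm:parameter-name:version}}
#   {{resolve:ssm-secure:parameter-name:version}}
# Assumption: a secret-id starting with "arn:" is a full Secrets Manager ARN, which
# itself spans seven colon-separated fields (arn:aws:secretsmanager:region:account:secret:name).
_REF = re.compile(r"^\{\{resolve:(ssm-secure|ssm|secretsmanager):(.*)\}\}$")
_ARN_FIELDS = 7


@dataclass
class DynamicRef:
    service: str                      # "secretsmanager", "ssm" or "ssm-secure"
    name: str                         # secret-id (name or ARN) or parameter-name
    json_key: Optional[str] = None    # Secrets Manager only
    version_stage: Optional[str] = None
    version: Optional[str] = None     # version-id (Secrets Manager) or version (SSM)


def parse_dynamic_ref(text: str) -> DynamicRef:
    m = _REF.match(text.strip())
    if not m:
        raise ValueError(f"not a dynamic reference: {text!r}")
    service, fields = m.group(1), m.group(2).split(":")

    if service in ("ssm", "ssm-secure"):
        if len(fields) > 2 or not fields[0]:
            raise ValueError(f"malformed {service} reference: {text!r}")
        version = fields[1] if len(fields) == 2 and fields[1] else None
        return DynamicRef(service=service, name=fields[0], version=version)

    # secretsmanager: the secret-id may be an ARN spanning several fields
    n = _ARN_FIELDS if fields[0] == "arn" else 1
    if len(fields) < n or not all(fields[:n]):
        raise ValueError(f"incomplete secret-id in {text!r}")
    name, tail = ":".join(fields[:n]), fields[n:]
    if len(tail) > 4:
        raise ValueError(f"too many fields in {text!r}")
    tail += [""] * (4 - len(tail))          # SecretString, json-key, version-stage, version-id
    if tail[0] not in ("", "SecretString"):
        raise ValueError(f"unsupported secret-string field {tail[0]!r}")
    return DynamicRef(service=service, name=name, json_key=tail[1] or None,
                      version_stage=tail[2] or None, version=tail[3] or None)
```

Every field after the secret-id is optional, so `tail` is padded to four entries before reading it; an empty trailing field (for example `...:SecretString:password:` with no stage) parses the same as an absent one.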
Hierarchical Outline
- The Risks of Hardcoding
- Credential Exposure: Checking secrets into version control (GitHub/CodeCommit).
- Environmental Drift: Difficulty managing different passwords for Dev/Prod.
- AWS Secrets Manager
- Primary Features: Auto-rotation, Multi-region replication, Built-in RDS integration.
- Encryption: Mandatory encryption at rest using AWS KMS.
- Performance: Optimize via client-side caching in AWS SDKs to reduce API costs.
- AWS Systems Manager Parameter Store
- Primary Features: Hierarchical paths (e.g., /prod/db/url), version tracking, configuration storage.
- Types: String, StringList, and SecureString.
- Monitoring & Auditing
- CloudTrail: Logs every API call (e.g., GetSecretValue).
- EventBridge: Triggers alerts or Lambda functions when secrets are accessed or changed.
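Because CloudTrail records the caller, the secret name and the outcome of every Secrets Manager call (but never the secret value itself), those records are the natural input for an access-monitoring rule. The following is an added example, not part of this guide or of any AWS service: it runs three simple rules over constructed CloudTrail records trimmed to the fields the rules read. The allowlists of expected readers and writers, the role names, the account id and the IP addresses are all constructed assumptions.

```python
from typing import Dict, Iterable, List

# Constructed sample CloudTrail records (only the fields the rules below read).
SAMPLE_EVENTS = [
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-lambda-role/app"},
     "requestParameters": {"secretId": "prod/app/db-creds"}, "sourceIPAddress": "10.0.1.20"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"secretId": "prod/app/db-creds"}, "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-lambda-role/app"},
     "requestParameters": {"secretId": "prod/payments/api-key"}, "sourceIPAddress": "10.0.1.20",
     "errorCode": "AccessDeniedException"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "PutSecretValue",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/rotation-lambda-role/rot"},
     "requestParameters": {"secretId": "prod/app/db-creds"}, "sourceIPAddress": "10.0.2.5"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"secretId": "prod/app/db-creds"}, "sourceIPAddress": "203.0.113.7"},
]

# Assumed allowlists: which principals are expected to read or modify each secret.
EXPECTED_READERS = {"prod/app/db-creds": {"app-lambda-role"},
                    "prod/payments/api-key": {"payments-role"}}
EXPECTED_WRITERS = {"prod/app/db-creds": {"rotation-lambda-role"},
                    "prod/payments/api-key": {"rotation-lambda-role"}}
WRITE_EVENTS = {"PutSecretValue", "UpdateSecret", "DeleteSecret",
                "RestoreSecret", "UpdateSecretVersionStage"}


def principal_name(arn: str) -> str:
    """Reduce an IAM/STS ARN to a comparable name: the role name for an assumed-role
    session, otherwise the resource part (e.g. 'user/contractor')."""
    resource = arn.rsplit(":", 1)[1]
    parts = resource.split("/")
    return parts[1] if parts[0] == "assumed-role" else resource


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per record that breaks a rule: a denied call (often a sign of
    probing or a misconfigured role), a read by an unexpected principal, or a write or
    delete by anyone other than the rotation role."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        secret = ev.get("requestParameters", {}).get("secretId", "<unknown>")
        who = principal_name(ev["userIdentity"]["arn"])
        base = {"secret": secret, "principal": who,
                "source_ip": ev.get("sourceIPAddress"), "event": ev["eventName"]}
        if ev.get("errorCode"):
            findings.append({"rule": "denied-secret-access", "error": ev["errorCode"], **base})
        elif ev["eventName"] == "GetSecretValue" and who not in EXPECTED_READERS.get(secret, set()):
            findings.append({"rule": "unexpected-reader", **base})
        elif ev["eventName"] in WRITE_EVENTS and who not in EXPECTED_WRITERS.get(secret, set()):
            findings.append({"rule": "unexpected-writer", **base})
    return findings
```

In production the same function would run from a Lambda subscribed to an EventBridge rule for Secrets Manager events, or over CloudTrail logs delivered to S3; the record shape is the same.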
Visual Anchors
Secret Retrieval Workflow
Secret Versioning Structure
\begin{tikzpicture}[node distance=1.5cm, every node/.style={draw, rectangle, rounded corners, fill=blue!10, align=center}]
\node (secret) [fill=blue!30] {Secret: \\ MyDatabaseSecret};
\node (vcurrent) [below left of=secret, xshift=-1cm] {AWSCURRENT \\ (Version 2)};
\node (vprevious) [below right of=secret, xshift=1cm] {AWSPREVIOUS \\ (Version 1)};
\draw [->, thick] (secret) -- (vcurrent);
\draw [->, thick] (secret) -- (vprevious);
\node (note) [below of=vcurrent, draw=none, fill=none, font=\itshape] {\small During rotation, staging \\ labels shift to newest version.};
\end{tikzpicture}
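The diagram shows the end state of a rotation; the code below is an added example (not AWS's rotation template and not part of this guide) that walks through how the labels get there. A Secrets Manager rotation Lambda is invoked four times with the real event contract (`SecretId`, `ClientRequestToken`, `Step` in `createSecret`, `setSecret`, `testSecret`, `finishSecret`): the new password is written as a version labelled AWSPENDING, pushed to the database, verified, and only then promoted to AWSCURRENT, at which point the old version becomes AWSPREVIOUS. The API calls are the real boto3 ones; `apply_password` and `check_login` are hypothetical hooks standing in for the ALTER USER and test-connection logic a real function runs against Aurora/RDS, and `FakeSecretsManager` is a constructed in-memory stand-in so the example runs offline.

```python
import json
import secrets
import string


def rotate(event, sm, apply_password, check_login):
    """Handle one rotation step. `sm` is a Secrets Manager client (boto3 or the stand-in
    below); apply_password(user, pw) and check_login(user, pw) are hypothetical DB hooks."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        current = json.loads(sm.get_secret_value(SecretId=secret_id,
                                                 VersionStage="AWSCURRENT")["SecretString"])
        try:
            # A retried createSecret must reuse the pending candidate, not mint a second one.
            sm.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
        except sm.exceptions.ResourceNotFoundException:
            new_pw = sm.get_random_password(PasswordLength=32,
                                            ExcludeCharacters="\"'\\/@")["RandomPassword"]
            sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                SecretString=json.dumps({**current, "password": new_pw}),
                                VersionStages=["AWSPENDING"])
        return
    pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionId=token,
                                             VersionStage="AWSPENDING")["SecretString"])
    if step == "setSecret":
        apply_password(pending["username"], pending["password"])  # e.g. ALTER USER in the DB
    elif step == "testSecret":
        if not check_login(pending["username"], pending["password"]):
            raise RuntimeError("pending credentials rejected; AWSCURRENT left unchanged")
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        if current_id != token:  # otherwise a retry already promoted this version
            sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown rotation step {step!r}")


def run_full_rotation(sm, secret_id, token, apply_password, check_login):
    """Drive the four steps in the order Secrets Manager invokes them; return the labels."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": secret_id, "ClientRequestToken": token, "Step": step},
               sm, apply_password, check_login)
    return sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]


def current_credentials(sm, secret_id, stage="AWSCURRENT"):
    return json.loads(sm.get_secret_value(SecretId=secret_id, VersionStage=stage)["SecretString"])


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 client, covering only the calls above."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, secret_id, secret_string):
        self._secrets = {secret_id: {"v1": {"SecretString": secret_string, "stages": {"AWSCURRENT"}}}}

    def _versions(self, sid):
        if sid not in self._secrets:
            raise self.exceptions.ResourceNotFoundException(sid)
        return self._secrets[sid]

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self._versions(SecretId).items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self._versions(SecretId).items():
            if (VersionId is None or vid == VersionId) and (VersionStage is None or VersionStage in d["stages"]):
                return {"SecretString": d["SecretString"], "VersionId": vid}
        raise self.exceptions.ResourceNotFoundException(SecretId)

    def get_random_password(self, PasswordLength=32, ExcludeCharacters=""):
        alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in ExcludeCharacters]
        return {"RandomPassword": "".join(secrets.choice(alphabet) for _ in range(PasswordLength))}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self._versions(SecretId)[ClientRequestToken] = {"SecretString": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        vers = self._versions(SecretId)
        vers[RemoveFromVersionId]["stages"].discard(VersionStage)
        vers[MoveToVersionId]["stages"].add(VersionStage)
        if VersionStage == "AWSCURRENT":  # the service relabels the displaced version AWSPREVIOUS
            for d in vers.values():
                d["stages"].discard("AWSPREVIOUS")
            vers[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
```

The ordering matters for availability: a failure in `testSecret` leaves AWSCURRENT untouched, so the application keeps working with the old password, and the idempotency checks in `createSecret` and `finishSecret` make Lambda retries safe.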
Definition-Example Pairs
- Automated Rotation: The ability to change a password without manual intervention.
- Example: A Lambda function automatically updates the master password in an Aurora cluster and simultaneously updates the value in Secrets Manager every 30 days.
- Hierarchical Parameters: Using folder-like paths to organize configuration.
- Example: Storing /web-app/prod/db-url and /web-app/dev/db-url in Parameter Store so the app simply looks for the path relative to its environment variable.
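The hierarchical-parameter example above, worked through in code. This is an added example, not part of the guide: `load_config` uses the real boto3 call `get_parameters_by_path` (through its paginator, with `WithDecryption=True` so SecureString values come back decrypted) to read everything under `/<app>/<env>/` and strips the prefix, so the application code never names its environment. The `APP_ENV` variable name, the parameter names and values, and `FakeParameterStore` (an in-memory stand-in for the SSM client) are constructed.

```python
import os
from typing import Dict, Set, Tuple


def load_config(ssm, app: str = "web-app", env: str = None) -> Tuple[Dict[str, object], Set[str]]:
    """Fetch every parameter under /<app>/<env>/ and key it by the path relative to that
    prefix. Returns the config and the set of keys that came from SecureString parameters."""
    env = env or os.environ.get("APP_ENV", "dev")   # APP_ENV is an assumed variable name
    prefix = f"/{app}/{env}/"
    config, secure_keys = {}, set()
    paginator = ssm.get_paginator("get_parameters_by_path")
    for page in paginator.paginate(Path=prefix, Recursive=True, WithDecryption=True):
        for p in page["Parameters"]:
            key = p["Name"][len(prefix):]
            config[key] = p["Value"].split(",") if p["Type"] == "StringList" else p["Value"]
            if p["Type"] == "SecureString":
                secure_keys.add(key)
    return config, secure_keys


def log_safe(config: Dict[str, object], secure_keys: Set[str]) -> Dict[str, object]:
    """Copy of the config with SecureString values masked, for logs and debug output."""
    return {k: ("***" if k in secure_keys else v) for k, v in config.items()}


# Constructed Parameter Store contents for the two environments.
SAMPLE_PARAMS = [
    {"Name": "/web-app/prod/db-url", "Type": "String", "Value": "postgres://db.prod.internal:5432/app"},
    {"Name": "/web-app/prod/db-password", "Type": "SecureString", "Value": "constructed-prod-secret"},
    {"Name": "/web-app/prod/feature-flags", "Type": "StringList", "Value": "new-ui,fast-export"},
    {"Name": "/web-app/dev/db-url", "Type": "String", "Value": "postgres://localhost:5432/app"},
    {"Name": "/web-app/dev/db-password", "Type": "SecureString", "Value": "constructed-dev-secret"},
]


class FakeParameterStore:
    """Constructed stand-in for the boto3 SSM client: just enough of get_paginator
    ('get_parameters_by_path') to exercise load_config, including multi-page results."""
    def __init__(self, params, page_size=2):
        self._params, self._page_size = params, page_size

    def get_paginator(self, name):
        if name != "get_parameters_by_path":
            raise ValueError(name)
        return self

    def paginate(self, Path, Recursive=False, WithDecryption=False):
        hits = [p for p in self._params if p["Name"].startswith(Path)
                and (Recursive or "/" not in p["Name"][len(Path):])]
        if not WithDecryption:  # the real API returns SecureString ciphertext in this case
            hits = [dict(p, Value="<ciphertext>") if p["Type"] == "SecureString" else p for p in hits]
        for i in range(0, len(hits), self._page_size):
            yield {"Parameters": hits[i:i + self._page_size]}
```

The same function works for a real client created with `boto3.client("ssm")`; the IAM policy for it needs `ssm:GetParametersByPath` on the path prefix plus `kms:Decrypt` on the key that protects the SecureString parameters, which is the two-permission point raised under Muddy Points.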
Worked Examples
Accessing Secrets in Python (Lambda)
To avoid hardcoding, use the boto3 library to fetch secrets at runtime:
```python
import boto3
import json

def lambda_handler(event, context):
    secret_name = "prod/app/db-creds"
    region_name = "us-east-1"
    client = boto3.client("secretsmanager", region_name=region_name)
    # Fetch the secret
    response = client.get_secret_value(SecretId=secret_name)
    # Parse the JSON string
    creds = json.loads(response['SecretString'])
    db_user = creds['username']
    db_password = creds['password']
    # Use creds to connect to database...
```
Comparison Tables
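The handler above calls GetSecretValue on every invocation, which is the API-cost problem the outline's Performance point refers to. The following is an added example, not from the guide, of the client-side caching pattern: a small TTL cache kept in module scope of a Lambda, so warm invocations reuse the value, plus a retry helper for the moment right after a rotation when a cached password stops working. The cache class, `CountingClient` (a constructed stand-in for the boto3 client that counts API calls) and the credential values are constructed; `connect` is a hypothetical database-connect callable that raises `PermissionError` on a bad password.

```python
import json
import time


class SecretCache:
    """TTL cache in front of GetSecretValue. Created once at module scope in a Lambda, it
    survives across warm invocations, so the API is called only when the entry expires."""
    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client, self._ttl, self._clock, self._cache = client, ttl_seconds, clock, {}

    def get(self, secret_id: str, refresh: bool = False) -> dict:
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit and not refresh and now - hit[0] < self._ttl:
            return hit[1]
        value = json.loads(self._client.get_secret_value(SecretId=secret_id)["SecretString"])
        self._cache[secret_id] = (now, value)
        return value


def connect_with_retry(cache: SecretCache, secret_id: str, connect):
    """After a rotation the cached password may be stale: on an authentication failure,
    refresh the cache once and retry with the current version."""
    creds = cache.get(secret_id)
    try:
        return connect(creds["username"], creds["password"])
    except PermissionError:
        creds = cache.get(secret_id, refresh=True)
        return connect(creds["username"], creds["password"])


class CountingClient:
    """Constructed stand-in for the boto3 Secrets Manager client that counts calls."""
    def __init__(self, value: dict):
        self.value, self.calls = value, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.value)}
```

Two design points: the clock is injectable so expiry is testable without sleeping, and the TTL should be shorter than the rotation interval minus the time the previous version remains valid, so that a stale entry is refreshed by the retry path rather than failing repeatedly. AWS also publishes a caching client for Python (the aws-secretsmanager-caching package) that implements this pattern for you.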
| Feature | AWS Secrets Manager | SSM Parameter Store |
|---|---|---|
| Primary Purpose | Sensitive secrets (Passwords/Keys) | General config & secrets |
| Auto-Rotation | Native support for RDS/Aurora | Requires custom Lambda |
| Cost | Pay per secret per month + API calls | Standard parameters are Free |
| Max Secret Size | 64 KB | 4 KB (Standard) / 8 KB (Advanced) |
| Cross-Account | Yes (via Resource-based policies) | Yes (via Resource Access Manager) |
Checkpoint Questions
- Which service should you choose if you need to rotate an API key for a third-party SaaS provider every 90 days?
- How does Secrets Manager ensure data is not exposed in CloudTrail logs?
- What is the benefit of using a Dynamic Reference in a CloudFormation template instead of a Parameter?
- Can SSM Parameter Store store a list of non-sensitive environment variables?
Answers
- AWS Secrets Manager (It supports custom rotation via Lambda for third-party services).
- CloudTrail logs the metadata (API call, user, timestamp) but never the actual secret value (SecretString).
- It prevents the secret from appearing in the CloudFormation console, logs, or stack descriptions in plaintext.
- Yes, using the String or StringList types.
Muddy Points & Cross-Refs
- Secrets Manager vs. Parameter Store Cost: Use Parameter Store for standard configurations and non-sensitive data to save costs. Use Secrets Manager only for high-value secrets requiring rotation.
- KMS Integration: Remember that you need permissions for both the secret service (Secrets Manager/SSM) and the KMS key used to decrypt the value.
- Environment Variables: While commonly used, they are visible in the AWS Console and to anyone with DescribeInstances or GetFunction permissions. Managed services are preferred for high-security environments.