
Credential Management and Secret Rotation with AWS Secrets Manager

Create and rotate credentials for password management (for example, AWS Secrets Manager)


This study guide covers the centralized management of sensitive information such as database credentials, API keys, and OAuth tokens using AWS Secrets Manager, focusing on the lifecycle of a secret from creation to automated rotation.

Learning Objectives

  • Define the purpose and primary use cases for AWS Secrets Manager.
  • Configure a new secret using key-value pairs and KMS encryption.
  • Implement automated rotation for both native AWS services and custom applications.
  • Distinguish between AWS Secrets Manager and Systems Manager Parameter Store.
  • Architect cross-region secret replication for disaster recovery.

Key Terms & Glossary

  • Secret: A protected resource containing sensitive data (e.g., JSON string with username and password).
  • Rotation: The automated process of updating a secret's value at regular intervals to minimize the risk of compromise.
  • KMS (Key Management Service): The underlying service Secrets Manager uses to encrypt secret values at rest.
  • Resource-based Policy: A policy attached directly to a secret that defines who (which IAM roles or users) can access it.
  • Replication: Copying a secret to other AWS Regions to support global applications and business continuity.

The "Big Idea"

In modern cloud architecture, hardcoding credentials is a critical security vulnerability. AWS Secrets Manager transforms credentials from "static strings in code" to "dynamic resources accessed via API." This allows security teams to change passwords frequently without ever touching the application code or restarting servers, significantly reducing the blast radius of a potential credential leak.

Formula / Concept Box

Concept | Requirement / Rule
Encryption | All secrets MUST be encrypted at rest using a KMS key (AWS-managed or Customer-managed).
Rotation Window | Configured in days (e.g., 30, 60, 90). Managed via a Lambda function for non-native services.
Access Method | Applications call GetSecretValue using an IAM role with specific permissions.
Regional Scope | Secrets are regional by default but can be replicated to other regions.

Hierarchical Outline

  • I. Secret Creation & Storage
    • Secret Types: Database credentials (RDS, Redshift, DocumentDB) or "Other" (API keys).
    • Data Formats: Key-Value pairs (recommended) or Plaintext.
    • Encryption: Integrated with AWS KMS; secrets are decrypted only in memory during retrieval.
  • II. Access Control
    • IAM Policies: Grant secretsmanager:GetSecretValue to specific execution roles.
    • Resource Policies: Optional cross-account access control attached to the secret.
  • III. Rotation Mechanism
    • Native Rotation: Out-of-the-box support for RDS, Redshift, and DocumentDB.
    • Custom Rotation: Uses AWS Lambda to update third-party APIs or on-premises DBs.
  • IV. Global Availability
    • Replication: Primary secrets can be replicated to secondary regions.
    • Sync: Updates to the primary secret (including rotation) automatically propagate to replicas.
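The "Access Method" rule above (applications call GetSecretValue under an IAM role and always ask for AWSCURRENT) is easy to state but has a practical wrinkle: an application that caches the value must still pick up a rotated password. The following is an added example for this study guide, not AWS or boto3 code. The real call is `client.get_secret_value(SecretId=..., VersionStage="AWSCURRENT")` on a boto3 `secretsmanager` client; `FakeClient` is a constructed stand-in that returns the same response shape so the example runs offline, and the secret name, host and key names are constructed sample values.

```python
"""Application-side retrieval of an AWSCURRENT secret with a short-lived
in-memory cache, so rotated values are picked up without a redeploy.

Added example for this study guide, not AWS or boto3 code. FakeClient is a
constructed stand-in for boto3's secretsmanager client; only the response
shape (Name, SecretString, VersionStages) mirrors the real API.
"""
import json
import time
from urllib.parse import quote


class FakeClient:
    """Constructed stand-in for boto3's secretsmanager client."""

    def __init__(self, secret_string):
        self.secret_string = secret_string
        self.calls = 0  # lets the test prove the cache avoids repeated API calls

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string,
                "VersionStages": [VersionStage]}


class SecretCache:
    """Fetch a JSON key/value secret and hold the decrypted value only in memory."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self.client = client
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so tests can advance time
        self._cache = {}  # secret_id -> (fetched_at, parsed dict)

    def get(self, secret_id, required_keys=()):
        now = self.clock()
        entry = self._cache.get(secret_id)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]
        # Always ask for AWSCURRENT; Secrets Manager moves that label to the new
        # version only once rotation has finished.
        resp = self.client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        if "SecretString" not in resp:
            raise ValueError(f"{secret_id}: binary secret, expected SecretString")
        data = json.loads(resp["SecretString"])
        missing = [k for k in required_keys if k not in data]
        if missing:
            raise KeyError(f"{secret_id}: missing keys {missing}")
        self._cache[secret_id] = (now, data)
        return data

    def invalidate(self, secret_id):
        """Call after an authentication failure: the cached copy may predate a rotation."""
        self._cache.pop(secret_id, None)


def build_dsn(secret):
    """Turn an RDS-style secret (username, password, host, port, dbname) into a
    PostgreSQL URL. Credentials are URL-escaped; the value is never logged."""
    return "postgresql://{u}:{p}@{h}:{port}/{db}".format(
        u=quote(secret["username"], safe=""), p=quote(secret["password"], safe=""),
        h=secret["host"], port=secret["port"], db=secret["dbname"])
```

The TTL bounds how long a stale password can live in memory after rotation; the `invalidate` hook covers the remaining window, since a login rejected with a cached value is the usual first sign that AWSCURRENT has moved.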

Visual Anchors

Application Secret Retrieval Flow (diagram not available in this copy)

Secret Rotation Lifecycle

\begin{tikzpicture}[node distance=2cm, auto]
  \draw[->, thick] (0,0) arc (180:-150:1.5cm) node[midway, above] {Rotation Interval (e.g., 30 Days)};
  \node (start) at (0,0) [draw, rectangle, rounded corners] {Active Secret};
  \node (lambda) at (4,0) [draw, diamond, aspect=2] {Lambda Trigger};
  \node (new) at (8,0) [draw, rectangle, rounded corners] {New Credentials};
  \draw[->] (start) -- (lambda);
  \draw[->] (lambda) -- node {Update DB} (new);
  \draw[->] (new) -- +(0,-1.5) -| (start) node[pos=0.25, below] {Version Label Update};
\end{tikzpicture}

Definition-Example Pairs

  • Definition: Native Rotation
    • Example: Configuring Secrets Manager to automatically change an Amazon RDS for PostgreSQL password every 30 days without writing any custom code.
  • Definition: Key-Value Secret
    • Example: Storing a SendGrid API key with the Key as SENDGRID_API_KEY and the Value as SG.x789... for easy programmatic retrieval.
  • Definition: Cross-Region Replication
    • Example: An application running in us-east-1 and eu-west-1 uses a single secret replicated to both regions to ensure local low-latency access and failover capability.

Worked Examples

Creating a Secret for a Third-Party API

  1. Console Access: Navigate to Secrets Manager and select Store a new secret.
  2. Secret Type: Choose Other type of secret (since it's not a native AWS DB).
  3. Data Entry: Select Key/Value. Enter Key: ApiKey, Value: EXAMPLE-SECRET-TOKEN-123.
  4. Encryption: Select the default aws/secretsmanager KMS key.
  5. Naming: Name it production/payment-gateway/token.
  6. Rotation: Disable automatic rotation (unless a custom Lambda is already prepared for this specific API).
  7. Review: Save the secret and note the Secret ARN for IAM policy configuration.

Checkpoint Questions

  1. What service must Secrets Manager interact with to ensure secrets are not stored in plaintext at rest?
  2. If you need to rotate a secret for an Oracle database running on an EC2 instance, what additional AWS service is required?
  3. True or False: Secrets Manager automatically updates the password in your application's config.php file when rotation occurs.
  4. Which feature allows a secret created in us-east-1 to be available in us-west-2 for disaster recovery?

Comparison Tables

Secrets Manager vs. Systems Manager Parameter Store

Feature | AWS Secrets Manager | SSM Parameter Store
Primary Use Case | Sensitive credentials/API keys | General configuration & secrets
Rotation | Native support & built-in templates | Requires custom EventBridge/Lambda
Cost | Per secret, per month (Higher) | Free (Standard), Per parameter (Advanced)
Encryption | Always encrypted (KMS) | Optional (Plaintext or KMS)
Cross-Region | Native replication | Manual copy required

Muddy Points & Cross-Refs

  • Secret Versions: Beginners often struggle with how Secrets Manager handles rotation without downtime. It uses version labels (e.g., AWSCURRENT, AWSPREVIOUS). The app always asks for AWSCURRENT. During rotation, a new version is created, and the label is swapped only after the database update is confirmed.
  • VPC Endpoints: If your application is in a private subnet without an internet gateway (IGW), you must configure an Interface VPC Endpoint for Secrets Manager to allow the app to reach the service.
  • Cross-Ref: For more on how to authorize apps to read these secrets, see the IAM Policies & Roles study guide.
