
AWS Secrets Management: Systems Manager & Secrets Manager

Secrets management (for example, Systems Manager, AWS Secrets Manager)

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store.
  • Design a secure strategy for automatic credential rotation using AWS Lambda.
  • Apply the principle of least privilege to secret access using IAM policies and KMS keys.
  • Implement temporary credentials for on-premises and mobile workloads using IAM Roles Anywhere and Cognito.

Key Terms & Glossary

  • Secret: A sensitive piece of information (API key, DB password, OAuth token) that must be protected from unauthorized access.
  • Parameter: A configuration string or secret managed by SSM, often used for environment-specific variables.
  • Rotation: The automated process of updating a secret on a schedule to limit the window of opportunity for an attacker.
  • SecureString: A Parameter Store data type that uses KMS to encrypt sensitive values.
  • IAM Roles Anywhere: A service that allows on-premises workloads to exchange X.509 certificates for temporary AWS credentials.

The "Big Idea"

The most secure credential is the one you never have to store. In a modern cloud architecture, static, long-lived credentials are a liability. Secrets management is not just about "where" you store a password; it is about automating the lifecycle of that password (creation, distribution, rotation, and revocation) so that manual intervention is eliminated and the risk of leakage is minimized.

Formula / Concept Box

| Feature              | AWS Secrets Manager               | SSM Parameter Store                    |
|----------------------|-----------------------------------|----------------------------------------|
| Primary Use Case     | Complex secrets (DB, API keys)    | Configuration and simple secrets       |
| Automatic Rotation   | Native (integrated with Lambda)   | No (manual or custom logic)            |
| Cross-Account Access | Easy (resource-based policies)    | Complex (requires IAM role assumption) |
| Cost                 | Paid per secret/month + API calls | Standard is free; Advanced has costs   |

[!TIP] If you need to rotate a database password without downtime, choose AWS Secrets Manager.

Hierarchical Outline

  • I. Core AWS Services for Secrets
    • AWS Secrets Manager
      • Native integration with RDS, Redshift, and DocumentDB.
      • Built-in Rotation logic via Lambda functions.
      • Integration with AWS KMS for encryption at rest.
    • AWS Systems Manager (SSM) Parameter Store
      • Standard vs. Advanced parameters.
      • Hierarchical storage (e.g., /prod/db/url).
      • Can act as a proxy/passthrough for Secrets Manager.
  • II. Strategy for Temporary Credentials
    • IAM Roles: Best for EC2 and Lambda execution.
    • Amazon Cognito: Best for mobile/web users (Identity Pools).
    • IAM Roles Anywhere: Best for non-AWS/on-premises servers.
  • III. Security Best Practices
    • Least Privilege: Use IAM Access Analyzer to refine policies.
    • Automation: Use Infrastructure as Code (CloudFormation) for secret deployment.

Visual Anchors

Secret Retrieval Workflow (diagram not rendered in this extraction)

Automated Rotation Architecture

\begin{tikzpicture}[node distance=2cm, every node/.style={fill=white, font=\small}, align=center]
  \node (sm) [draw, rectangle, rounded corners, minimum width=3cm] {AWS Secrets Manager \\ \textit{(Stores Version)}};
  \node (lambda) [draw, rectangle, fill=orange!20, right=of sm] {Lambda \\ \textit{(Rotation Logic)}};
  \node (db) [draw, cylinder, shape border rotate=90, fill=blue!10, below=of lambda, minimum height=1.5cm] {Target Database};

  \draw [->, thick] (sm) -- node[above] {Trigger} (lambda);
  \draw [->, thick] (lambda) -- node[left] {Update Password} (db);
  \draw [->, thick] (lambda) to[bend left=35] node[below] {Update Secret} (sm);
\end{tikzpicture}

Definition-Example Pairs

  • Credential Rotation: The automated replacement of a password.
    • Example: An RDS MySQL password is changed every 30 days by a Lambda function; Secrets Manager updates the application's connection string without a restart.
  • Identity Federation: Allowing external identities to access AWS resources.
    • Example: A developer uses an OIDC token from Google to get temporary AWS credentials via a Cognito Identity Pool to upload a file to S3.

Worked Examples

Problem: Securing an RDS Connection

A company has a web application running on EC2. The application currently stores the database password in a plain-text configuration file. The security team requires that the password be rotated every 60 days.

Step-by-Step Breakdown:

  1. Migrate to Secrets Manager: Move the hardcoded password into AWS Secrets Manager.
  2. Assign IAM Role: Attach an IAM Instance Profile to the EC2 instance with secretsmanager:GetSecretValue permission.
  3. Update Application Code: Modify the application to call the Secrets Manager API (using the AWS SDK) instead of reading the local config file.
  4. Enable Rotation: Configure the RDS secret in Secrets Manager to rotate every 60 days. Select the "Single User" or "Multi-User" rotation template (AWS provides the Lambda function automatically for RDS).
  5. Audit: Use CloudTrail to ensure only the authorized EC2 role is accessing the secret.

Checkpoint Questions

  1. What is the main advantage of using Secrets Manager over Parameter Store for a database password?
  2. How does IAM Roles Anywhere verify the identity of an on-premises server?
  3. True or False: You can retrieve a secret stored in Secrets Manager by using an SSM Parameter Store API call.
  4. Which AWS service is best suited for providing temporary credentials to unauthenticated mobile users?
Answers
  1. Native, automated rotation through Lambda.
  2. Through a digital certificate (X.509) issued by a trusted Certificate Authority.
  3. True (using the parameter path format /aws/reference/secretsmanager/secret_name).
  4. Amazon Cognito Identity Pools.

Muddy Points & Cross-Refs

  • Pricing Confusion: Users often choose Parameter Store because the "Standard" tier is free, whereas Secrets Manager costs $0.40 per secret/month. However, for secrets requiring rotation, the operational cost of building custom rotation for Parameter Store usually exceeds the $0.40/mo fee.
  • KMS Permissions: A common error is giving a user access to the secret but forgetting to give them kms:Decrypt access on the CMK (Customer Managed Key) used to encrypt that secret.
  • Cross-Reference: See the IAM & Governance chapter for more on IAM Access Analyzer and Policy Sentry.
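The KMS permissions point above is easy to catch mechanically before a deployment. The following is an added example, not from the study guide, of a small checker that inspects an IAM identity policy document and flags a principal that is allowed secretsmanager:GetSecretValue but not kms:Decrypt (which breaks reads of secrets protected by a customer managed key), and, in the spirit of the least-privilege objective, also flags kms:Decrypt granted on Resource "*" or without a kms:ViaService condition. The two policies are constructed samples; the account id 111122223333 and the key id are placeholders, and IAM's wildcard matching is approximated with fnmatch.

```python
# Added example (not from the study guide): policy checker for the
# "secret readable but key not decryptable" mistake. Sample policies below are
# constructed; account id and key id are placeholders.
import fnmatch


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def matching_statements(policy, action):
    """Allow statements whose Action patterns cover `action` (case-insensitive, as IAM matches)."""
    return [s for s in allow_statements(policy)
            if any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(s.get("Action", [])))]


def condition_keys(stmt):
    """Set of condition keys used by a statement, across all operators."""
    keys = set()
    for operator in stmt.get("Condition", {}).values():
        keys.update(operator.keys())
    return keys


def check_secret_access(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if not matching_statements(policy, "secretsmanager:GetSecretValue"):
        return findings  # nothing to check: the principal cannot read secrets anyway
    kms_stmts = matching_statements(policy, "kms:Decrypt")
    if not kms_stmts:
        findings.append("MISSING_KMS_DECRYPT: GetSecretValue is allowed but kms:Decrypt is not; "
                        "reads of secrets under a customer managed key will be denied")
    for s in kms_stmts:
        if "*" in _as_list(s.get("Resource", [])):
            findings.append("BROAD_KMS_DECRYPT: kms:Decrypt on Resource '*' instead of the key ARN")
        if "kms:ViaService" not in condition_keys(s):
            findings.append("NO_VIASERVICE_CONDITION: kms:Decrypt is usable directly, "
                            "not only through Secrets Manager")
    return findings


# Constructed sample: the mistake described in the study guide.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-*",
    }],
}

# Constructed sample: same read permission plus a scoped kms:Decrypt grant.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-*"},
        {"Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER",
         "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_secret_access(policy) or "OK")
```

The check is intentionally narrow: it reads only identity policies, so a key policy or a permissions boundary that grants or denies kms:Decrypt is outside its view, and an explicit Deny elsewhere would not be detected. It is a pre-deployment lint, not a substitute for IAM Access Analyzer or a CloudTrail review of actual AccessDenied events.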

Comparison Tables

Secrets Manager vs. Parameter Store: Decision Matrix

| Requirement                   | Recommended Service | Reason                                           |
|-------------------------------|---------------------|--------------------------------------------------|
| Application Config (API URLs) | SSM Parameter Store | Simple, free, hierarchical.                      |
| Database Credentials          | Secrets Manager     | Automated rotation support.                      |
| Cross-Account Secrets         | Secrets Manager     | Supports resource-based policies for easier access. |
| Mobile App Temporary Keys     | Amazon Cognito      | Specialized for identity federation.             |
| On-Premise Machine Access     | IAM Roles Anywhere  | Exchanges certificates for STS tokens.           |
