AWS Secrets Management: Systems Manager & Secrets Manager

Learning Objectives

After studying this guide, you should be able to:

Differentiate between AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store.
Design a secure strategy for automatic credential rotation using AWS Lambda.
Apply the principle of least privilege to secret access using IAM policies and KMS keys.
Implement temporary credentials for on-premises and mobile workloads using IAM Roles Anywhere and Cognito.

Key Terms & Glossary

Secret: A sensitive piece of information (API key, DB password, OAuth token) that must be protected from unauthorized access.
Parameter: A configuration string or secret managed by SSM, often used for environment-specific variables.
Rotation: The automated process of updating a secret on a schedule to limit the window of opportunity for an attacker.
SecureString: A Parameter Store data type that uses KMS to encrypt sensitive values.
IAM Roles Anywhere: A service that allows on-premises workloads to exchange X.509 certificates for temporary AWS credentials.

The "Big Idea"

The most secure credential is the one you never have to store. In a modern cloud architecture, static, long-lived credentials are a liability. Secrets management is not just about "where" you store a password; it is about automating the lifecycle of that password (creation, distribution, rotation, and revocation) so that manual intervention is eliminated and the risk of leakage is minimized.

Formula / Concept Box

Feature	AWS Secrets Manager	SSM Parameter Store
Primary Use Case	Complex secrets (DB, API Keys)	Configuration and simple secrets
Automatic Rotation	Native (integrated with Lambda)	No (manual or custom logic)
Cross-Account Access	Easy (Resource-based policies)	Complex (requires IAM Role assumption)
Cost	Paid per secret/month + API calls	Standard is Free; Advanced has costs

[!TIP] If you need to rotate a database password without downtime, choose AWS Secrets Manager.

Hierarchical Outline

I. Core AWS Services for Secrets
- AWS Secrets Manager
  - Native integration with RDS, Redshift, and DocumentDB.
  - Built-in Rotation logic via Lambda functions.
  - Integration with AWS KMS for encryption at rest.
- AWS Systems Manager (SSM) Parameter Store
  - Standard vs. Advanced parameters.
  - Hierarchical storage (e.g., /prod/db/url).
  - Can act as a proxy/passthrough for Secrets Manager.
II. Strategy for Temporary Credentials
- IAM Roles: Best for EC2 and Lambda execution.
- Amazon Cognito: Best for mobile/web users (Identity Pools).
- IAM Roles Anywhere: Best for non-AWS/on-premises servers.
III. Security Best Practices
- Least Privilege: Use IAM Access Analyzer to refine policies.
- Automation: Use Infrastructure as Code (CloudFormation) for secret deployment.

Visual Anchors

Secret Retrieval Workflow

Loading Diagram...

Automated Rotation Architecture

Compiling TikZ diagram…

⏳

Running TeX engine…

This may take a few seconds

Definition-Example Pairs

Credential Rotation: The automated replacement of a password.
- Example: An RDS MySQL password is changed every 30 days by a Lambda function; Secrets Manager updates the application's connection string without a restart.
Identity Federation: Allowing external identities to access AWS resources.
- Example: A developer uses an OIDC token from Google to get temporary AWS credentials via a Cognito Identity Pool to upload a file to S3.

Worked Examples

Problem: Securing an RDS Connection

A company has a web application running on EC2. The application currently stores the database password in a plain-text configuration file. The security team requires that the password be rotated every 60 days.

Step-by-Step Breakdown:

Migrate to Secrets Manager: Move the hardcoded password into AWS Secrets Manager.
Assign IAM Role: Attach an IAM Instance Profile to the EC2 instance with secretsmanager:GetSecretValue permission.
Update Application Code: Modify the application to call the Secrets Manager API (using the AWS SDK) instead of reading the local config file.
Enable Rotation: Configure the RDS secret in Secrets Manager to rotate every 60 days. Select the "Single User" or "Multi-User" rotation template (AWS provides the Lambda function automatically for RDS).
Audit: Use CloudTrail to ensure only the authorized EC2 role is accessing the secret.

Checkpoint Questions

What is the main advantage of using Secrets Manager over Parameter Store for a database password?
How does IAM Roles Anywhere verify the identity of an on-premises server?
True or False: You can retrieve a secret stored in Secrets Manager by using an SSM Parameter Store API call.
Which AWS service is best suited for providing temporary credentials to unauthenticated mobile users?

▶Click to view answers

Native, automated rotation through Lambda.
Through a digital certificate (X.509) issued by a trusted Certificate Authority.
True (using the parameter path format /aws/reference/secretsmanager/secret_name).
Amazon Cognito Identity Pools.

Muddy Points & Cross-Refs

Pricing Confusion: Users often choose Parameter Store because the "Standard" tier is free, whereas Secrets Manager costs $0.40 per secret/month. However, for secrets requiring rotation, the operational cost of building custom rotation for Parameter Store usually exceeds the $0.40/mo fee.
KMS Permissions: A common error is giving a user access to the secret but forgetting to give them kms:Decrypt access on the CMK (Customer Managed Key) used to encrypt that secret.
Cross-Reference: See the IAM & Governance chapter for more on IAM Access Analyzer and Policy Sentry.

Comparison Tables

Secrets Manager vs. Parameter Store: Decision Matrix

Requirement	Recommended Service	Reason
Application Config (API URLs)	SSM Parameter Store	Simple, free, hierarchical.
Database Credentials	Secrets Manager	Automated rotation support.
Cross-Account Secrets	Secrets Manager	Supports Resource-Based Policies for easier access.
Mobile App Temporary Keys	Amazon Cognito	Specialized for identity federation.
On-Premise Machine Access	IAM Roles Anywhere	Exchanges certificates for STS tokens.