AWS Secrets Manager: SAA-C03 Study Guide
AWS Secrets Manager is a specialized service designed to help you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycle. It removes the need to hardcode sensitive information in source code or configuration files.
Core Concepts & Functionality
1. Secret Storage & Encryption
Secrets are stored as encrypted blobs or JSON structures. AWS Secrets Manager uses AWS Key Management Service (KMS) to encrypt the secret data at rest. When an application requests a secret, Secrets Manager decrypts it in memory and sends it over a secure TLS connection.
2. Automatic Rotation
This is the “Killer Feature” for the SAA-C03 exam. Secrets Manager can natively rotate credentials for supported AWS services (RDS, Redshift, DocumentDB). For other services (like custom API keys), you can trigger an AWS Lambda function to perform the rotation logic.
3. Multi-Region Replication
You can replicate secrets to multiple AWS Regions. This is critical for Disaster Recovery (DR) and multi-region application architectures, ensuring that if a primary region fails, the secondary region has the necessary credentials to stay operational.
Secrets Manager vs. SSM Parameter Store
| Feature | AWS Secrets Manager | SSM Parameter Store |
|---|---|---|
| Primary Use | Sensitive secrets (DB passwords, API keys) | Config data and secrets (SecureString) |
| Automatic Rotation | Native support (via Lambda) | No native rotation |
| Cost | $0.40 per secret / month + API costs | Free (Standard) / $0.05 (Advanced) |
| Cross-Account Access | Easier via resource-based policies | More complex (requires IAM roles) |
| Integration | Direct RDS/Redshift/DocumentDB integration | General purpose configuration |
Decision Matrix / If–Then Guide
- IF you need to automatically rotate RDS passwords THEN choose AWS Secrets Manager.
- IF you need a cost-effective way to store non-sensitive config THEN choose SSM Parameter Store.
- IF you need to share secrets across different AWS Accounts THEN use Secrets Manager Resource-based Policies.
- IF your application is multi-region and needs local secret access THEN enable Secrets Manager Replication.
Exam Tips and Gotchas
- Rotation requires Lambda: Even for RDS, AWS creates a Lambda function behind the scenes. If rotation fails, check Lambda permissions or VPC connectivity.
- Versioning: Secrets Manager maintains versions of secrets (Current, Previous, Pending) to ensure that applications don’t break during a rotation window.
- VPC Endpoints: For high security, use Interface VPC Endpoints (PrivateLink) so your traffic doesn’t leave the AWS network.
- CloudTrail Integration: Always mention CloudTrail when the exam asks about auditing who accessed a secret and when.
- Drift: Secrets Manager doesn’t automatically update your application code; your code must call the GetSecretValue API to fetch the latest version.
Topics Covered
Summary of key subtopics covered in this guide:
- Encryption at rest via AWS KMS
- Automated rotation using AWS Lambda
- Secrets Manager vs. SSM Parameter Store comparison
- Multi-region replication for High Availability
- Resource-based policies for cross-account access
- Cost structures and optimization
- Integration with RDS, Redshift, and DocumentDB
Security & Access
Secrets Manager integrates with IAM for identity-based access and with resource-based policies for cross-account sharing. It uses KMS for envelope encryption of the stored secret data.
Caching Strategy
To reduce costs and latency, use the Secrets Manager Client-side Caching library. This minimizes API calls to the service.
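The following is an added example (not from this guide or the AWS caching library) that ties together the versioning, "drift" and caching points above: a small in-memory cache that fetches the AWSCURRENT version of a secret, serves repeated reads without further GetSecretValue calls, and is explicitly refreshed once a rotation has invalidated the cached credentials. The `client` argument is anything exposing boto3's `get_secret_value(SecretId=..., VersionStage=...)`; in production pass `boto3.client("secretsmanager")`, while here a constructed fake stands in so the code runs offline, and the secret name `prod/db` and its contents are made up.

```python
import json
import time

class SecretCache:
    """Cache each secret's AWSCURRENT version for `ttl` seconds. Rotation moves that label
    to a new version, so call refresh() when the database rejects the cached credentials."""
    def __init__(self, client, ttl=300.0, clock=time.monotonic):
        self.client = client      # boto3 secretsmanager client (or a test double)
        self.ttl = ttl
        self.clock = clock        # injectable so tests can control expiry
        self._entries = {}        # secret_id -> (expires_at, parsed secret)

    def get(self, secret_id):
        entry = self._entries.get(secret_id)
        if entry is not None and entry[0] > self.clock():
            return entry[1]       # cache hit: no GetSecretValue call, no API charge
        return self.refresh(secret_id)

    def refresh(self, secret_id):
        """Call GetSecretValue for the AWSCURRENT version and replace the cached entry."""
        resp = self.client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        value = json.loads(resp["SecretString"])   # RDS-managed secrets are JSON documents
        self._entries[secret_id] = (self.clock() + self.ttl, value)
        return value

class FakeSecretsManager:
    """Constructed offline stand-in for boto3; counts API calls and simulates rotation."""
    def __init__(self):
        self.calls = 0
        self.versions = {"AWSCURRENT": {"username": "app", "password": "v1-constructed"}}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.versions[VersionStage])}

    def rotate(self, new_password):
        # Mimic rotation: AWSCURRENT becomes AWSPREVIOUS, the new version takes AWSCURRENT.
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = {"username": "app", "password": new_password}

def demo(reads=100):
    """Return (total API calls, password still cached after rotation, password after refresh)."""
    fake = FakeSecretsManager()
    cache = SecretCache(fake, ttl=300.0)
    for _ in range(reads):                         # all within the TTL: a single API call
        cache.get("prod/db")
    fake.rotate("v2-constructed")
    stale = cache.get("prod/db")["password"]       # TTL not expired: still the old value
    fresh = cache.refresh("prod/db")["password"]   # DB rejected stale creds: force a refresh
    return fake.calls, stale, fresh
```

A hundred reads cost one API call, and the only second call is the deliberate refresh after rotation; the stale read in between is exactly the window the AWSPREVIOUS version exists to cover.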
When to avoid?
Don’t use Secrets Manager for simple environment variables (e.g., APP_COLOR=blue). Use SSM Parameter Store (Standard) to save $0.40/month per key.
Production Use Case: Multi-Account RDS Access
A centralized Security Account stores database credentials. Production accounts fetch these credentials using a cross-account IAM role. Secrets Manager automatically rotates the password every 30 days, updating the RDS instance and the secret simultaneously, ensuring no downtime for the Production apps.