Skip to content

Secrets Manager

Links: 101 AWS SAA Index
Recommended Reads: SSM Parameter Store vs Secrets Manager

Secrets Manager

  • It is a newer service and came out after SSM parameter store
  • The sole purpose is to store secrets.
  • We have the capability to force rotation of secrets every X days. This cannot be done with SSM Parameter Store.
    • Automatic rotation is done with the help of a lambda function.
  • Automate the generation of secrets on rotation (uses lambda)
  • Secrets are encrypted using KMS
  • Integration with AWS RDS.
Mostly meant for secrets RDS integration and rotation
Whenever you see the word rotated with secrets always go with Secrets Manager over SSM Parameter Store.

Secrets Manager Monitoring (SOA)

  • CloudTrail captures API calls to the Secrets Manager API and other related events that might have a security or compliance impact on your AWS account or might help you troubleshoot operational problems.
  • CloudTrail records these events as non-API service events:
    • RotationStarted event
    • RotationSucceeded event
    • RotationFailed event
    • RotationAbandoned event - a manual change to a secret instead of automated rotation
    • StartSecretVersionDelete event
    • CancelSecretVersionDelete event
    • EndSecretVersionDelete event
  • Combine with CloudWatch Logs and CloudWatch alarms for automations.
    • attachments/Pasted image 20230307080502.jpg

  • Rotation failed events are important.

  • Troubleshooting rotation:

    • attachments/Pasted image 20230307080444.jpg

Last updated: 2023-03-07