Day - 19 | Secret Management

AWS Services for Secret Management

1️⃣ AWS Secrets Manager (Best for production)

Purpose: Secure storage + automatic rotation

🔹 What it stores

• DB credentials (RDS, Aurora)

• API keys

• OAuth tokens

• Any JSON-based secret

🔹 Key features

• 🔐 Encrypted using KMS

• 🔄 Automatic rotation via Lambda

• 🧾 Versioning & auditing

• 🔑 Fine-grained IAM access

🔹 Example (CLI)

aws secretsmanager create-secret \
  --name prod/db/password \
  --secret-string '{"username":"admin","password":"mypassword"}'

🔹 Access from EC2 / Lambda

aws secretsmanager get-secret-value --secret-id prod/db/password

2️⃣ AWS Systems Manager Parameter Store

Purpose: Config + secrets (simpler & cheaper)

🔹 Types

• String

• StringList

• 🔐 SecureString (encrypted)

🔹 Example

aws ssm put-parameter \
  --name "/prod/db/password" \
  --value "mypassword" \
  --type SecureString

Retrieve:

aws ssm get-parameter \
  --name "/prod/db/password" \
  --with-decryption

🔐 How applications should access secrets

✅ Use IAM roles, not credentials

App (EC2 / ECS / Lambda)
   ↓ (IAM Role)
Secrets Manager / Parameter Store
   ↓
Decrypted secret at runtime

🔁 Secrets Manager vs Parameter Store