
AWS Secrets Manager

Last updated on December 4, 2025

AWS Secrets Manager Cheat Sheet

  • AWS Secrets Manager is a secrets management service that lets you securely store, rotate, manage, and retrieve database credentials, API keys, OAuth tokens, and other secrets throughout their lifecycle. It removes the need to hard-code credentials in application source or configuration and so improves your security posture.

Features

  • Encryption & Secure Transmission: Secrets are encrypted at rest using AWS KMS keys (customer-managed or default) and transmitted securely over TLS.
  • Secret Rotation: Rotate secrets on schedule or on demand via console, AWS SDK, or CLI.
  • Native Rotation Support: Automatically rotate credentials for Amazon RDS, Amazon DocumentDB, and Amazon Redshift.
  • Custom Rotation: Extend rotation to other secrets (e.g., Oracle on EC2, OAuth tokens) using custom Lambda functions.
  • Secret Metadata:
    • Name, description, ARN.
    • KMS key ARN used for encryption/decryption.
    • Rotation frequency and Lambda rotation function.
    • Tags for logical grouping, cost allocation, and ABAC.
  • Secret Versions & Staging Labels:
    • Multiple versions can exist; usually one active (AWSCURRENT).
    • Versions tracked with staging labels: AWSPENDING, AWSCURRENT, AWSPREVIOUS.
    • Older versions remain available until rotation completes.
  • Supported Secrets: Database credentials, on-premises credentials, SaaS credentials, API keys, SSH keys, JSON documents.
  • Client-Side Caching: Secrets can be cached and updated during rotations.
  • Cross-Region Replication: Copy secrets to multiple AWS Regions, including metadata, tags, and rotation settings.

How Secret Rotation Works

  1. Create Rotation Function: The Lambda rotation function generates a new set of credentials and stores it as a new version of the secret labeled AWSPENDING.
  2. Test New Secret: The function validates the AWSPENDING credentials against the secured service.
  3. Update Staging Labels: If the test succeeds, the AWSCURRENT label moves to the new version and the old version receives AWSPREVIOUS. If the test fails, AWSCURRENT is left unchanged.
  4. Client Update: Applications that retrieve the secret from Secrets Manager automatically start using the new version.
  5. Version Retention: Multiple previous versions can coexist until they are deprecated manually or automatically.

Network Setup Notes:

  • Lambda rotation functions can run inside or outside VPCs.
  • VPC Interface Endpoints can be used for private access to Secrets Manager without NAT.
  • CloudFormation templates are optional; rotation can be configured directly via console or API.

AWS Secrets Manager Security

  • By default, Secrets Manager does not write or cache the secret to persistent storage.
  • By default, Secrets Manager only accepts requests from hosts that use the open standard Transport Layer Security (TLS) and Perfect Forward Secrecy.
  • You can control access to the secret using AWS Identity and Access Management (IAM) policies.
  • You can tag secrets individually and apply tag-based access controls.
  • You can configure VPC endpoints to keep traffic between your VPC and Secrets Manager within the AWS network.
  • Secrets Manager does not immediately delete secrets. Instead, it immediately makes the secret inaccessible and schedules it for deletion after a recovery window of at least seven days. Until the recovery window ends, you can recover a secret you previously deleted.
  • Using the CLI, you can delete a secret without a recovery window.

AWS Secrets Manager Compliance

  • Secrets Manager is HIPAA, PCI DSS, ISO, SOC, FedRAMP, DoD SRG, IRAP, and OSPAR compliant.

AWS Secrets Manager Pricing

  • Pay per secret stored per month.
  • Pay per 10,000 API calls per month.
  • No extra cost for secret replication across regions.

Validate Your Knowledge

Question 1

A Security Engineer refactored an application to remove the hardcoded Amazon RDS database credential from the application and store it in AWS Secrets Manager instead. The application works fine after the code change. For improved data security, the Engineer enabled rotation of the credential in Secrets Manager and set the rotation to change every 30 days. The change was done successfully without any issues, but after a short while the application is getting an authentication error whenever it connects to the database.

What is the MOST likely cause of this issue?

  1. The Security Engineer doesn’t have the required AWS CloudHSM permissions. The AWS Secrets Manager encrypts the protected text of a secret by using AWS CloudHSM.
  2. Enabling rotation in AWS Secrets Manager causes the secret to rotate immediately.
  3. The Security Engineer doesn’t have a SecretsManagerReadWrite permission.
  4. IAM DB Authentication was accidentally turned off.

Correct Answer: 2

You can configure AWS Secrets Manager to automatically rotate the secret for an Amazon RDS database. Secrets Manager uses a Lambda function that it provides. When you enable rotation for a secret with Credentials for RDS database as the secret type, Secrets Manager automatically creates and configures a Lambda rotation function for you and associates the Amazon Resource Name (ARN) of that function with your secret. Secrets Manager also creates the IAM role associated with the function and configures the role with all of the required permissions. Alternatively, if you already use the same rotation strategy with another secret and want to reuse it for your new secret, you can specify the ARN of the existing function and use it for both secrets.

If you run your Amazon RDS DB instance in a VPC provided by Amazon VPC and the VPC doesn't have public Internet access, Secrets Manager also configures the Lambda function to run within that VPC. The Lambda rotation function must still be able to reach a Secrets Manager service endpoint to call the required API operations. If one or more of your resources in the VPC must communicate with the Internet, you can configure the VPC with a NAT gateway so the Lambda rotation function can query the public Secrets Manager service endpoint. If you have no requirement to communicate with the Internet, you can configure the VPC with a private Secrets Manager service endpoint accessible from within the VPC.

You can enable rotation for a secret with credentials for a supported Amazon RDS database by using the AWS Secrets Manager console, the AWS CLI, or one of the AWS SDKs. Secrets Manager encrypts the protected text of a secret by using the AWS Key Management Service (AWS KMS).

Enabling rotation causes the secret to rotate once immediately when you save the secret. Before you enable rotation, be sure you update all of your applications that use these credentials so that they retrieve the secret from Secrets Manager. The original credentials might not be usable after the initial rotation, and any application that you fail to update breaks as soon as the old credentials become invalid.

Hence, the correct answer is: Enabling rotation in AWS Secrets Manager causes the secret to rotate immediately.

The option that says: The Security Engineer doesn’t have the required AWS CloudHSM permissions. The AWS Secrets Manager encrypts the protected text of a secret by using AWS CloudHSM is incorrect because AWS Secrets Manager actually encrypts the secret using AWS KMS, and not AWS CloudHSM.

The option that says: The Security Engineer doesn’t have a SecretsManagerReadWrite permission is incorrect because the scenario said that the Engineer successfully enabled the rotation in AWS Secrets Manager without any issues. This means that the Engineer has all of the required IAM permissions needed.

The option that says: IAM DB Authentication was accidentally turned off is incorrect because this feature simply allows users to connect to Amazon RDS with IAM credentials. The secrets in AWS Secrets Manager are not IAM credentials, so IAM DB Authentication is irrelevant in this scenario.
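The failure in this scenario, and the Client-Side Caching feature from the cheat sheet, come down to the same thing: an application that holds a copy of the credential must be able to notice when AWSCURRENT has moved. The block below is an added example, not Tutorials Dojo's code and not AWS's own caching client library: SecretCache is a constructed TTL cache around a fetch callable (standing in for get_secret_value), connect_with_retry refreshes the secret once when authentication fails and retries, and RotatingBackend is a constructed stand-in for Secrets Manager plus the database it protects.

```python
import json
import time


class SecretCache:
    """Constructed TTL cache for a secret string returned by a fetch callable.

    fetch stands in for boto3's get_secret_value(...)["SecretString"]; the clock
    is injectable so the TTL can be exercised without sleeping.
    """

    def __init__(self, fetch, ttl_seconds=3600, clock=time.monotonic):
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._value = None
        self._expires_at = 0.0
        self.fetch_count = 0  # round-trips that actually hit Secrets Manager

    def get(self, force_refresh=False):
        """Return the parsed secret, fetching only when stale, missing or forced."""
        now = self._clock()
        if force_refresh or self._value is None or now >= self._expires_at:
            self._value = json.loads(self._fetch())
            self._expires_at = now + self._ttl
            self.fetch_count += 1
        return self._value


def connect_with_retry(cache, authenticate):
    """Authenticate with cached credentials; on failure refresh once (rotation may
    have moved AWSCURRENT to a new version) and retry before giving up."""
    creds = cache.get()
    if authenticate(creds["username"], creds["password"]):
        return "connected with cached credentials"
    creds = cache.get(force_refresh=True)
    if authenticate(creds["username"], creds["password"]):
        return "connected after refreshing rotated secret"
    raise PermissionError("authentication failed even with the latest AWSCURRENT version")


class RotatingBackend:
    """Constructed stand-in for Secrets Manager and the database it protects."""

    def __init__(self, username, password):
        self.username, self.password = username, password

    def get_secret_value(self):
        return json.dumps({"username": self.username, "password": self.password})

    def rotate(self, new_password):
        self.password = new_password  # AWSCURRENT now refers to the new version

    def authenticate(self, user, pw):
        return user == self.username and pw == self.password


def hardcoded_app(backend, password):
    """The refactored-away pattern from the question: a credential baked into the app."""
    return backend.authenticate("app", password)


def demo():
    """Rotate underneath a caching client and report each connection attempt."""
    backend = RotatingBackend("app", "pw-v1")
    cache = SecretCache(backend.get_secret_value, ttl_seconds=3600)
    outcomes = [connect_with_retry(cache, backend.authenticate)]
    backend.rotate("pw-v2")  # rotation completes; the cached copy is now stale
    outcomes.append(connect_with_retry(cache, backend.authenticate))
    outcomes.append(connect_with_retry(cache, backend.authenticate))
    return outcomes, cache.fetch_count, hardcoded_app(backend, "pw-v1")


if __name__ == "__main__":
    print(demo())
```

The hard-coded credential fails permanently after the first rotation, which is the authentication error in the question; the caching client pays one extra round-trip to recover and then serves from cache again, and the TTL keeps steady-state calls (and the per-10,000-API-call charge) low.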

References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-rds.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Note: This question was extracted from our AWS Certified Security Specialty Practice Exams.

AWS Secrets Manager Cheat Sheet References:

https://aws.amazon.com/secrets-manager/
https://aws.amazon.com/secrets-manager/faqs/
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
