AWS Parameter Store & Secrets Manager Flashcards
What is the Parameter Store?
It is part of SSM; it provides secure storage for configuration data and secrets. Values can be stored as plain text or encrypted using KMS.
Are the parameters in plain text or encrypted?
They can be either plain text or encrypted; you decide per parameter.
I have a configuration for my lambda, where can I securely store it?
You can store it in the parameter store.
I have a configuration for my autoscaling, where can I securely store it?
You can store it in the parameter store.
How is data referenced?
Using a unique name
How is data stored?
In a hierarchy
What types are supported by the parameter store?
- Strings
- StringList
- SecureString
How do you access the parameter store?
Using a library/SDK that calls the API. This means you can use it from a container, Lambda, EC2, Beanstalk, ECS, EKS, CodeBuild/CodeDeploy, etc.
What size can parameters be?
- Standard: up to 4K
- Advanced: up to 8K
I want my parameters to expire after 3 months, how can I do this?
You cannot with standard parameters, but you can with advanced parameters.
Can I have parameters encrypted?
Yes, as a SecureString; this is where KMS is used.
Can I use a Key from another account for parameter encryption?
Yes
I have an instance with an application that is using a secure, encrypted parameter from the parameter store. You have created a role and attached it to the instance, and the role has permissions to access the parameter in the parameter store, but I am getting an error when accessing the parameter. Why?
It is because you have not added KMS permissions for the instance role.
Where could I put parameters from my lambda application?
In the parameter store.
I am using CloudFormation and want a central location where I can put parameters, keep them secure, and have them accessible from CloudFormation. What can I use?
You can use the parameter store.
How can I have a hierarchy in the parameter store?
You can have a real hierarchy: parameter names use '/' as the separator between levels.
I want to store a secret for the RDS DB and have it rotated, how can I do this?
You cannot have automatic rotation in the parameter store; Secrets Manager has much better functionality for this.
I want to be able to use the parameter store to automatically rotate my secrets in my custom database, what is my best option?
Use Secrets Manager. With Secrets Manager you can have a Lambda called when it is time for the secret rotation, and with Lambda you can run custom code to have the key rotated.
I am using Secrets Manager and I want to monitor a secret and have an alarm sent to me when it is changed, how can I do this?
You can use Secrets Manager to store the secret and CloudTrail to record any change to the secrets, then use CloudWatch Events to trigger an SNS topic to send an email.
I am using CloudFormation with RDS and I want to have RDS database secrets, how can I do this?
It is probably best not to use the parameter store and to use Secrets Manager instead; this way you get the ability to have secret rotation, and Secrets Manager has integration with RDS for the secret rotation.
When using Secrets Manager, how can you control access to the secrets?
Use IAM.
How can I distribute parameters to EC2 instances in an autoscaling group?
You can use the parameter store.
When using Secrets Manager, is it possible to rotate secrets every 30 days?
Yes, 100%. Secrets can be rotated every X number of days.
Explain AWS Secrets manager resource-based policies
AWS Secrets Manager Resource-based Policies allow you to control access to secrets by attaching an IAM policy directly to the secret itself, rather than to a user, role, or group. This gives you more flexibility, especially for cross-account access.
🔐 What is a Resource-based Policy?
A resource-based policy is a JSON policy document attached to a specific AWS resource (like a secret in Secrets Manager) that specifies:
- Who can access the resource (via the Principal)
- What actions they can take (via Action)
- Under what conditions (via Condition)
✅ When to Use Resource-based Policies in Secrets Manager
- You want to grant access across AWS accounts.
- You need fine-grained control over secret access without modifying IAM roles/policies in other accounts.
- You want multiple principals to access the same secret with different permissions.
📄 Example Policy: Cross-account access
This policy allows a role in another account to retrieve a secret:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/ExternalAppRole"
      },
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    }
  ]
}
```
📌 Key Actions in Secrets Manager Policies
| Action | Description |
|--------|-------------|
| secretsmanager:GetSecretValue | Retrieve the secret value |
| secretsmanager:DescribeSecret | Get metadata about the secret |
| secretsmanager:PutSecretValue | Store a new version of the secret |
| secretsmanager:DeleteSecret | Schedule deletion of the secret |
🛡️ Best Practices
- Use conditions to restrict access further (e.g., IP, VPC, encryption context).
- Least privilege: only allow the specific actions needed.
- Use aws:PrincipalOrgID or VPC conditions to limit exposure.
🧩 Common Use Case Example
You have an app in Account A that needs access to a secret stored in Account B:
1. Create a resource policy on the secret in Account B.
2. Grant permission to the role in Account A.
3. Ensure the role in Account A has permission to call secretsmanager:GetSecretValue.
When using AWS Secrets Manager and you want to rotate the secret, do you have to supply a Lambda function?
Yes, this is a requirement; you will have to supply the logic for the Lambda function for the key rotation.
For AWS Secrets Manager, what types of integrations are available?
AWS Secrets Manager integrates with CloudFormation, CodeBuild, ECS, EMR, Fargate, EKS, Parameter Store, RDS, and many more.
When using Secrets Manager, is there out-of-the-box support for rotation of RDS keys?