Secrets Manager Flashcards
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for passwords?
important
Secrets Manager (both can handle it)
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for API keys?
important
Secrets Manager (both can handle it)
Secrets Manager or Parameter Store?
Secrets Manager or Param Store to auto-rotate things?
important
Secrets Manager
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for RDS passwords?
Secrets Manager (can auto-sync with DB)
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for things other than secrets?
Parameter Store
Rotation
Big value prop for Secrets Manager over Parameter Store?
Secrets rotation
Rotation
How does Secrets Manager rotate secrets?
important
Managed secrets are rotated by Secrets Manager itself; custom secrets are rotated via your own Lambda function
Rotation
When don’t you need a BYOLambda to auto-rotate?
RDS, Redshift
Rotation
How does rotation work with certain databases?
Database and SM coordinate, password changed in both (stay in sync)
Rotation
How do you set up a secret for an RDS database + autorotation?
Checkbox on console when you create the secret (it's all automatic)
Labels
What are labels?
Just like git labels: human-friendly pointer to a specific version
Labels
What labels are maintained automatically by Secrets Manager?
AWSCURRENT, AWSPENDING, AWSPREVIOUS
Deleting Secrets
What happens when you delete a secret?
Gets marked for deletion, secret now inaccessible
Deleting Secrets
How long do you have to undo this deletion?
7 days
Deleting Secrets
How can you tell if a secret is used?
Delete it and use a CloudWatch Alarm to tell you if something tried to access it
Deleting Secrets
Can you get back a deleted secret?
Yes, if within the 7-day deprecation period. Simple API call
Security
Are secrets encrypted?
Yes, all entries in Secrets Manager are encrypted at rest with KMS
Security
How are secrets encrypted?
KMS with a unique DEK per secret
Security
How do you secure a Secret?
Resource-based policy on the Secret, or Identity-based policy
Security
I updated the Resource policy, but SM rejected it! Why?
Might have secretsmanager:BlockPublicPolicy
Security
What is Block public policy?
Special logic that won’t allow a resource policy if it’s too “open”.
Security
How can you re-encrypt a secret that uses the aws/secretsmanager key for multi-account access?
Easy, just pick a CMK: you can change keys easily.
Security
If you change keys, what happens to older versions that use the old key?
Have to use the old key to decrypt the secret.
Multi-Account, Multi-Region
What about DR and multi-region?
Replicate a Secret: has same name in all regions it replicates to.
Multi-Account, Multi-Region
What things do you have to set up to get Secret replication working?
Just turn it on, it’s all automatic
Multi-Account, Multi-Region
Can principals from other accounts access Secrets cross-account?
Yes, if the secret is encrypted with a CMK and they have access to the CMK
Multi-Account, Multi-Region
What AWS services integrate or use Secrets Manager to hold secrets?
…all of them :-) 40+ as of May ‘23
Multi-Account, Multi-Region
Low-level design for how KMS encrypts and decrypts Secrets?
Uses DEKs
Multi-Account, Multi-Region
Client-side best practice?
Use AWS-provided shim JDBC driver or client library. It caches fetched secrets and re-fetches when a login failure happens.
Multi-Account, Multi-Region
What about EC2 instances without routable IPs?
Create Secrets Manager Endpoint for VPC (like S3 endpoint).
Multi-Account, Multi-Region
So, I have to have a complete other API built into my app?
You can reference Secrets in SM from Parameter Store automatically.
Versions
When do old versions go away?
Auto-delete oldest when you have 100 of them
Versions
What’s the exception to the version delete rule?
Never deletes anything less than 24 hours old.
Versions
Does PutSecretValue create a new version?
Yes
Versions
Does UpdateSecret create a new version?
Yes