Secrets Manager Flashcards

1
Q

Secrets Manager or Parameter Store?

Secrets Manager or Param Store for passwords?

important

A

Secrets Manager (both can handle it)

2
Q

Secrets Manager or Parameter Store?

Secrets Manager or Param Store for API keys?

important

A

Secrets Manager (both can handle it)

3
Q

Secrets Manager or Parameter Store?

Secrets Manager or Param Store to auto-rotate things?

important

A

Secrets Manager

4
Q

Secrets Manager or Parameter Store?

Secrets Manager or Param Store for RDS passwords?

A

Secrets Manager (can auto-sync with DB)

5
Q

Secrets Manager or Parameter Store?

Secrets Manager or Param Store for things other than secrets?

A

Parameter Store

6
Q

Rotation

Big value prop for Secrets Manager over Parameter Store?

A

Secrets rotation

7
Q

Rotation

How does Secrets Manager rotate secrets?

important

A

Managed secrets are rotated by Secrets Manager itself; custom secrets are rotated via your own Lambda function

8
Q

Rotation

When don’t you need a BYOLambda to auto-rotate?

A

RDS, Redshift

9
Q

Rotation

How does rotation work with certain databases?

A

Database and SM coordinate, password changed in both (stay in sync)

10
Q

Rotation

How do you set up a secret for an RDS database with auto-rotation?

A

Checkbox on the console when you create the secret (it's all automatic)

11
Q

Labels

What are labels?

A

Just like git labels: human-friendly pointer to a specific version

12
Q

Labels

What labels are maintained automatically by Secrets Manager?

A

AWSCURRENT, AWSPENDING, AWSPREVIOUS

13
Q

Deleting Secrets

What happens when you delete a secret?

A

Gets marked for deletion; the secret is now inaccessible

14
Q

Deleting Secrets

How long do you have to undo this deletion?

A

7 days

15
Q

Deleting Secrets

How can you tell if a secret is used?

A

Delete it and use a CloudWatch Alarm to tell you if something tried to access it

16
Q

Deleting Secrets

Can you get back a deleted secret?

A

Yes, if within the 7-day deprecation period. Simple API call

17
Q

Security

Are secrets encrypted?

A

Yes, all entries in Secrets Manager are encrypted at rest with KMS

18
Q

Security

How are secrets encrypted?

A

KMS with a unique DEK per secret

19
Q

Security

How do you secure a Secret?

A

Resource-based policy on the Secret, or Identity-based policy

20
Q

Security

I updated the Resource policy, but SM rejected it! Why?

A

Might have secretsmanager:BlockPublicPolicy

21
Q

Security

What is Block public policy?

A

Special logic that won’t allow a resource policy if it’s too “open”.

22
Q

Security

How can you re-encrypt a secret that uses aws/secretsmanager key for multi-account access?

A

Easy, just pick a CMK: keys can be changed at any time.

23
Q

Security

If you change keys, what happens to older versions that use the old key?

A

Have to use the old key to decrypt the secret.

24
Q

Multi-Account, Multi-Region

What about DR and multi-region?

A

Replicate a Secret: has same name in all regions it replicates to.

25
Q

Multi-Account, Multi-Region

What things do you have to setup to get Secret replication working?

A

Just turn it on, it’s all automatic

26
Q

Multi-Account, Multi-Region

Can principals from other accounts access Secrets cross-account?

A

Yes, if the secret is encrypted with a CMK and they have access to the CMK

27
Q

Multi-Account, Multi-Region

What AWS services integrate or use Secrets Manager to hold secrets?

A

…all of them :-) 40+ as of May ‘23

28
Q

Multi-Account, Multi-Region

Low-level design for how KMS encrypts and decrypts Secrets?

A

Uses DEKs

29
Q

Multi-Account, Multi-Region

Client-side best practice?

A

Use AWS-provided shim JDBC driver or client library. It caches fetched secrets and re-fetches when a login failure happens.

30
Q

Multi-Account, Multi-Region

What about EC2 instances without routable IPs?

A

Create Secrets Manager Endpoint for VPC (like S3 endpoint).

31
Q

Multi-Account, Multi-Region

So, do I have to build a completely separate API into my app?

A

You can reference Secrets in SM from Parameter Store automatically.

32
Q

Versions

When do old versions go away?

A

The oldest version is auto-deleted once you have 100 of them

33
Q

Versions

What’s the exception to the version delete rule?

A

Never deletes anything less than 24 hours old.

34
Q

Versions

Does PutSecretValue create a new version?

A

Yes

35
Q

Versions

Does UpdateSecret create a new version?

A

Yes