Secrets Manager Flashcards
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for passwords?
important
Secrets Manager (both can handle it)
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for API keys?
important
Secrets Manager (both can handle it)
Secrets Manager or Parameter Store?
Secrets Manager or Param Store to auto-rotate things?
important
Secrets Manager
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for RDS passwords?
Secrets Manager (can auto-sync with DB)
Secrets Manager or Parameter Store?
Secrets Manager or Param Store for things other than secrets?
Parameter Store
Rotation
Big value prop for Secrets Manager over Parameter Store?
Secrets rotation
Rotation
How does Secrets Manager rotate secrets?
important
Managed secrets are rotated by Secrets Manager itself, custom ones via your Lambda function
Rotation
When don’t you need a BYOLambda to auto-rotate?
RDS, Redshift
Rotation
How does rotation work with certain databases?
Database and SM coordinate, password changed in both (stay in sync)
Rotation
How do you set up a secret for an RDS database + autorotation?
Checkbox on console when you create the secret (it's all automatic)
Labels
What are labels?
Just like git labels: human-friendly pointer to a specific version
Labels
What labels are maintained automatically by Secrets Manager?
AWSCURRENT, AWSPENDING, AWSPREVIOUS
Deleting Secrets
What happens when you delete a secret?
Gets marked for deletion, secret now inaccessible
Deleting Secrets
How long do you have to undo this deletion?
7 days
Deleting Secrets
How can you tell if a secret is used?
Delete it and use a CloudWatch Alarm to tell you if something tried to access it