Secrets Manager & Parameter Store
Difficulty: medium
Overview
AWS Secrets Manager:
- Auto rotation for RDS, Redshift, DocumentDB. Custom rotation via Lambda.
- Versioning: AWSCURRENT, AWSPENDING, AWSPREVIOUS labels.
- Cross-account via resource policies.
- Cost: $0.40/secret/month.
Parameter Store:
| | Standard | Advanced |
|---|---|---|
| Size | 4 KB | 8 KB |
| Cost | Free | $0.05/param/month |
| TTL policies | No | Yes |
SecureString: Encrypted with KMS.
Hierarchy: /myapp/prod/db-password. GetParametersByPath retrieves all under a prefix.
Secrets Manager vs Parameter Store:
| | Secrets Manager | Parameter Store |
|---|---|---|
| Cost | $0.40/secret | Free (standard) |
| Auto rotation | Built-in | Manual (Lambda) |
| Best for | DB creds, API keys | Config, flags, any secrets |
Practice Linked Questions
Q1. A developer stores an RDS database password in AWS Secrets Manager. The application retrieves it at startup. Six months later, the application breaks because the password changed. What Secrets Manager feature caused this?
Q2. A developer needs to store API keys, database passwords, and TLS certificates as configuration values accessible to Lambda functions. Some values are sensitive (must be encrypted); others are non-sensitive. Which service combination is recommended?