Secrets & Credentials Management
Difficulty: medium
Overview
Proper secrets management prevents credential exposure and enables automated rotation.
AWS Secrets Manager:
- Stores and manages secrets (DB credentials, API keys, OAuth tokens)
- Automatic rotation: Lambda-based; AWS-managed rotation functions exist for RDS (including Aurora), Redshift, and DocumentDB; any other secret type needs a custom rotation Lambda
- Rotation lifecycle (Lambda steps): createSecret → setSecret → testSecret → finishSecret
- Versioning: AWSCURRENT (active), AWSPENDING (during rotation), AWSPREVIOUS (recent old)
- Cross-account access: resource-based policy on the secret, plus the secret must be encrypted with a customer managed KMS key whose key policy grants the other account kms:Decrypt (the AWS managed key aws/secretsmanager cannot be used across accounts); the caller's identity policy must also allow secretsmanager:GetSecretValue and kms:Decrypt
- Cost: $0.40/secret/month + $0.05 per 10,000 API calls
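Worked example added to these notes (not code from AWS documentation): the three permission pieces a cross-account read needs (secret resource policy, customer managed key policy, consumer identity policy) and a small check that names whichever piece is missing. The account IDs, ARNs, region and role name are placeholders; the `missing_grants` and `_allows` helpers are illustrative, not an AWS API.

```python
# Added example: the three policies behind a cross-account Secrets Manager read.
# Account IDs, ARNs, region and role names are placeholders, not real resources.
import json

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CONSUMER_ROLE = "arn:aws:iam::444455556666:role/app-lambda-role"
REGION = "us-east-1"

def secret_resource_policy(consumer_role_arn):
    """Resource-based policy attached to the secret in the owning account.
    "Resource": "*" means this secret; the policy only ever applies to the secret it is on."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowConsumerRead",
        "Effect": "Allow",
        "Principal": {"AWS": consumer_role_arn},
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "*"}]}

def kms_key_policy(consumer_role_arn, region, admin_statements=()):
    """Key policy for the customer managed key that encrypts the secret. The AWS managed
    key aws/secretsmanager cannot be granted cross-account, so a CMK is mandatory.
    kms:ViaService limits the grant to decrypts performed through Secrets Manager.
    admin_statements must carry the key administrator statement of a real key policy."""
    return {"Version": "2012-10-17", "Statement": [*admin_statements, {
        "Sid": "AllowConsumerDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": consumer_role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}]}

def consumer_identity_policy(secret_arn, key_arn):
    """Identity policy on the consuming role. Cross-account access needs an Allow on
    both sides, so without this the two resource policies above are not enough."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}

def _allows(statements, action, principal=None, resource=None):
    """True if some Allow statement grants `action` (to `principal` and/or on `resource`)."""
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if action not in actions:
            continue
        if principal is not None:
            p = s.get("Principal", {}).get("AWS", [])
            if principal not in (p if isinstance(p, list) else [p]):
                continue
        if resource is not None and s.get("Resource") not in (resource, "*"):
            continue
        return True
    return False

def missing_grants(secret_policy, key_policy, consumer_policy, consumer_role_arn, secret_arn, key_arn):
    """Name the grants still missing for the consumer role to read the secret.
    A resource policy on the secret alone is the classic incomplete setup."""
    missing = []
    if not _allows(secret_policy["Statement"], "secretsmanager:GetSecretValue", principal=consumer_role_arn):
        missing.append("secret resource policy")
    if not _allows(key_policy["Statement"], "kms:Decrypt", principal=consumer_role_arn):
        missing.append("KMS key policy (CMK)")
    if not _allows(consumer_policy["Statement"], "secretsmanager:GetSecretValue", resource=secret_arn):
        missing.append("consumer identity policy: secretsmanager:GetSecretValue")
    if not _allows(consumer_policy["Statement"], "kms:Decrypt", resource=key_arn):
        missing.append("consumer identity policy: kms:Decrypt")
    return missing

def attach_secret_policy(secretsmanager_client, secret_arn, consumer_role_arn):
    """Real boto3 call that installs the secret's resource policy (needs credentials; not run offline)."""
    return secretsmanager_client.put_resource_policy(
        SecretId=secret_arn,
        ResourcePolicy=json.dumps(secret_resource_policy(consumer_role_arn)),
        BlockPublicPolicy=True)

if __name__ == "__main__":
    gaps = missing_grants(secret_resource_policy(CONSUMER_ROLE), kms_key_policy(CONSUMER_ROLE, REGION),
                          consumer_identity_policy(SECRET_ARN, KEY_ARN), CONSUMER_ROLE, SECRET_ARN, KEY_ARN)
    print("missing:", gaps or "nothing")
```

`BlockPublicPolicy=True` makes Secrets Manager reject a resource policy that would grant access to everyone; keep it on unless you really mean a public secret.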
Secrets Manager Rotation Process:
- createSecret: generate a new password (GetRandomPassword) and store it as a new version labelled AWSPENDING; the step must be idempotent because a retry re-invokes it with the same ClientRequestToken
- setSecret: push the pending credentials to the target service (e.g., change the RDS user's password); from this point the database no longer accepts the old password
- testSecret: connect with the pending credentials; if this fails the rotation stops and AWSCURRENT stays on the old version
- finishSecret: move AWSCURRENT to the pending version; the version that was current receives AWSPREVIOUS
- With the single-user strategy there is a short window between setSecret and finishSecret where the database only accepts the new password while AWSCURRENT still serves the old one; clients that cache the secret must refetch on authentication failure, and the alternating-users strategy (two DB users rotated in turn) removes the window entirely
AWS Systems Manager Parameter Store:
| Tier | Max Size | Cost | Parameter policies (Expiration, ExpirationNotification, NoChangeNotification) | Parameters per account/Region |
|---|---|---|---|---|
| Standard | 4 KB | Free | ❌ | 10,000 |
| Advanced | 8 KB | $0.05/param/month | ✅ | 100,000 |
- Throughput: 40 TPS by default for either tier; the "higher throughput" account setting raises this (up to 1,000 TPS) and is billed at $0.05 per 10,000 API interactions
- String: Plain text
- StringList: Comma-separated values
- SecureString: encrypted with KMS; the AWS managed key aws/ssm costs nothing extra, a customer managed key is billed per key and per request; readers need kms:Decrypt on that key in addition to ssm:GetParameter* (and must pass WithDecryption=true)
- Hierarchy: /app/env/key; GetParametersByPath (with Recursive and WithDecryption) returns everything under the prefix, paginated at up to 10 parameters per call, so larger hierarchies need NextToken or a paginator
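Loading a hierarchy with GetParametersByPath, added here as an example (not code from the notes or from AWS). The client is injected and `FakeSSM` plus the `SAMPLE` hierarchy are constructed stand-ins so the example runs offline; against AWS, pass `boto3.client("ssm")` and the loop is equivalent to `ssm.get_paginator("get_parameters_by_path")`.

```python
# Added example (not from the notes): load a /myapp/prod/ hierarchy with GetParametersByPath,
# following NextToken because a page holds at most 10 parameters. The client is injected;
# FakeSSM and SAMPLE are constructed stand-ins so the example runs offline.

def load_config(ssm, path):
    """Return {name minus prefix: value} for every parameter under `path`.
    Recursive=True includes sub-paths such as /myapp/prod/db/; WithDecryption=True
    needs kms:Decrypt on the key behind any SecureString. StringList values are split."""
    path = path if path.endswith("/") else path + "/"
    config = {}
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": True, "MaxResults": 10}
    while True:  # same as ssm.get_paginator("get_parameters_by_path").paginate(**kwargs)
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            key = p["Name"][len(path):]
            config[key] = p["Value"].split(",") if p["Type"] == "StringList" else p["Value"]
        if "NextToken" not in page:
            return config
        kwargs["NextToken"] = page["NextToken"]

class FakeSSM:
    """Constructed stand-in: params is {name: (type, value)}; paginates like the real API."""
    def __init__(self, params):
        self.params, self.calls = params, 0

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, MaxResults=10, NextToken=None):
        self.calls += 1
        names = sorted(n for n in self.params
                       if n.startswith(Path) and (Recursive or "/" not in n[len(Path):]))
        start = int(NextToken or 0)
        out = []
        for n in names[start:start + MaxResults]:
            typ, val = self.params[n]
            if typ == "SecureString" and not WithDecryption:
                val = "<ciphertext-blob>"  # without WithDecryption the API returns the ciphertext
            out.append({"Name": n, "Type": typ, "Value": val})
        resp = {"Parameters": out}
        if start + MaxResults < len(names):
            resp["NextToken"] = str(start + MaxResults)
        return resp

# Constructed sample hierarchy: 12 parameters under /myapp/prod/ (so two pages) plus a
# staging parameter that must not leak into the prod config.
SAMPLE = {f"/myapp/prod/feature{i}": ("String", f"flag{i}") for i in range(9)}
SAMPLE.update({
    "/myapp/prod/db/host": ("String", "prod-db.internal"),
    "/myapp/prod/db/password": ("SecureString", "s3cr3t"),
    "/myapp/prod/allowed_origins": ("StringList", "https://a.example,https://b.example"),
    "/myapp/staging/db/password": ("SecureString", "not-for-prod"),
})

if __name__ == "__main__":
    fake = FakeSSM(SAMPLE)
    cfg = load_config(fake, "/myapp/prod/")
    print(len(cfg), "parameters in", fake.calls, "calls;", cfg["db/host"], cfg["allowed_origins"])
```

Scope the reading role to the prefix as well: `ssm:GetParametersByPath` on `arn:aws:ssm:<region>:<account>:parameter/myapp/prod/*` plus `kms:Decrypt` on the key, so a prod function cannot read `/myapp/staging/` even by accident.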
Secrets Manager vs Parameter Store:
| | Secrets Manager | Parameter Store |
|---|---|---|
| Auto rotation | Built in (managed or custom Lambda) | None built in; schedule your own (e.g., EventBridge + Lambda) |
| Cost | $0.40/secret/month + $0.05 per 10,000 API calls | Free (standard); $0.05/param/month (advanced) |
| Max size | 64 KB | 4 KB (standard) / 8 KB (advanced) |
| Cross-account | Resource policy on the secret + customer managed KMS key | No resource policy; advanced-tier parameters can be shared through AWS RAM |
| Best for | DB creds, API keys needing rotation | Config, flags, secrets without auto-rotation |
Best Practices:
- Never hardcode credentials in code, committed config files, or environment variables (anyone who can read the function or task configuration can read them); fetch them at runtime from Secrets Manager or Parameter Store
- Use instance profiles (EC2), task roles (ECS), or execution roles (Lambda) for AWS service access instead of long-lived access keys
- Enable Secrets Manager rotation with a short window (e.g., 30 days); for databases prefer the alternating-users strategy so connections never hit the single-user gap
- Cache secrets in the client (AWS Parameters and Secrets Lambda Extension or the Secrets Manager caching client) and refresh the cache on an authentication failure, so a rotation does not take the application down
- Cross-account secrets need a customer managed KMS key; scope the key policy with kms:ViaService to Secrets Manager
- Use Parameter Store hierarchy for application configuration per environment and scope IAM to the prefix (e.g., parameter/myapp/prod/*)
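Added example of the client-side half of rotation (not code from the notes or from AWS): a small cache that reuses the secret and, on an authentication failure, refetches AWSCURRENT and retries once, which is the behaviour the caching client and the Lambda extension provide. `FakeSecretsManager` and `FakeDatabase` are constructed stand-ins so it runs offline.

```python
# Added example (not from the notes): client-side handling of a rotation. Cache the secret,
# reuse it, and on an authentication failure refetch AWSCURRENT and retry once. The
# Secrets Manager client and database are constructed stand-ins so this runs offline.
import json
import time

class AuthError(Exception):
    pass

class SecretCache:
    def __init__(self, sm, secret_id, ttl_seconds=3600, clock=time.monotonic):
        self.sm, self.secret_id, self.ttl, self.clock = sm, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def get(self, refresh=False):
        """Cached AWSCURRENT value; refetches on TTL expiry or when the caller forces it."""
        stale = self._fetched_at is None or self.clock() - self._fetched_at > self.ttl
        if refresh or stale:
            resp = self.sm.get_secret_value(SecretId=self.secret_id)  # default stage is AWSCURRENT
            self._value, self._fetched_at = json.loads(resp["SecretString"]), self.clock()
        return self._value

def connect_with_retry(cache, connect):
    """connect(creds) raises AuthError when the database rejects the password.
    One forced refresh covers the common case: rotation finished and moved AWSCURRENT
    after we cached. If the retry fails too, rotation is mid-flight (setSecret done,
    finishSecret not yet): the error propagates and the caller should back off and retry."""
    try:
        return connect(cache.get())
    except AuthError:
        return connect(cache.get(refresh=True))

class FakeSecretsManager:
    """Constructed stand-in: serves whatever is in self.secret as AWSCURRENT, counting calls."""
    def __init__(self, secret):
        self.secret, self.calls = dict(secret), 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"SecretString": json.dumps(self.secret)}

class FakeDatabase:
    """Constructed stand-in for the target database's password check."""
    def __init__(self, user, password):
        self.users = {user: password}

    def connect(self, creds):
        if self.users.get(creds["username"]) != creds["password"]:
            raise AuthError("password authentication failed")
        return f"connection as {creds['username']}"

def simulate_completed_rotation():
    """A rotation completes underneath a caching client; returns (result, API calls made)."""
    sm = FakeSecretsManager({"username": "app", "password": "old-pw"})
    db = FakeDatabase("app", "old-pw")
    cache = SecretCache(sm, "prod/db")
    connect_with_retry(cache, db.connect)           # first use: one fetch, cached
    # finishSecret ran: DB and AWSCURRENT hold the new password, the cache still has the old one
    db.users["app"] = sm.secret["password"] = "new-pw"
    result = connect_with_retry(cache, db.connect)  # AuthError -> refresh -> success
    return result, sm.calls

if __name__ == "__main__":
    print(simulate_completed_rotation())
```

The refresh-on-failure path is cheap because it only fires on a rejected login; a TTL alone would either hammer the API or leave the application broken for the rest of the TTL after a rotation.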
Practice Linked Questions
Q1. AWS Secrets Manager is configured to automatically rotate an RDS database password every 30 days. What happens to application connectivity DURING the rotation window?
Q2. A developer needs to store a database password that must be automatically rotated every 30 days and support cross-account access from Lambda functions. Which service is MOST appropriate?
Q3. A Lambda function in Account A needs to retrieve a secret stored in AWS Secrets Manager in Account B. What configuration is required?
Q4. A Lambda function retrieves application configuration values using the path /myapp/prod/. Which SSM Parameter Store API retrieves ALL parameters under this path in a single API call?
Q5. What is the correct sequence of steps that a Secrets Manager rotation Lambda function MUST implement?