AWS Secrets Manager

AWS Secrets Manager stores, rotates, and retrieves secrets — database credentials, API keys, OAuth tokens — via a managed service with IAM-governed access and KMS encryption. It removes the need to check secrets into code or configuration, and makes credential rotation an automated, auditable process.

Key Features:

• Automatic Rotation: Built-in rotation for RDS, Aurora, Redshift, and DocumentDB using Lambda rotation functions; custom rotation for any secret via your own Lambda.
• Versioning with AWSCURRENT / AWSPREVIOUS / AWSPENDING: Zero-downtime rotation — clients always fetch the current version, applications can roll back to previous if needed.
• KMS Encryption: At-rest encryption with AWS-managed or customer-managed KMS keys; cross-account access via resource policies on the CMK.
• Fine-Grained IAM: Per-secret resource policies, tag-based access, and VPC endpoint policies for private retrieval.
• Replication: Multi-region replicas for DR and locality.
• Audit: Every GetSecretValue is logged to CloudTrail for access auditing.

Secrets Manager vs. Parameter Store:

• Systems Manager Parameter Store is free for standard parameters, supports SecureString with KMS, but has no built-in rotation and is limited to 10 KB advanced parameters.
• Secrets Manager costs ~$0.40/secret/month + API calls but adds rotation, cross-region replication, and richer resource policies.
• Rule of thumb: credentials → Secrets Manager; config values → Parameter Store.

Common Patterns:

• Lambda / ECS / EKS Retrieval: Pull secrets at startup via IAM role; cache in-memory for the task lifetime.
• RDS Master Password Rotation: Attach a secret to the RDS instance and enable managed rotation.
• Third-Party API Keys: Store provider keys (Stripe, Datadog, OpenAI) with custom rotation Lambdas.
• Cross-Account Access: Producer account stores secret; consumer accounts retrieve via resource policy and shared KMS key.

Example: Retrieve a Secret

import boto3, json

sm = boto3.client("secretsmanager", region_name="us-west-2")
raw = sm.get_secret_value(SecretId="prod/app/db")["SecretString"]
creds = json.loads(raw)

# creds = {"username": "app", "password": "...", "host": "...", "port": 5432}