2.3.3 Secret Management Services

Secrets Manager vs SSM Parameter Store

Comparison

| Feature | Secrets Manager | SSM Parameter Store |
| Rotation | ✅ Built-in (Lambda) | ❌ Manual (Lambda + EventBridge) |
| RDS integration | ✅ Auto-rotate DB passwords | |
| Pricing | $0.40/secret/month + $0.05/10K API calls | Free (Standard) / $0.05 per advanced parameter |
| Cross-account | ✅ Resource policy | |
| Max size | 64KB | 4KB (Standard) / 8KB (Advanced) |
| Hierarchy | | /app/dev/db-password |
| Versioning | ✅ (staging labels) | |
| Encryption | ✅ KMS (mandatory) | ✅ KMS (optional, for SecureString) |

When to use which?

| Scenario | Choice |
| DB credentials that need auto-rotation | Secrets Manager |
| Cross-account secret sharing | Secrets Manager |
| Simple config values, feature flags | Parameter Store |
| Non-rotating secrets, cost-sensitive | Parameter Store |
| Hierarchical config (/app/env/key) | Parameter Store |

Secrets Manager — Auto Rotation

1. Secrets Manager → Invoke Lambda rotation function
2. Lambda → Create new secret version (AWSPENDING)
3. Lambda → Update resource (e.g., RDS password)
4. Lambda → Test new credentials
5. Lambda → Mark as AWSCURRENT
  • Built-in rotation for RDS, Redshift, DocumentDB
  • Custom rotation Lambda for other secrets
  • Rotation schedule: number of days or a cron expression
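The five steps above as a rotation Lambda, written here as an added example (not AWS's rotation template and not code from these notes): Secrets Manager invokes the handler once per step with Step set to createSecret, setSecret, testSecret and finishSecret, and the new version only receives AWSCURRENT after the test step succeeded. apply_pw and check_pw are hypothetical hooks into the target database, FakeSecretsClient is a constructed in-memory stand-in so the flow runs offline, and the password comes from the stdlib secrets module instead of Secrets Manager's get_random_password.

```python
import json, secrets

PENDING, CURRENT = "AWSPENDING", "AWSCURRENT"

def lambda_handler(event, context=None, client=None, apply_pw=None, check_pw=None):
    client = client or __import__("boto3").client("secretsmanager")   # real client inside Lambda
    sid, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=sid)["VersionIdsToStages"]
    if CURRENT in stages.get(token, []):
        return "noop"                       # finishSecret already ran: retries stay idempotent
    if step == "createSecret":              # 2. new version carrying only the AWSPENDING label
        cur = json.loads(client.get_secret_value(SecretId=sid, VersionStage=CURRENT)["SecretString"])
        cur["password"] = secrets.token_urlsafe(24)   # stdlib here; AWS offers get_random_password
        client.put_secret_value(SecretId=sid, ClientRequestToken=token,
                                SecretString=json.dumps(cur), VersionStages=[PENDING])
    elif step in ("setSecret", "testSecret"):   # 3. push to the resource, 4. verify the login
        pend = json.loads(client.get_secret_value(SecretId=sid, VersionId=token, VersionStage=PENDING)["SecretString"])
        ok = (apply_pw if step == "setSecret" else check_pw)(pend["username"], pend["password"])
        if step == "testSecret" and not ok:
            raise RuntimeError("new credentials rejected; AWSCURRENT left unchanged")
    elif step == "finishSecret":            # 5. move AWSCURRENT onto the tested version
        old = next(v for v, s in stages.items() if CURRENT in s)
        client.update_secret_version_stage(SecretId=sid, VersionStage=CURRENT,
                                           MoveToVersionId=token, RemoveFromVersionId=old)
    else:
        raise ValueError(f"unknown rotation step {step}")
    return step

def rotate(client, token, apply_pw, check_pw, sid="demo/db"):
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        try:
            lambda_handler({"SecretId": sid, "ClientRequestToken": token, "Step": step},
                           client=client, apply_pw=apply_pw, check_pw=check_pw)
        except RuntimeError:
            break                           # the real service records the failure and retries
    return client.describe_secret(SecretId=sid)["VersionIdsToStages"]

class FakeSecretsClient:
    def __init__(self, secret):             # constructed stand-in: version id -> [SecretString, labels]
        self.v = {"v1": [json.dumps(secret), [CURRENT]]}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(s) for k, (_, s) in self.v.items()}}
    def get_secret_value(self, SecretId, VersionStage, VersionId=None):
        vid = VersionId or next(k for k, (_, s) in self.v.items() if VersionStage in s)
        return {"SecretString": self.v[vid][0]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.v[ClientRequestToken] = [SecretString, list(VersionStages)]
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.v[RemoveFromVersionId][1].remove(VersionStage)
        self.v[MoveToVersionId][1].append(VersionStage)
```

Running rotate with a check_pw hook that returns False shows the safety property of the protocol: the old version keeps AWSCURRENT and the untested version is left at AWSPENDING.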

Parameter Store — Usage

import boto3

ssm = boto3.client('ssm')

# Get a single parameter. WithDecryption is needed to read a SecureString in
# plaintext; the caller also needs kms:Decrypt on the key protecting it.
response = ssm.get_parameter(
    Name='/myapp/prod/db-host',
    WithDecryption=True  # For SecureString
)
value = response['Parameter']['Value']

# Get all parameters under a path. The API returns at most 10 per call, so
# iterate the paginator instead of reading a single response.
config = {}
paginator = ssm.get_paginator('get_parameters_by_path')
for page in paginator.paginate(Path='/myapp/prod/', Recursive=True, WithDecryption=True):
    for param in page['Parameters']:
        config[param['Name']] = param['Value']

Lambda Environment Variables

  • Encrypted at rest by default (AWS managed key)
  • Custom encryption: KMS CMK + encryption helpers
  • Best practice: use Secrets Manager/SSM instead of env vars for secrets

Exam Tip: Need rotation → Secrets Manager. Need hierarchy → Parameter Store. DB credentials → Secrets Manager (built-in RDS rotation). Cost-sensitive → Parameter Store (free tier).