Day 89 of 90 Days of DevOps Challenge: AWS Secrets Manager

Vaishnavi D

Yesterday, I explored AWS CloudFormation, a service that allows us to provision and manage AWS infrastructure using code (Infrastructure as Code). With CloudFormation, I learned how templates can be used to create, update, and delete entire stacks of resources consistently and repeatably. This makes managing infrastructure at scale both reliable and automated.

Today, I shifted my focus to AWS Secrets Manager, a service designed to securely manage, retrieve, and rotate secrets like database credentials, API keys, and other sensitive information without hardcoding them in applications or config files.

What is AWS Secrets Manager?

AWS Secrets Manager is a fully managed service for storing and retrieving the credentials your applications, services, and IT resources depend on, without exposing those secrets in your code. Instead of keeping sensitive data in environment variables, files, or code repositories, you store it in Secrets Manager and retrieve it programmatically at runtime.

This removes a big security risk: if credentials are hardcoded or manually shared, they can easily be leaked or misused. Secrets Manager automates secret storage, retrieval, and even rotation, ensuring that sensitive information stays secure and up to date.

Why do we need AWS Secrets Manager?

  • Security First: Storing secrets in plain text is a huge risk. Secrets Manager encrypts every secret at rest with an AWS KMS key (the AWS managed key aws/secretsmanager by default, or a customer managed key you choose), and secret values only travel over TLS.

  • Automatic Rotation: It can rotate credentials (for example, database passwords) on a schedule. Rotation is only downtime-free if clients cope with it: keep any client-side cache short and retry once on an authentication failure, and for databases prefer the alternating-users strategy, which keeps the previous credential valid until the next rotation instead of invalidating it immediately.

  • Fine-Grained Access Control: With IAM identity policies, plus an optional resource policy attached to each secret, you can tightly control which applications or users can read, write, or rotate which secrets.

  • Audit & Compliance: Every API call, including GetSecretValue, is logged in AWS CloudTrail (the caller, the secret, and the time, never the value), making it easy to track who accessed what and when.

  • Simplified Development: Developers don’t need to manually handle secrets. They simply call an API to retrieve the required secret securely.
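Fine-grained access control in practice means one policy per workload that names exactly one secret. The following is an added example, not code from the original post: it builds such a read-only policy and includes a small evaluator to check it. The account id, Region and secret names are made up; the evaluator models only the identity policy and ignores Condition keys, resource policies and the KMS key policy, all of which must also permit the call in a real account.

```python
"""Least-privilege IAM policy for one secret, plus a small policy check.

Added example, not code from the original post. The account id, region and
secret names are hypothetical; policy_allows models only the identity policy
and ignores Condition keys, resource policies and the KMS key policy.
"""
import fnmatch
import json

REGION = "us-east-1"
ACCOUNT = "123456789012"  # hypothetical account id


def secret_arn(name, suffix="AbCdEf"):
    """Secrets Manager appends '-' and six random characters to the secret name
    when it builds the ARN, so 'prod/db' becomes ...:secret:prod/db-AbCdEf."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}-{suffix}"


def read_only_policy(name):
    """Allow one workload to read one secret and nothing else.

    '-??????' matches the random suffix without matching other secrets whose
    names merely share the prefix (a trailing '*' would also grant
    'prod/db-replica'). No Put/Update/Delete/Rotate actions are granted.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOneSecret",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}-??????",
        }],
    }


def _matches(patterns, value, case_sensitive):
    # IAM treats '*' and '?' as wildcards in Action and Resource; fnmatch does too.
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants the call. Action names are case-insensitive, ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, False) and _matches(stmt["Resource"], resource, True):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def overbroad_statements(policy):
    """Sids of Allow statements a reviewer should push back on: a wildcard
    anywhere in an action name, or Resource '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if stmt["Effect"] == "Allow" and (any("*" in a for a in actions) or "*" in resources):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print(json.dumps(read_only_policy("prod/db"), indent=2))
```

The `-??????` suffix pattern is the detail people most often get wrong: a policy naming the bare secret ARN without the random suffix never matches, and a policy ending in `*` matches every secret that shares the prefix.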

How does it work?

  1. Store Secrets: You create a secret in AWS Secrets Manager, which could be an API key, database username/password, or custom key-value pairs.

  2. Encrypt: Secrets are encrypted with AWS KMS automatically.

  3. Access Secrets: Applications call the Secrets Manager API (through the SDKs, the CLI, or integrations such as the Lambda extension) to retrieve secrets at runtime, and cache them briefly rather than calling on every request.

  4. Rotate Automatically: You can configure automatic rotation of secrets (e.g., change a database password every 30 days). AWS provides rotation function templates for RDS, Aurora, Redshift, and DocumentDB; for anything else you write a Lambda function that implements the four rotation steps (createSecret, setSecret, testSecret, finishSecret).

  5. Monitor: All interactions are logged in AWS CloudTrail for auditing.

Use Cases of AWS Secrets Manager

  • Storing database credentials for RDS, Aurora, Redshift, or DocumentDB (DynamoDB is accessed through IAM and needs no stored password).

  • Protecting API keys for third-party services.

  • Managing OAuth tokens or other application secrets.

  • Automatically rotating passwords and keys to meet compliance requirements.

  • Securing multi-environment configurations (Dev, Test, Prod) without exposing credentials in code.

Difference between AWS Secrets Manager and AWS Systems Manager Parameter Store

Both services can hold secrets, but there are key differences:

  • Parameter Store: standard parameters are free and SecureString parameters are encrypted with KMS, which makes it fine for configuration values and less-sensitive data. It has no built-in rotation, and standard parameters are limited to 4 KB.

  • Secrets Manager: charged per secret per month and per API call; purpose-built for sensitive credentials, with scheduled rotation, a resource policy on each secret, cross-account access, cross-Region replication, and values up to 64 KB. Applications that already read Parameter Store can fetch a Secrets Manager secret through the /aws/reference/secretsmanager/ path prefix.

Think of Parameter Store as a general-purpose config manager and Secrets Manager as a specialized vault for sensitive secrets.

Final Thoughts

As DevOps engineers, we constantly balance automation, speed, and security. While CloudFormation (yesterday’s learning) ensures our infrastructure is provisioned consistently as code, AWS Secrets Manager ensures our applications remain secure by design, protecting the keys to our systems.

Using both together, CloudFormation for provisioning and Secrets Manager for securing sensitive data, builds a strong foundation for scalable, reliable, and secure cloud operations. CloudFormation can even consume a secret at deploy time without the value ever appearing in the template, through a dynamic reference such as {{resolve:secretsmanager:prod/db:SecretString:password}} (the secret name here is only an illustration).
