Security

AWS Secrets Manager - Automatic Rotation and Application Integration

Automatically rotate RDS and Aurora passwords with Lambda functions and seamlessly retrieve secrets from applications using the SDK caching library. Also covers when to use Parameter Store instead.

約 4 分で読めます

Secrets Manager vs Systems Manager Parameter Store

Secrets Manager is a service for securely storing and managing sensitive information such as database passwords, API keys, and OAuth tokens. The biggest difference from the similar Systems Manager Parameter Store (SecureString) is the availability of automatic rotation. Secrets Manager provides a built-in mechanism for automatically rotating passwords for RDS, Aurora, Redshift, and DocumentDB using Lambda functions. Parameter Store is better suited for managing configuration values and feature flags, and offers a larger free tier compared to Secrets Manager's 0.40 USD per secret per month. The common approach is to use Secrets Manager for credentials that require automatic rotation and Parameter Store for other configuration values.

How Automatic Rotation Works

Automatic rotation is a mechanism where a Lambda function periodically updates the secret value. For RDS and Aurora, you can use AWS-provided Lambda rotation templates. Rotation executes in four steps: createSecret generates a new password, setSecret updates the database password, testSecret verifies connectivity with the new password, and finishSecret switches the secret's version label. Rotation intervals can be set from 1 to 365 days, with 30 or 90 days being common depending on security policy. To prevent downtime during rotation, the alternating users strategy (alternating between two database users) is recommended.

Retrieval Patterns from Applications

The basic pattern for retrieving secrets from applications is using the AWS SDK's GetSecretValue API. In Lambda functions, retrieve the secret during the initialization phase and cache it in a global variable to avoid API calls on every request. AWS-provided caching libraries (aws-secretsmanager-caching for Python, aws-secretsmanager-jdbc for Java) include TTL-based caching and automatic refresh during rotation. For ECS tasks, specifying the Secrets Manager ARN in the task definition's secrets field automatically injects the value as an environment variable at container startup. In CloudFormation templates, use dynamic references ({{resolve:secretsmanager:MySecret}}) to reference secrets without embedding their values directly in the template. For more on password management, you can also explore related books on Amazon.

Secrets Manager Pricing

Secrets Manager pricing consists of approximately 0.40 USD per secret per month and approximately 0.05 USD per 10,000 API calls. Lambda function execution costs for automatic rotation also apply, but given the rotation frequency (every 30-90 days), these are minimal. While more expensive than Parameter Store's SecureString (standard parameters are free), the value of automatic rotation should be factored into the decision. Use the Lambda caching library to reduce API call volume and optimize costs.

Summary

Secrets Manager is a service that automates the lifecycle management of credentials. By enforcing periodic password updates through automatic rotation, controlling access with IAM policies, and encrypting with KMS, it reduces the risk of credential leakage through multiple layers of defense. It eliminates the practice of embedding passwords in code or repositories and enables security best practices to be applied across the entire organization.

Related Services

AWS Secrets ManagerSecurely manage and automatically rotate database passwords and API keysAWS LambdaA serverless compute service that runs code without server managementAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt data

Related Articles

Building a Private PKI with AWS Private CA - Automated Certificate Issuance and RotationBuild a private certificate authority and automatically issue mTLS certificates for internal service-to-service communication. Learn about certificate lifecycle management and CRL design.AWS Secrets Manager Multi-Region Strategy - Replication and Cross-Account SharingLearn how to achieve disaster recovery with multi-region replication and build centralized management from a security account using cross-account access.Managing Configuration and Secrets with AWS Systems Manager Parameter Store - Hierarchical Structure and EncryptionLearn how to manage configuration values and secrets with Parameter Store, design hierarchical parameter structures, and choose between Parameter Store and Secrets Manager.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

AWS Secrets ManagerA service for securely storing, retrieving, and automatically rotating secrets such as database passwords and API keys, eliminating hard-coded credentialsAWS Secrets Manager Multi-Region Strategy - Replication and Cross-Account SharingLearn how to achieve disaster recovery with multi-region replication and build centralized management from a security account using cross-account access.Managing Configuration and Secrets with AWS Systems Manager Parameter Store - Hierarchical Structure and EncryptionLearn how to manage configuration values and secrets with Parameter Store, design hierarchical parameter structures, and choose between Parameter Store and Secrets Manager.AWS Systems ManagerA service that centralizes operational management of EC2 instances and on-premises servers, enabling patch application, command execution, parameter management, and session connections securely without SSH