AWS Secrets Manager
A service for securely storing, retrieving, and automatically rotating secrets such as database passwords and API keys, eliminating hard-coded credentials
Overview
AWS Secrets Manager is a managed service for storing the secrets that applications need (database passwords, API keys, OAuth tokens, and similar) and retrieving them programmatically, so that they never have to be committed to source code or baked into configuration files. Secret values are encrypted at rest with an AWS KMS key (the AWS-managed key by default, or a customer-managed key you choose), and access is controlled through IAM identity policies and, optionally, a resource policy attached to the secret itself, which is also how cross-account access is granted. Every API call, including GetSecretValue, is recorded in CloudTrail, which is the audit trail to watch for unexpected reads. Its standout feature is automatic rotation: on a schedule, Secrets Manager invokes a Lambda function that changes the password for RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB), Redshift, and DocumentDB and stores the new value. The rotation interval was originally configurable from 1 to 365 days; schedule expressions now also allow rotation as often as every four hours.
How Automatic Rotation Works
Secrets Manager's automatic rotation is performed by a Lambda function that is invoked once per step, with an event carrying the secret ID, a ClientRequestToken (which becomes the ID of the new secret version), and the step name. The createSecret step generates a new password and stores it as a new version of the secret carrying the AWSPENDING staging label; because Secrets Manager retries failed steps with the same token, this step must be idempotent and must not generate a second password if a pending version for that token already exists. The setSecret step changes the password in the database to the pending value. The testSecret step verifies that the pending credentials can actually log in to the database. The finishSecret step moves the AWSCURRENT label to the new version, so the version that was current becomes AWSPREVIOUS and the AWSPENDING label is removed; until this step completes, applications that read the secret still get the old value. For RDS, AWS provides rotation function templates, so you don't need to write custom code, but the function still has to run somewhere it can reach the database (typically inside the database's VPC) and also reach the Secrets Manager endpoint (via a VPC endpoint or NAT). With the single-user strategy there is a short window between setSecret and finishSecret in which a client that fetches the secret receives a password the database no longer accepts, so clients should handle an authentication failure by re-reading the secret. To avoid that window, the alternating-users strategy keeps two database users with identical privileges: each rotation changes the password of the user that is not in use (using a separate admin secret) and then switches the application to it, so connections opened under the other user keep working.
Choosing Between Secrets Manager and Parameter Store
Secrets Manager and Systems Manager Parameter Store can both store secrets, but they serve different purposes. Secrets Manager is the right home for credentials that need automatic rotation (database passwords, API keys) or that must be shared across accounts through a resource policy. Pricing is $0.40 per secret per month plus $0.05 per 10,000 API calls. Parameter Store's SecureString type also encrypts values with KMS and is suited to configuration values and secrets that don't need rotation; it has no built-in rotation, so anything stored there is rotated only if you build the process yourself. Standard parameters are free for up to 10,000 per account per Region, and advanced parameters are paid but cheaper per entry than a Secrets Manager secret. In practice, a common pattern is to use Secrets Manager with automatic rotation for RDS passwords and Parameter Store for environment variables and configuration values. The Azure equivalent is Azure Key Vault, which provides similar secret storage and rotation capabilities.
Practical Use Cases
The most important use of Secrets Manager is eliminating hard-coded credentials from source code. Applications call the Secrets Manager API at startup to retrieve secrets and keep them only in memory, caching the value rather than calling GetSecretValue on every request, and re-reading the secret when a cached credential is rejected, since a rotation may have happened since the last fetch. In ECS task definitions, the secrets section of a container definition takes a Secrets Manager ARN in valueFrom, and the secret is injected as an environment variable when the container starts; because injection happens at start time, a running task keeps the old value until it is restarted. Lambda has no built-in injection of Secrets Manager values into environment variables; a Lambda function reads the secret with the SDK or through the AWS Parameters and Secrets Lambda Extension, which caches it locally. In CloudFormation templates, dynamic references ({{resolve:secretsmanager:secret-id:SecretString:json-key}}) let you pass a secret value into a resource property without writing it into the template; the value is resolved when the stack is created or updated, so a rotated secret is not picked up until the next stack update, and it should not be passed into properties that are stored or displayed in plaintext.
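The startup-fetch pattern above, with the two details a long-running process needs once rotation is enabled (a cache with a TTL, and a forced refresh when the cached credential is rejected), as an added example that is not code from the original page. FakeSecretsClient stands in for boto3.client("secretsmanager") and returns the same response shape as get_secret_value; SecretCache, connect_with_retry and the clock parameter are this example's own names, and the sample secret and database are constructed inline:

```python
import json
import time


class FakeSecretsClient:
    """Offline stand-in for boto3's Secrets Manager client (assumption, not the AWS SDK)."""

    def __init__(self, secret_id, value):
        self.secret_id = secret_id
        self.value = dict(value)   # the AWSCURRENT version's fields
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId != self.secret_id:
            raise KeyError("ResourceNotFoundException: %s" % SecretId)
        # Without VersionStage/VersionId, the AWSCURRENT version is returned,
        # with the value in SecretString (RDS secrets store a JSON object there).
        return {"Name": SecretId, "SecretString": json.dumps(self.value),
                "VersionStages": ["AWSCURRENT"]}


class SecretCache:
    """Holds one secret in memory and re-reads it after ttl_seconds or on demand."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for deterministic tests
        self._value = None
        self._fetched_at = None

    def get(self, force=False):
        now = self._clock()
        expired = self._fetched_at is None or now - self._fetched_at >= self._ttl
        if force or expired:
            response = self._client.get_secret_value(SecretId=self._secret_id)
            self._value = json.loads(response["SecretString"])
            self._fetched_at = now
        return self._value


def connect_with_retry(cache, connect):
    """Connect with the cached credential; on an auth failure, refetch once and retry.

    `connect(username, password)` is whatever DB driver call the app uses; it
    must raise PermissionError on an authentication failure (assumption)."""
    creds = cache.get()
    try:
        return connect(creds["username"], creds["password"])
    except PermissionError:
        # The database was probably rotated since we last read the secret.
        creds = cache.get(force=True)
        return connect(creds["username"], creds["password"])


if __name__ == "__main__":
    # Constructed sample: one secret, and a database whose password has just
    # been rotated to a value the cache has not seen yet.
    client = FakeSecretsClient("prod/app/db", {"username": "app", "password": "p1"})
    cache = SecretCache(client, "prod/app/db")
    cache.get()                       # startup fetch, caches p1
    client.value["password"] = "p2"   # rotation finished after the fetch
    live_db = {"app": "p2"}

    def connect(username, password):
        if live_db.get(username) != password:
            raise PermissionError("authentication failed")
        return "connection(%s)" % username

    print(connect_with_retry(cache, connect), "after", client.calls, "API calls")
```

In production, replace FakeSecretsClient with boto3.client("secretsmanager") and keep everything else; the cache limits API cost (the $0.05 per 10,000 calls adds up for per-request fetches) and the forced refresh is what makes automatic rotation invisible to the application. Never log the decoded SecretString.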