AWS Secrets Manager Overview

Questions and Answers

Which of these options are NOT a method for storing and retrieving secrets using AWS Secrets Manager?

AWS Lambda (correct)

AWS CloudFormation

AWS SDK

AWS CLI

What is the primary benefit of using VPC endpoints for accessing Secrets Manager?

Reduced latency by caching secrets locally

Enhanced auditing and monitoring capabilities

Simplified access control for secrets

Improved security by keeping traffic within the AWS network (correct)

How does Secrets Manager enable auditing and monitoring of secrets?

By integrating with AWS logging, monitoring, and notification services (correct)

By providing a dedicated audit log for all secret operations

By using encryption to protect secrets from unauthorized access

By integrating with AWS IAM for access control

What is the purpose of client-side caching libraries for Secrets Manager?

To improve the availability and reduce the latency of using secrets Signup and view all the answers

What is the primary mechanism for retrieving secrets from Secrets Manager in applications?

Replacing plaintext secrets with code that programmatically pulls secrets using Secrets Manager APIs Signup and view all the answers

What is the primary purpose of AWS Secrets Manager?

To store and manage secrets needed to access applications and resources Signup and view all the answers

How do users and applications retrieve secrets from Secrets Manager?

With a call to Secrets Manager APIs Signup and view all the answers

What type of secrets does Secrets Manager offer built-in integration for?

Amazon RDS, Amazon Redshift, and Amazon DocumentDB Signup and view all the answers

How does Secrets Manager encrypt secrets at rest?

Using encryption keys that you own and store in AWS Key Management Service (KMS) Signup and view all the answers

What happens when you retrieve a secret from Secrets Manager?

The secret is decrypted and transmitted securely over TLS Signup and view all the answers

How can you control access to secrets in Secrets Manager?

Using fine-grained IAM policies Signup and view all the answers

How can you rotate secrets in Secrets Manager?

On a schedule or on demand Signup and view all the answers

What is the extension capability of Secrets Manager?

Extensible to other types of secrets Signup and view all the answers

Which feature of AWS Secrets Manager can help to improve the performance of applications retrieving secrets?

Client-side caching libraries Signup and view all the answers

What role do VPC endpoints play in the context of AWS Secrets Manager?

They keep traffic between your VPC and Secrets Manager within the AWS network. Signup and view all the answers

Which mechanism does AWS Secrets Manager use to facilitate programmatic retrieval of secrets in applications?

Secrets Manager APIs Signup and view all the answers

Which of the following does AWS Secrets Manager enable for monitoring and auditing secrets?

Integration with AWS logging and monitoring services Signup and view all the answers

Which component is essential for securely managing secrets in a cloud environment according to AWS Secrets Manager?

Centralized secret management and access control Signup and view all the answers

Which feature allows AWS Secrets Manager to support the rotation of secrets?

Scheduled or on-demand rotation functionality Signup and view all the answers

What type of encryption does AWS Secrets Manager use to secure secrets at rest?

Symmetric encryption with user-generated keys Signup and view all the answers

Which of the following statements about Secrets Manager's retrieval process is correct?

Secrets are decrypted and sent securely using TLS Signup and view all the answers

How does AWS Secrets Manager handle access control?

Using fine-grained IAM policies and resource-based policies Signup and view all the answers

Which APIs are used by users and applications to interact with AWS Secrets Manager?

Secrets Manager APIs Signup and view all the answers

Which service does AWS Secrets Manager provide built-in integration for when rotating secrets?

Amazon DocumentDB Signup and view all the answers

What can be done to extend the capabilities of AWS Secrets Manager for secret rotation?

Change sample Lambda functions Signup and view all the answers

What permissions are used to control access to individual secrets in AWS Secrets Manager?

Tag-based access controls Signup and view all the answers

Study Notes

Overview of AWS Secrets Manager

Protects application, service, and IT resource secrets
Facilitates the rotation, management, and retrieval of database credentials, API keys, and other sensitive information

Secret Retrieval and Security

Users/applications access secrets through Secrets Manager APIs, reducing the risk of hardcoded sensitive data
Secrets are encrypted at rest using AWS Key Management Service (KMS) encryption keys owned by the user
Upon retrieval, secrets are decrypted and transmitted securely over TLS

Secret Rotation and Management

Built-in integration for rotating secrets with Amazon RDS, Amazon Redshift, and Amazon DocumentDB
Supports secret rotation for other types such as API keys and OAuth tokens
Secrets can be rotated on a schedule or on demand through the Secrets Manager console, AWS SDK, or AWS CLI

Access Control

Fine-grained access control using AWS Identity and Access Management (IAM) policies and resource-based policies
Tagging enables individual access control for secrets

Extended Functionality

Can extend to rotate additional secrets via modified Lambda functions
Code samples for API calls available on the Secrets Manager Resources page

Infrastructure Integration

Supports AWS Virtual Private Cloud (VPC) endpoints to enhance security by keeping traffic within the AWS network
Client-side caching libraries improve availability and reduce latency when accessing secrets

Monitoring and Auditing

Integrates with AWS logging, monitoring, and notification services for auditing and monitoring of secrets
No persistent storage for secrets; ensures they are not cached or written to disk