AWS Secrets Manager Overview

Questions and Answers

Which of these options are NOT a method for storing and retrieving secrets using AWS Secrets Manager?

AWS Lambda (correct)

AWS CloudFormation

AWS SDK

AWS CLI

What is the primary benefit of using VPC endpoints for accessing Secrets Manager?

Reduced latency by caching secrets locally

Enhanced auditing and monitoring capabilities

Simplified access control for secrets

Improved security by keeping traffic within the AWS network (correct)

How does Secrets Manager enable auditing and monitoring of secrets?

By integrating with AWS logging, monitoring, and notification services (correct)

By providing a dedicated audit log for all secret operations

By using encryption to protect secrets from unauthorized access

By integrating with AWS IAM for access control

What is the purpose of client-side caching libraries for Secrets Manager?

To improve the availability and reduce the latency of using secrets

What is the primary mechanism for retrieving secrets from Secrets Manager in applications?

Replacing plaintext secrets with code that programmatically pulls secrets using Secrets Manager APIs

What is the primary purpose of AWS Secrets Manager?

To store and manage secrets needed to access applications and resources

How do users and applications retrieve secrets from Secrets Manager?

With a call to Secrets Manager APIs

What type of secrets does Secrets Manager offer built-in integration for?

Amazon RDS, Amazon Redshift, and Amazon DocumentDB

How does Secrets Manager encrypt secrets at rest?

Using encryption keys that you own and store in AWS Key Management Service (KMS)

What happens when you retrieve a secret from Secrets Manager?

The secret is decrypted and transmitted securely over TLS

How can you control access to secrets in Secrets Manager?

Using fine-grained IAM policies

How can you rotate secrets in Secrets Manager?

On a schedule or on demand

What is the extension capability of Secrets Manager?

Extensible to other types of secrets

Which feature of AWS Secrets Manager can help to improve the performance of applications retrieving secrets?

Client-side caching libraries

What role do VPC endpoints play in the context of AWS Secrets Manager?

They keep traffic between your VPC and Secrets Manager within the AWS network.

Which mechanism does AWS Secrets Manager use to facilitate programmatic retrieval of secrets in applications?

Secrets Manager APIs

Which of the following does AWS Secrets Manager enable for monitoring and auditing secrets?

Integration with AWS logging and monitoring services

Which component is essential for securely managing secrets in a cloud environment according to AWS Secrets Manager?

Centralized secret management and access control

Which feature allows AWS Secrets Manager to support the rotation of secrets?

Scheduled or on-demand rotation functionality

What type of encryption does AWS Secrets Manager use to secure secrets at rest?

Symmetric encryption with user-generated keys

Which of the following statements about Secrets Manager's retrieval process is correct?

Secrets are decrypted and sent securely using TLS

How does AWS Secrets Manager handle access control?

Using fine-grained IAM policies and resource-based policies

Which APIs are used by users and applications to interact with AWS Secrets Manager?

Secrets Manager APIs

Which service does AWS Secrets Manager provide built-in integration for when rotating secrets?

Amazon DocumentDB

What can be done to extend the capabilities of AWS Secrets Manager for secret rotation?

Change sample Lambda functions

What permissions are used to control access to individual secrets in AWS Secrets Manager?

Tag-based access controls

Study Notes

Overview of AWS Secrets Manager

• Protects application, service, and IT resource secrets
• Facilitates the rotation, management, and retrieval of database credentials, API keys, and other sensitive information

Secret Retrieval and Security

• Users/applications access secrets through Secrets Manager APIs, reducing the risk of hardcoded sensitive data
• Secrets are encrypted at rest using AWS Key Management Service (KMS) encryption keys owned by the user
• Upon retrieval, secrets are decrypted and transmitted securely over TLS

Secret Rotation and Management

• Built-in integration for rotating secrets with Amazon RDS, Amazon Redshift, and Amazon DocumentDB
• Supports secret rotation for other types such as API keys and OAuth tokens
• Secrets can be rotated on a schedule or on demand through the Secrets Manager console, AWS SDK, or AWS CLI

Access Control

• Fine-grained access control using AWS Identity and Access Management (IAM) policies and resource-based policies
• Tagging enables individual access control for secrets

Extended Functionality

• Can extend to rotate additional secrets via modified Lambda functions
• Code samples for API calls available on the Secrets Manager Resources page

Infrastructure Integration

• Supports AWS Virtual Private Cloud (VPC) endpoints to enhance security by keeping traffic within the AWS network
• Client-side caching libraries improve availability and reduce latency when accessing secrets

Monitoring and Auditing

• Integrates with AWS logging, monitoring, and notification services for auditing and monitoring of secrets
• No persistent storage for secrets; ensures they are not cached or written to disk

AWS Secrets Manager Overview

• Protects secrets necessary for accessing applications, services, and IT resources.
• Facilitates rotation, management, and retrieval of secrets like database credentials and API keys.

Secret Management

• Secrets are retrieved via Secrets Manager APIs, removing the need for hardcoding sensitive information in applications.
• Built-in secret rotation supports Amazon RDS, Amazon Redshift, and Amazon DocumentDB, extendable to other secrets.

Access Control and Security

• Fine-grained permissions control access to secrets, supported by AWS Identity and Access Management (IAM) policies and resource-based policies.
• Secrets are encrypted at rest with keys stored in AWS Key Management Service (KMS) and transmitted securely over TLS.
• Secrets Manager does not cache or write secrets to persistent storage.

Secret Rotation

• Secrets can be rotated on a schedule or on demand using the Secrets Manager console, AWS SDK, or AWS CLI.
• For database password rotation, specify the database type, rotation frequency, and master credentials.
• Natively supports credential rotation for databases hosted on Amazon RDS, Amazon DocumentDB, and Amazon Redshift.
• Extensibility allows modification of sample Lambda functions for rotating other types of secrets.

Integration and Retrieval

• Secrets can be stored and retrieved via AWS Secrets Manager console, AWS SDK, AWS CLI, or AWS CloudFormation.
• Applications can programmatically pull secrets using Secrets Manager APIs, replacing plaintext secrets.

Optimization and Caching

• Amazon Virtual Private Cloud (VPC) endpoints can be configured to keep traffic between VPC and Secrets Manager within AWS infrastructure.
• Client-side caching libraries optimize availability and reduce latency for secret usage.

Auditing and Monitoring

• Integration with AWS logging, monitoring, and notification services enables auditing and monitoring of secrets effectively.

Description

Learn about AWS Secrets Manager, a service that protects and manages sensitive information such as database credentials and API keys, facilitating secure access and rotation. Discover how it reduces the risk of hardcoded sensitive data and ensures encryption at rest.