
AWS Secrets Manager and Parameter Store

1. AWS Secrets Manager and Parameter Store

Welcome back! In this video, you'll learn why you should never hardcode secrets, how to use AWS Secrets Manager for automatic credential rotation, and when to use Parameter Store for configuration management. Let's dive in.

2. The hardcoded password disaster

A developer hardcoded a database password in Python code and pushed it to GitHub. Within 12 minutes, an automated bot found it, accessed the database, and wiped everything. The ransom was $50,000 in Bitcoin. Hardcoded secrets are security disasters. The solution is to use AWS Secrets Manager and Parameter Store, which store secrets securely, encrypt them with KMS, and enable automatic rotation.

3. Why never hardcode secrets

Never hardcode secrets in source code, config files, or environment variables. Once committed to version control, secrets are nearly impossible to remove completely: they remain in Git history. Hardcoded secrets can't be rotated without code changes and deployments. You have no audit trail of who accessed them. Use dedicated secret management services instead.

4. AWS Secrets Manager overview

Secrets Manager's purpose is to store and rotate credentials automatically. What should you store? Database passwords, API keys, and OAuth tokens. The key features are automatic rotation so passwords update without manual work, KMS encryption to protect secrets at rest, and audit logging through CloudTrail so you know who accessed what and when.

5. Secrets Manager automatic rotation

Automatic rotation uses a Lambda function to create a new password, update the database, and update the secret. You configure a rotation window, similar to a maintenance window, using rate expressions like every 30 days or cron expressions for specific times. During rotation, both old and new passwords work, so there is zero downtime. AWS provides pre-built rotation functions for RDS, Aurora, DocumentDB, and Redshift.

6. Storing secrets in JSON format

Store database credentials as JSON with username, password, host, and port in one secret. This keeps related values together and simplifies retrieval. Your application calls the GetSecretValue API (for example through boto3 in Python), parses the JSON, and extracts the values. This is more maintainable than separate secrets for each credential component.
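The retrieval step described above, as an added example that is not part of the original video: the secret name prod/app/db, the ARN and the credential values in SAMPLE_RESPONSE are constructed, and get_db_credentials is the only function that needs boto3 and live AWS credentials. parse_db_secret handles both SecretString and SecretBinary responses and refuses a secret that is missing a required key, so a mis-shaped secret fails at startup rather than at the first database call.

```python
"""Read a JSON-formatted database secret from AWS Secrets Manager.

Added example for this section; it is not code from the original video.
The secret name 'prod/app/db' and the sample values below are constructed.
"""
import base64
import json
from typing import Any, Dict

# Keys the application expects inside the secret's JSON document.
REQUIRED_KEYS = ("username", "password", "host", "port")


def parse_db_secret(response: Dict[str, Any]) -> Dict[str, Any]:
    """Turn a GetSecretValue response into a validated credentials dict.

    Secrets Manager returns either SecretString (text) or SecretBinary.
    boto3 hands SecretBinary back as raw bytes; the plain JSON API returns
    it base64-encoded, so both shapes are accepted here.
    """
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        blob = response["SecretBinary"]
        if isinstance(blob, str):          # base64 text from the raw JSON API
            blob = base64.b64decode(blob)
        raw = blob.decode("utf-8")
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")

    try:
        secret = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("secret payload is not valid JSON") from exc

    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise ValueError(f"secret is missing keys: {', '.join(missing)}")

    secret["port"] = int(secret["port"])   # stored as text, used as a number
    return secret


def connection_string(creds: Dict[str, Any], dbname: str) -> str:
    """Build a PostgreSQL-style DSN from the parsed credentials."""
    return (f"postgresql://{creds['username']}:{creds['password']}"
            f"@{creds['host']}:{creds['port']}/{dbname}")


def redacted(creds: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the credentials that is safe to write to a log."""
    return {k: ("***" if k == "password" else v) for k, v in creds.items()}


def get_db_credentials(secret_id: str, region: str = "us-east-1") -> Dict[str, Any]:
    """Fetch and parse the secret with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the parsing logic above runs offline

    client = boto3.client("secretsmanager", region_name=region)
    return parse_db_secret(client.get_secret_value(SecretId=secret_id))


# Constructed sample of what GetSecretValue returns for a JSON secret.
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf",
    "Name": "prod/app/db",
    "SecretString": json.dumps({
        "username": "app_user",
        "password": "example-not-a-real-password",
        "host": "db.example.internal",
        "port": "5432",
    }),
}

if __name__ == "__main__":
    creds = parse_db_secret(SAMPLE_RESPONSE)
    print(redacted(creds))
```

In production, call get_db_credentials once at startup and cache the result; re-fetch on an authentication failure, which is the signal that rotation has moved the secret on.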

7. Parameter Store overview

Parameter Store is part of Systems Manager, perfect for configuration data and static secrets without rotation. Organize parameters hierarchically like a file system: /app/prod/db/password, /app/dev/api-key. SecureString parameters are encrypted with KMS. The big advantage is that it's free for up to 10,000 standard parameters with 4 KB max size. Advanced parameters support 8 KB but incur costs.

8. Parameter Store parameter types

Parameter Store has three types. String for plain text like feature flags or endpoints. StringList for comma-separated values like allowed IP addresses. SecureString for sensitive data, encrypted with KMS at rest. Always use SecureString for passwords, API keys, and any sensitive configuration. Standard parameters support up to 4 KB, advanced parameters up to 8 KB.
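The hierarchical layout and the three parameter types from the last two sections, as an added example that is not part of the original video: the parameter names under /app/prod/ and the values are constructed, and FakeSSMClient is a stand-in that mimics boto3's get_parameters_by_path (including its NextToken pagination and WithDecryption behaviour) so the loader runs offline; in a real deployment pass boto3.client("ssm") instead. The loader follows pagination to the end, splits StringList values into Python lists, and remembers which keys came from SecureString parameters so they can be redacted before logging.

```python
"""Load a Parameter Store hierarchy into a config dict.

Added example for this section; not code from the original video. The
parameters under '/app/prod/' and FakeSSMClient are constructed so the
loader can be exercised offline.
"""
from typing import Any, Dict, List, Set, Tuple


def load_config(client, path: str) -> Tuple[Dict[str, Any], Set[str]]:
    """Fetch every parameter below `path`, decrypting SecureStrings.

    Returns (config, secure_keys): config maps the name relative to `path`
    to its value ('/app/prod/db/host' -> 'db/host'), and secure_keys lists
    the keys that came from SecureString parameters. GetParametersByPath
    returns at most 10 results per call, so NextToken is followed.
    """
    prefix = path.rstrip("/") + "/"
    config: Dict[str, Any] = {}
    secure_keys: Set[str] = set()
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        page = client.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            key = p["Name"][len(prefix):]
            value = p["Value"]
            if p["Type"] == "StringList":
                value = [v.strip() for v in value.split(",") if v.strip()]
            elif p["Type"] == "SecureString":
                secure_keys.add(key)
            config[key] = value
        token = page.get("NextToken")
        if not token:
            return config, secure_keys
        kwargs["NextToken"] = token


def log_safe(config: Dict[str, Any], secure_keys: Set[str]) -> Dict[str, Any]:
    """Copy of the config with SecureString values masked for logging."""
    return {k: ("***" if k in secure_keys else v) for k, v in config.items()}


class FakeSSMClient:
    """Minimal stand-in for boto3's SSM client (constructed for this example)."""
    PAGE_SIZE = 2  # small page size so pagination is actually exercised

    def __init__(self, parameters: List[Dict[str, str]]):
        self._params = parameters

    def get_parameters_by_path(self, Path, Recursive=False,
                               WithDecryption=False, NextToken=None, **_):
        matching = [p for p in self._params if p["Name"].startswith(Path)
                    and (Recursive or "/" not in p["Name"][len(Path):])]
        start = int(NextToken or 0)
        page = []
        for p in matching[start:start + self.PAGE_SIZE]:
            if p["Type"] == "SecureString" and not WithDecryption:
                p = dict(p, Value="<ciphertext>")  # what the API returns undecrypted
            page.append(dict(p))
        result = {"Parameters": page}
        if start + self.PAGE_SIZE < len(matching):
            result["NextToken"] = str(start + self.PAGE_SIZE)
        return result


# Constructed parameters following the /app/<env>/... hierarchy.
SAMPLE_PARAMETERS = [
    {"Name": "/app/prod/db/host", "Type": "String", "Value": "db.example.internal"},
    {"Name": "/app/prod/db/port", "Type": "String", "Value": "5432"},
    {"Name": "/app/prod/db/password", "Type": "SecureString",
     "Value": "example-not-a-real-password"},
    {"Name": "/app/prod/allowed-ips", "Type": "StringList", "Value": "10.0.0.5, 10.0.0.6"},
    {"Name": "/app/prod/features/dark-mode", "Type": "String", "Value": "true"},
    {"Name": "/app/dev/db/host", "Type": "String", "Value": "dev-db.example.internal"},
]

if __name__ == "__main__":
    cfg, secure = load_config(FakeSSMClient(SAMPLE_PARAMETERS), "/app/prod")
    print(log_safe(cfg, secure))
```

Scoping the path to one environment is what keeps /app/dev values out of a production process; the IAM policy for the application's role should grant ssm:GetParametersByPath on that same prefix only, so the code and the permissions agree.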

9. Secrets Manager vs Parameter Store decision guide

Use Secrets Manager for database credentials needing rotation: worth $0.40 monthly. Use Parameter Store for static configuration, feature flags, and non-rotating secrets: it's free. Many applications use both: Secrets Manager for rotating database credentials, Parameter Store for everything else. Choose based on rotation needs and budget.

10. Let's practice!

Now it's time to practice. Complete the exercises to master secret management with AWS Secrets Manager and Parameter Store.
