Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1.4. Managing Build & Deployment Secrets (Secrets Manager, Parameter Store)

Hardcoded secrets in source code are one of the most common causes of credential leaks, and a secret that has been committed stays in Git history even after the line is deleted, so it has to be rotated, not just removed. AWS provides two services for keeping secrets out of code, and the exam heavily tests when to use each.

AWS Secrets Manager stores and automatically rotates database credentials, API keys, and OAuth tokens. Rotation is driven by a Lambda function that updates both the secret value and the target service (rotating an RDS password updates both Secrets Manager and the database). AWS supplies rotation function templates for RDS, Redshift and DocumentDB; for anything else you write the Lambda yourself. Rotation is versioned (AWSCURRENT, AWSPENDING, AWSPREVIOUS), so consumers should fetch the secret at startup or use time and re-fetch on an authentication failure rather than baking it into an image. Secrets Manager costs $0.40 per secret per month plus a small charge per API call.

AWS Systems Manager Parameter Store stores configuration values and secrets in a hierarchical namespace (e.g., /prod/db/password). Standard parameters are free (up to 10,000 per account and Region, 4 KB each); the advanced tier costs extra and raises those limits. The SecureString type encrypts the value with KMS, and a reader must request decryption explicitly (WithDecryption) and hold kms:Decrypt on the key to get the plaintext. Parameter Store does not support automatic rotation, so you must build your own rotation logic (for example a scheduled Lambda that writes a new value and updates the consumer).

Accessing secrets in CodeBuild (buildspec.yml; the build project's service role needs secretsmanager:GetSecretValue for the secret, ssm:GetParameters for the parameters and kms:Decrypt for SecureString parameters under a customer managed key):
version: 0.2
env:
  secrets-manager:
    DB_PASS: prod/mydb:password    # Secrets Manager: secret-id:json-key[:version-stage[:version-id]]
  parameter-store:
    API_URL: /prod/api/endpoint     # Parameter Store: parameter name; SecureString values are decrypted for you
phases:
  build:
    commands:
      - ./deploy.sh                 # hypothetical script; never echo $DB_PASS, it would land in the build logs
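
What CodeBuild does with those env entries, written out as a script you can run locally so a developer gets the same DB_PASS and API_URL outside the pipeline. This is an added example, not code from this page or from AWS: the two stub clients, the secret and parameter names, the values and the demo() helper are constructed for an offline run, and the ARN-splitting rule in parse_secret_ref is this script's own assumption rather than a documented CodeBuild behaviour. Replace the stubs with boto3.client("secretsmanager") and boto3.client("ssm") to resolve against a real account.

```python
"""Resolve a buildspec env section the way CodeBuild does, so a local build gets the
same variables from Secrets Manager and Parameter Store.  Added example for this page,
not MindMesh or AWS code; the stub clients and every secret/parameter name and value are
constructed.  Pass boto3.client("secretsmanager") / boto3.client("ssm") for real use."""
import json
from typing import Any, Dict, List, Mapping, Optional


def parse_secret_ref(ref: str) -> Dict[str, str]:
    """secret-id[:json-key[:version-stage[:version-id]]].  An ARN secret-id has its own
    colons, so an 'arn:' prefix is read as the seven-field ARN format (this parser's
    assumption, not a documented CodeBuild rule)."""
    parts = ref.split(":")
    if parts[0] == "arn":
        if len(parts) < 7:
            raise ValueError(f"truncated ARN in reference: {ref!r}")
        parts = [":".join(parts[:7])] + parts[7:]
    if not parts[0] or len(parts) > 4:
        raise ValueError(f"malformed secrets-manager reference: {ref!r}")
    parts += [""] * (4 - len(parts))
    return dict(zip(("secret_id", "json_key", "version_stage", "version_id"), parts))


def resolve_env(env: Mapping[str, Mapping[str, str]], sm: Any, ssm: Any) -> Dict[str, str]:
    """Map VAR -> plaintext for env.secrets-manager and env.parameter-store entries,
    failing loudly on a missing secret, JSON key or parameter."""
    out: Dict[str, str] = {}
    for var, ref in env.get("secrets-manager", {}).items():
        r = parse_secret_ref(ref)
        kwargs = {"SecretId": r["secret_id"]}
        if r["version_stage"]:
            kwargs["VersionStage"] = r["version_stage"]
        if r["version_id"]:
            kwargs["VersionId"] = r["version_id"]
        value = sm.get_secret_value(**kwargs)["SecretString"]
        if r["json_key"]:  # one field of a JSON secret; otherwise the whole string is used
            try:
                value = json.loads(value)[r["json_key"]]
            except (ValueError, KeyError, TypeError) as exc:
                raise KeyError(f"{var}: {r['secret_id']} has no JSON key {r['json_key']!r}") from exc
        out[var] = str(value)

    names = env.get("parameter-store", {})
    wanted: List[str] = list(names.values())
    by_name: Dict[str, str] = {}
    for i in range(0, len(wanted), 10):  # GetParameters accepts at most 10 names per call
        resp = ssm.get_parameters(Names=wanted[i:i + 10], WithDecryption=True)
        if resp.get("InvalidParameters"):
            raise KeyError(f"parameters not found: {resp['InvalidParameters']}")
        by_name.update({p["Name"]: p["Value"] for p in resp["Parameters"]})
    for var, name in names.items():
        out[var] = by_name[name]
    return out


class StubSecretsManager:
    """Constructed offline stand-in for the boto3 secretsmanager client."""

    def __init__(self, secrets: Mapping[str, Mapping[str, str]]):
        self._secrets = secrets  # secret-id -> {version-stage -> SecretString}

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT",
                         VersionId: Optional[str] = None) -> Dict[str, str]:
        if VersionId is not None:
            raise NotImplementedError("stub models version stages only")
        return {"SecretString": self._secrets[SecretId][VersionStage]}  # KeyError ~ ResourceNotFound


class StubSSM:
    """Constructed offline stand-in for the boto3 ssm client.  Like the real GetParameters
    it hands back ciphertext for a SecureString unless WithDecryption=True."""

    def __init__(self, params: Mapping[str, tuple]):
        self._params = params  # name -> (Type, plaintext)

    def get_parameters(self, Names: List[str], WithDecryption: bool = False) -> dict:
        found, missing = [], []
        for name in Names:
            if name not in self._params:
                missing.append(name)
                continue
            ptype, value = self._params[name]
            if ptype == "SecureString" and not WithDecryption:
                value = "AQICAHh...<kms ciphertext>"  # constructed placeholder
            found.append({"Name": name, "Type": ptype, "Value": value})
        return {"Parameters": found, "InvalidParameters": missing}


# Constructed sample data mirroring the buildspec on this page.
SAMPLE_SECRETS = {
    "prod/mydb": {"AWSCURRENT": json.dumps({"username": "app", "password": "s3cr3t-current"}),
                  "AWSPREVIOUS": json.dumps({"username": "app", "password": "s3cr3t-old"})},
    "prod/api-token": {"AWSCURRENT": "tok-not-json"},
}
SAMPLE_PARAMS = {"/prod/api/endpoint": ("String", "https://api.example.internal"),
                 "/prod/db/password": ("SecureString", "belongs-in-secrets-manager")}
SAMPLE_ENV = {
    "secrets-manager": {"DB_PASS": "prod/mydb:password",
                        "DB_PASS_PREV": "prod/mydb:password:AWSPREVIOUS",
                        "API_TOKEN": "prod/api-token"},
    "parameter-store": {"API_URL": "/prod/api/endpoint", "LEGACY_PASS": "/prod/db/password"},
}


def demo() -> Dict[str, str]:
    """Resolve SAMPLE_ENV against the stubs (DB_PASS comes back as 's3cr3t-current')."""
    return resolve_env(SAMPLE_ENV, StubSecretsManager(SAMPLE_SECRETS), StubSSM(SAMPLE_PARAMS))
```

The JSON-key lookup is the part that trips people up: prod/mydb:password pulls one field out of a JSON SecretString, while a reference with no key returns the whole string. The stub SSM client also reproduces the real GetParameters behaviour of returning ciphertext for a SecureString when WithDecryption is left off, a common cause of "the password is garbage" bugs in scripts that bypass CodeBuild.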
Accessing secrets in CloudFormation (a dynamic reference that CloudFormation resolves at stack create/update time; without a version stage it resolves to AWSCURRENT, and the password itself never sits in the template):
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: '{{resolve:secretsmanager:prod/mydb:SecretString:password}}'
The Parameter Store counterpart is the ssm-secure dynamic reference for SecureString parameters, which CloudFormation supports only on a limited set of resource properties; the plain ssm reference is for non-sensitive String parameters. In both cases the identity running the stack operation (your credentials or the stack's service role) needs read access to the secret or parameter, because that is what performs the resolution.

Exam Trap: Both services integrate with KMS, but the defaults differ. Secrets Manager always encrypts, with the AWS-managed key aws/secretsmanager unless you specify a customer managed key. Parameter Store encrypts only SecureString parameters, and those use the AWS-managed key aws/ssm by default (a customer managed key is optional, not required); String and StringList parameters are stored in plaintext and readable by anyone with ssm:GetParameter.
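
A check that follows from the trap above: list the parameters under a path and flag any credential-looking name stored as a String or StringList, plus (optionally) SecureStrings still on the default aws/ssm key. This is an added example, not code from this page or from AWS. It consumes the ParameterMetadata shape (Name, Type, KeyId) that DescribeParameters returns; the SECRET_HINT pattern, the key alias names and the SAMPLE_PARAMETERS list are constructed, and describe_all needs a real boto3 ssm client, so it is not exercised by the offline demo().

```python
"""Flag Parameter Store parameters that hold secrets as plaintext String values, and
SecureStrings still on the AWS-managed aws/ssm key.  Added example for this page, not
MindMesh or AWS code.  Input is the ParameterMetadata shape from DescribeParameters
(Name, Type, KeyId); the sample list below is constructed."""
import re
from typing import Any, Dict, Iterable, List

# Name fragments that usually mean "this value is a credential" (heuristic; tune per org).
SECRET_HINT = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)
AWS_MANAGED_SSM_KEY = "alias/aws/ssm"  # what a SecureString uses when no KeyId is given


def audit_parameters(params: Iterable[Dict[str, Any]], require_cmk: bool = False) -> List[Dict[str, str]]:
    """Return one finding per risky parameter, HIGH severity first."""
    findings = []
    for p in params:
        name, ptype = p["Name"], p.get("Type", "String")
        if SECRET_HINT.search(name) and ptype != "SecureString":
            findings.append({"name": name, "severity": "HIGH",
                             "issue": f"credential-like name stored as {ptype}: plaintext at rest, "
                                      "readable with ssm:GetParameter alone, no kms:Decrypt needed"})
        elif ptype == "SecureString" and require_cmk and p.get("KeyId", AWS_MANAGED_SSM_KEY) == AWS_MANAGED_SSM_KEY:
            findings.append({"name": name, "severity": "MEDIUM",
                             "issue": "SecureString on the AWS-managed aws/ssm key; a customer managed "
                                      "key lets you restrict who may decrypt through the key policy"})
    return sorted(findings, key=lambda f: f["severity"] != "HIGH")


def describe_all(ssm_client: Any, path: str) -> List[Dict[str, Any]]:
    """Page through DescribeParameters under a path prefix (needs a real boto3 ssm client)."""
    out: List[Dict[str, Any]] = []
    paginator = ssm_client.get_paginator("describe_parameters")
    for page in paginator.paginate(ParameterFilters=[{"Key": "Path", "Option": "Recursive", "Values": [path]}]):
        out.extend(page["Parameters"])
    return out


# Constructed sample in the DescribeParameters shape.
SAMPLE_PARAMETERS = [
    {"Name": "/prod/api/endpoint", "Type": "String"},
    {"Name": "/prod/db/password", "Type": "String"},                                  # plaintext secret
    {"Name": "/prod/github/token", "Type": "SecureString", "KeyId": "alias/aws/ssm"},  # default key
    {"Name": "/prod/stripe/api_key", "Type": "SecureString", "KeyId": "alias/prod-params"},
    {"Name": "/prod/feature/flags", "Type": "StringList"},
]


def demo(require_cmk: bool = True) -> List[str]:
    """Names of flagged parameters in the sample, worst first."""
    return [f["name"] for f in audit_parameters(SAMPLE_PARAMETERS, require_cmk)]
```

Run it as a periodic job or a pre-deploy gate: a HIGH finding means a value that should have been a SecureString (or, if it needs rotation, a Secrets Manager secret) is sitting in plaintext, and the fix is to recreate it with the right type, since Parameter Store cannot change a parameter's type in place.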

Written by Alvin Varughese, Founder, 15 professional certifications