Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1.4. Managing Build & Deployment Secrets (Secrets Manager, Parameter Store)

First Principle: Avoiding hardcoding secrets and instead using dedicated, secure services for their storage and retrieval enhances the security posture of your CI/CD pipelines.

Securely managing sensitive information such as API keys, database credentials, and tokens during build and deployment processes is critical, and doing so supports the principle of least privilege.

Key Secret Management Services:

  • AWS Secrets Manager: Protects access to applications, services, and IT resources. It enables easy rotation, management, and retrieval of database credentials, API keys, and other secrets throughout their lifecycle, and integrates directly with AWS CodeBuild and AWS CodeDeploy.
  • AWS Systems Manager Parameter Store: Provides secure, hierarchical storage for configuration data and secrets. You can store data such as passwords, database connection strings, and license codes as parameter values. It is suited to non-rotating secrets or configuration data.

Scenario: A CI/CD pipeline needs to access a database during the build and deployment stages. The database credentials are sensitive and should not be stored in the source code or buildspec.yml file.

Reflection Question: How would you use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely manage and retrieve these database credentials during pipeline execution, adhering to the principle of least privilege?

Both services allow you to retrieve secrets programmatically during pipeline execution, ensuring sensitive data is never exposed in plain text in your code repositories.
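As an added example (not part of the course material), the scenario above expressed as a CodeBuild buildspec.yml that resolves the credentials at build time through the `env.secrets-manager` and `env.parameter-store` sections rather than hardcoding them; the secret name `prod/app/db`, the parameter `/prod/app/db/host`, the script `run-migrations.sh` and the ARNs in the comments are assumed, not taken from the page.

```yaml
# Added example, not from the course page. Assumed names: secret "prod/app/db"
# (a JSON secret with "username" and "password" keys), parameter
# "/prod/app/db/host", and a hypothetical migration script.
version: 0.2
env:
  # CodeBuild fetches these from Secrets Manager before any phase runs.
  # Value format: secret-id:json-key[:version-stage[:version-id]]
  secrets-manager:
    DB_USER: "prod/app/db:username"
    DB_PASSWORD: "prod/app/db:password"
  # Fetched from Parameter Store; SecureString values are decrypted for the build.
  parameter-store:
    DB_HOST: "/prod/app/db/host"
phases:
  pre_build:
    commands:
      # Fail fast if a secret did not resolve, without printing its value.
      # Never echo $DB_PASSWORD: anything printed lands in the build log.
      - test -n "$DB_PASSWORD" || { echo "DB_PASSWORD not resolved"; exit 1; }
  build:
    commands:
      # The script reads DB_PASSWORD from the environment; it is not passed
      # on the command line, so it does not appear in process listings or logs.
      - ./run-migrations.sh "$DB_HOST" "$DB_USER"
# Least-privilege policy for the CodeBuild service role (hypothetical ARNs):
#   secretsmanager:GetSecretValue  on arn:aws:secretsmanager:REGION:ACCOUNT:secret:prod/app/db-*
#   ssm:GetParameters              on arn:aws:ssm:REGION:ACCOUNT:parameter/prod/app/db/*
#   kms:Decrypt                    only on the customer managed key, if one encrypts them
# No other secret or parameter path is granted, and the source repository
# and buildspec.yml contain no credential values.
```

The same pattern applies to AWS CodeDeploy hooks, which can call the AWS CLI or SDK with the instance or service role to read the secret at deploy time instead of bundling it in the artifact.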

💡 Tip: Use Secrets Manager for secrets that require automatic rotation. Use Parameter Store for configuration data or secrets that don't require frequent rotation. Always grant least privilege access to these services.