6.3.1. Credential and Secret Management and Rotation
First Principle: Secrets must be stored centrally, accessed programmatically, rotated automatically, and audited continuously. Any secret that is hardcoded, shared manually, or never rotated is a breach waiting to happen.
AWS Secrets Manager:
- Stores credentials, API keys, tokens, and other secrets encrypted with KMS
- Managed (built-in) rotation for supported databases (RDS including Aurora, Redshift, DocumentDB) using AWS-provided Lambda rotation functions
- Custom rotation for other secret types using custom Lambda functions that implement the four rotation steps (createSecret, setSecret, testSecret, finishSecret)
- IAM identity policies and per-secret resource policies together control who can read or manage specific secrets
- Cross-account access via resource policies for shared infrastructure (the KMS key policy must also allow the other account to decrypt)
- All API calls (including GetSecretValue) logged in CloudTrail for audit; CloudTrail records who read the secret, never the secret value itself
Secrets Manager vs. SSM Parameter Store:
| Capability | Secrets Manager | Parameter Store (SecureString) |
|---|---|---|
| Built-in rotation | ✅ Yes (managed for RDS/Aurora, Redshift, DocumentDB; custom Lambda for anything else) | ❌ No (must build custom) |
| Cost | $0.40/secret/month + $0.05 per 10,000 API calls | Standard parameters free; advanced parameters charged per parameter/month |
| Cross-Region replication | ✅ Yes | ❌ No |
| Max secret size | 64 KB | 4 KB (standard), 8 KB (advanced) |
| Best for | Database credentials, API keys | Configuration values, feature flags |
Rotation Best Practices:
- Enable automatic rotation for all database credentials (30-90 day cycle)
- Use the alternating-users (multi-user) rotation strategy for zero-downtime rotation: the new password is set on a second, cloned database user and the previous credential stays valid until clients refresh, instead of being invalidated in place
- Test rotation in non-production environments first
- Monitor rotation failures via CloudWatch alarms
⚠️ Exam Trap: Secrets Manager has built-in rotation for RDS/Redshift/DocumentDB. Parameter Store does NOT have built-in rotation. If a question asks about automatic credential rotation, Secrets Manager is the answer.
Scenario: A web application uses hardcoded RDS credentials. You migrate to Secrets Manager with 30-day automatic rotation. The application retrieves the current secret (the AWSCURRENT version) via the API at connection time, so it automatically picks up the latest rotated value. In practice the value is cached for a short TTL rather than fetched on every connection, and the application refreshes the cached secret once and retries when a connection fails with an authentication error, which covers the window in which a cached credential predates a rotation.
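The scenario above and the alternating-users point in the rotation best practices, as an added example that is not part of the original page and not AWS code. The Secrets Manager client and the database are constructed stand-ins so the block runs offline; the cache only calls `get_secret_value(SecretId=..., VersionStage=...)`, so in production a `boto3.client("secretsmanager")` can be passed as `client` unchanged. The secret name `prod/app/rds`, the user names and the passwords are hypothetical.

```python
"""Consuming a rotated database secret: cache, refresh on auth failure, and
why alternating-users rotation avoids a failure window (added example)."""
import json
import time


class AuthError(Exception):
    """Raised by the stand-in database when username/password do not match."""


class FakeSecretsManager:
    """Constructed stand-in for the boto3 secretsmanager client (offline only).
    Stores versions by staging label; SecretString carries the same JSON
    document Secrets Manager uses for RDS credentials."""

    def __init__(self, secret_id, current):
        self.secret_id = secret_id
        self.versions = {"AWSCURRENT": current}

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        if SecretId != self.secret_id or VersionStage not in self.versions:
            raise LookupError("ResourceNotFoundException")  # stand-in error shape
        return {"SecretString": json.dumps(self.versions[VersionStage])}

    def finish_rotation(self, new_value):
        """Mimic finishSecret: new version becomes AWSCURRENT, old AWSPREVIOUS."""
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = new_value


class FakeDatabase:
    """Constructed stand-in for RDS: a username -> password table."""

    def __init__(self, users):
        self.users = dict(users)

    def connect(self, username, password):
        if self.users.get(username) != password:
            raise AuthError(f"authentication failed for {username}")
        return f"conn:{username}"


class SecretCache:
    """Fetch the secret programmatically and cache it for `ttl` seconds so
    that every connection does not cost an API call."""

    def __init__(self, client, secret_id, ttl=300.0, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl, clock
        self._value, self._fetched_at = None, None

    def get(self, force_refresh=False):
        stale = self._value is None or self.clock() - self._fetched_at > self.ttl
        if force_refresh or stale:
            resp = self.client.get_secret_value(SecretId=self.secret_id,
                                                VersionStage="AWSCURRENT")
            self._value = json.loads(resp["SecretString"])
            self._fetched_at = self.clock()
        return self._value


def connect(cache, db, retry_on_auth_failure=True):
    """Connect with the cached credential. On an auth failure, refresh the
    secret once and retry (the cached value may predate a rotation); a second
    failure is a real credential problem and propagates."""
    creds = cache.get()
    try:
        return db.connect(creds["username"], creds["password"])
    except AuthError:
        if not retry_on_auth_failure:
            raise
        creds = cache.get(force_refresh=True)
        return db.connect(creds["username"], creds["password"])


def single_user_rotation(db, sm):
    """Change app_user's password in place: every cached copy of the old
    password is invalid the moment the AWSCURRENT label moves."""
    db.users["app_user"] = "pw-2"
    sm.finish_rotation({"username": "app_user", "password": "pw-2"})


def alternating_users_rotation(db, sm):
    """Alternating-users strategy: the clone user gets the new password and
    becomes AWSCURRENT; app_user's password is untouched, so clients holding
    the old credential keep working until they refresh."""
    db.users["app_user_clone"] = "pw-2"
    sm.finish_rotation({"username": "app_user_clone", "password": "pw-2"})


def run(strategy, retry_on_auth_failure=True):
    """Connect, rotate with `strategy`, reconnect with the still-cached
    credential. Returns (before, after); `after` is an error string on failure."""
    db = FakeDatabase({"app_user": "pw-1"})  # constructed initial state
    sm = FakeSecretsManager("prod/app/rds",
                            {"username": "app_user", "password": "pw-1"})
    cache = SecretCache(sm, "prod/app/rds")
    before = connect(cache, db)
    strategy(db, sm)
    try:
        after = connect(cache, db, retry_on_auth_failure)
    except AuthError as e:
        after = f"error: {e}"
    return before, after


if __name__ == "__main__":
    print(run(single_user_rotation, retry_on_auth_failure=False))  # cached pw fails
    print(run(single_user_rotation))                               # refresh+retry saves it
    print(run(alternating_users_rotation, retry_on_auth_failure=False))  # no failure at all
```

The three runs show the point of the best practice: with in-place (single-user) rotation, a cached credential fails the moment rotation finishes, and only the refresh-and-retry path keeps the application up; with alternating users, the previous credential remains valid, so even clients that never retry keep connecting until their cache expires and they pick up the clone user.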
Reflection Question: Why does automatic rotation fundamentally change the security economics of credential management, and what failure does the multi-user rotation strategy prevent?