Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.1. Credential and Secret Management and Rotation

First Principle: Secrets must be stored centrally, accessed programmatically, rotated automatically, and audited continuously. Any secret that is hardcoded, shared manually, or never rotated is a breach waiting to happen.

AWS Secrets Manager:
  • Stores credentials, API keys, tokens, and other secrets, encrypted at rest with a KMS key (the AWS managed key aws/secretsmanager by default, or a customer managed key)
  • Automatic rotation for supported databases (RDS, Redshift, DocumentDB) using AWS-provided rotation Lambda templates
  • Custom rotation for any other secret type using a Lambda function you write (same four-step contract: createSecret, setSecret, testSecret, finishSecret)
  • IAM identity policies and resource policies on the secret control who can read, write, and rotate specific secrets
  • Cross-account access via a resource policy on the secret for shared infrastructure; this only works when the secret is encrypted with a customer managed KMS key whose key policy also grants the other account, because the AWS managed key cannot be shared
  • All API calls, including every GetSecretValue, are logged in CloudTrail for audit
Secrets Manager vs. SSM Parameter Store:

  Capability                Secrets Manager                                     Parameter Store (SecureString)
  Built-in rotation         Yes (native for RDS, Redshift, DocumentDB)          No (must build custom rotation yourself)
  Cost                      $0.40/secret/month plus $0.05 per 10,000 API calls  Standard parameters free; advanced $0.05/parameter/month
  Cross-Region replication  Yes                                                 No
  Max secret size           64 KB                                               4 KB (standard), 8 KB (advanced)
  Best for                  Database credentials, API keys                      Configuration values, feature flags
Rotation Best Practices:
  • Enable automatic rotation for all database credentials (30-90 day cycle)
  • Use the multi-user (alternating users) rotation strategy for zero-downtime rotation: the new password is set on the user the application is NOT currently using, so connections made with the cached credential keep working until the cut-over
  • Test rotation in non-production environments first, and confirm the rotation Lambda can reach both the database and the Secrets Manager endpoint (VPC routing or a VPC endpoint)
  • Monitor rotation failures: alarm on the rotation Lambda's Errors metric in CloudWatch, and retain the previous version (AWSPREVIOUS) so you can roll back

⚠️ Exam Trap: Secrets Manager has built-in rotation for RDS/Redshift/DocumentDB. Parameter Store does NOT have built-in rotation. If a question asks about automatic credential rotation, Secrets Manager is the answer.

Scenario: A web application uses hardcoded RDS credentials. You migrate to Secrets Manager with 30-day automatic rotation. The application retrieves the current credential via the API when it opens a connection, caches it rather than calling the API on every request, and on an authentication failure re-reads the AWSCURRENT version and retries once, so it picks up the rotated value without a deploy.
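The following is an added example illustrating both the rotation best practices above and this scenario; it is not code from AWS or from this course. It simulates the four-step rotation contract (createSecret, setSecret, testSecret, finishSecret) with the AWSCURRENT / AWSPENDING / AWSPREVIOUS staging labels, in both the single-user and the multi-user (user and user_clone) variant, and a client that caches the secret and refreshes it on authentication failure. FakeSecretsManager and FakeDatabase are constructed stand-ins: they mirror the boto3 method names but take no SecretId and hold everything in memory, so the script runs offline. The user names, host and passwords are made up.

```python
# Added example (not AWS or course code). FakeSecretsManager/FakeDatabase are
# constructed stand-ins for the boto3 secretsmanager client and an RDS instance.
import json
import secrets

AWSCURRENT, AWSPENDING, AWSPREVIOUS = "AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"


class FakeSecretsManager:
    """Secret versions keyed by id; staging labels point at version ids."""

    def __init__(self, initial):
        self.versions = {"v0": json.dumps(initial)}
        self.labels = {AWSCURRENT: "v0"}
        self._count = 0

    def get_secret_value(self, VersionStage=AWSCURRENT):
        vid = self.labels[VersionStage]
        return {"VersionId": vid, "SecretString": self.versions[vid]}

    def put_secret_value(self, SecretString, VersionStages):
        self._count += 1
        vid = f"v{self._count}"
        self.versions[vid] = SecretString
        for stage in VersionStages:
            self.labels[stage] = vid
        return {"VersionId": vid}

    def update_secret_version_stage(self, VersionStage, MoveToVersionId):
        self.labels[VersionStage] = MoveToVersionId


class FakeDatabase:
    """Stand-in for RDS: a login succeeds only with the user's stored password."""

    def __init__(self, users):
        self.users = dict(users)

    def set_password(self, user, password):
        self.users[user] = password

    def connect(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError(f"authentication failed for {user}")
        return f"connected as {user}"


def read_current(sm):
    """Return the AWSCURRENT secret as a dict (RDS secret format: username/password/...)."""
    return json.loads(sm.get_secret_value(AWSCURRENT)["SecretString"])


def rotate(sm, db, multi_user=True, mid_rotation_hook=None):
    """The four steps the AWS rotation Lambda template runs.
    multi_user=True alternates between <user> and <user>_clone (the template's
    naming), so the AWSCURRENT credential keeps working until the cut-over.
    multi_user=False changes the live user's password in place: between
    setSecret and finishSecret the database and AWSCURRENT disagree.
    mid_rotation_hook(sm, db), if given, runs inside that window."""
    current = read_current(sm)
    user = current["username"]
    if multi_user:
        user = user[:-6] if user.endswith("_clone") else user + "_clone"
    # createSecret: fresh random password stored under the AWSPENDING label
    pending = dict(current, username=user, password=secrets.token_urlsafe(24))
    new_vid = sm.put_secret_value(json.dumps(pending), [AWSPENDING])["VersionId"]
    # setSecret: push the pending password into the database
    db.set_password(user, pending["password"])
    if mid_rotation_hook:
        mid_rotation_hook(sm, db)
    # testSecret: prove the pending credential works before promoting it
    db.connect(user, pending["password"])
    # finishSecret: AWSPENDING becomes AWSCURRENT, the old version AWSPREVIOUS
    old_vid = sm.labels[AWSCURRENT]
    sm.update_secret_version_stage(AWSPREVIOUS, MoveToVersionId=old_vid)
    sm.update_secret_version_stage(AWSCURRENT, MoveToVersionId=new_vid)
    del sm.labels[AWSPENDING]
    return pending


class RotationAwareClient:
    """Caches the secret instead of calling the API per connection, and
    re-reads AWSCURRENT once when the database rejects the cached value."""

    def __init__(self, sm, db):
        self.sm, self.db, self.cached, self.fetches = sm, db, None, 0

    def _creds(self, refresh=False):
        if self.cached is None or refresh:
            self.cached = read_current(self.sm)
            self.fetches += 1
        return self.cached

    def connect(self):
        creds = self._creds()
        try:
            return self.db.connect(creds["username"], creds["password"])
        except PermissionError:
            creds = self._creds(refresh=True)  # stale cache after a rotation
            return self.db.connect(creds["username"], creds["password"])


def build_env():
    """Constructed starting state: one RDS-style secret, two database users."""
    db = FakeDatabase({"app_user": "pw0", "app_user_clone": "unset"})
    sm = FakeSecretsManager({"engine": "mysql", "host": "db.example.internal",
                             "username": "app_user", "password": "pw0"})
    return sm, db


if __name__ == "__main__":
    sm, db = build_env()
    client = RotationAwareClient(sm, db)
    client.connect()                                      # cache holds app_user/pw0
    rotate(sm, db)                                        # app_user_clone becomes AWSCURRENT
    print(client.connect(), "fetches:", client.fetches)   # cache still valid, no refresh
    rotate(sm, db)                                        # app_user gets a new password
    print(client.connect(), "fetches:", client.fetches)   # one refresh, then connected
```

Two things to take from running it. First, after one multi-user rotation the client's cached app_user credential still works, because only app_user_clone changed; the cache only has to refresh after the second rotation, and the retry absorbs that. Second, if you pass mid_rotation_hook with multi_user=False, a fresh client that reads AWSCURRENT during the window between setSecret and finishSecret gets a password the database has already replaced and fails; with multi_user=True the same probe succeeds. That window is the failure the multi-user strategy removes.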

Reflection Question: Why does automatic rotation fundamentally change the security economics of credential management, and what failure does the multi-user rotation strategy prevent?

Written by Alvin Varughese, Founder (15 professional certifications)