AWS Secrets Manager
Secrets Manager provides similar features to Systems Manager Parameter Store. It protects secrets (such as passwords, keys, and tokens) required to access other AWS resources.
Secrets Manager securely stores and rotates your credentials or other secrets.
- Secrets Manager automatically rotates secrets and can generate random secrets.
- Secrets Manager is used for database credentials, passwords, and API keys.
- You can replace hard-coded credentials in your code (including passwords) with an API call to Secrets Manager that retrieves the secret programmatically, encrypted in transit.
- Secrets Manager applies a new key/password to RDS automatically; for other services you can use a Lambda function to change the keys.
- Key rotation is easy: it is done via a Lambda function.
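The retrieval pattern above, as an added example that is not part of the original notes: a small cache that fetches the secret at run time with GetSecretValue instead of reading a hard-coded value, and that re-fetches once when the consumer reports an authentication failure, which is what happens to a cached value after a rotation. The secret name `prod/db` and the JSON shape `{"username": ..., "password": ...}` are assumptions; the client is injectable, and defaults to a boto3 client when none is given.

```python
"""Fetch secrets at run time instead of hard-coding them (added example).

Assumes the secret is stored as a JSON document such as
{"username": "...", "password": "..."}; plain-text secrets are returned as-is.
"""
import json
import time


class SecretCache:
    """Caches secret values for `ttl` seconds and re-fetches them when a
    consumer reports an authentication failure (e.g. after a rotation)."""

    def __init__(self, client=None, ttl=300.0, clock=time.monotonic):
        if client is None:
            import boto3  # lazy import keeps the module importable without boto3
            client = boto3.client("secretsmanager")
        self._client = client
        self._ttl = ttl
        self._clock = clock
        self._entries = {}  # secret_id -> (expires_at, parsed_value)

    def get(self, secret_id, force_refresh=False):
        """Return the parsed secret, fetching it if it is missing or expired."""
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and not force_refresh and now < entry[0]:
            return entry[1]
        # GetSecretValue is served over TLS, so the value is encrypted in transit.
        resp = self._client.get_secret_value(SecretId=secret_id)
        if "SecretString" in resp:
            raw = resp["SecretString"]
        else:
            raw = resp["SecretBinary"].decode("utf-8")
        try:
            value = json.loads(raw)
        except ValueError:
            value = raw  # not JSON: hand back the plain string
        self._entries[secret_id] = (now + self._ttl, value)
        return value

    def call_with_secret(self, secret_id, func, retry_on=(PermissionError,)):
        """Run func(secret); on an auth error, refresh once and retry.
        This covers the case where the secret rotated after we cached it."""
        try:
            return func(self.get(secret_id))
        except retry_on:
            return func(self.get(secret_id, force_refresh=True))


if __name__ == "__main__":
    # Real use (needs boto3 and credentials): the secret name is assumed.
    cache = SecretCache()
    print(cache.get("prod/db")["username"])
```

Keep the TTL short relative to the rotation schedule, and map your database driver's authentication exception onto `retry_on` so a stale cached password triggers exactly one refresh rather than repeated retries.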
Multi-Region Replicas
You can create a read replica of the secrets in a different region.
- Secrets Manager keeps read replicas in sync with the Primary.
- Read Replicas can be promoted to the Primary.
- Use cases:
  - Multi-region applications or DBs
  - Disaster recovery

Key Rotation
- When you configure rotation for a secret, Secrets Manager rotates it once immediately, as soon as the secret is stored.
- After that initial rotation the old value is no longer usable, so anything still holding the original (hard-coded or cached) value stops working.
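The Lambda-based rotation mentioned above, as an added example that is not from the original notes: a skeleton of the rotation function Secrets Manager invokes once per step (`createSecret`, `setSecret`, `testSecret`, `finishSecret`), using the `AWSPENDING`/`AWSCURRENT` version labels. The secret name, the JSON layout with a `password` field, and the two service hooks (`apply_to_service`, `check_service`) are assumptions; the client is injectable so the flow can be exercised without AWS.

```python
"""Rotation Lambda skeleton for a Secrets Manager secret (added example).

Secrets Manager calls the function with the secret ARN, a ClientRequestToken
that identifies the new version, and the step name. Each step is idempotent
so a retried invocation does not generate a second password or move labels twice.
"""
import json

PENDING, CURRENT = "AWSPENDING", "AWSCURRENT"


def _current_version_id(client, secret_id):
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    for version_id, labels in stages.items():
        if CURRENT in labels:
            return version_id
    raise RuntimeError(f"{secret_id} has no {CURRENT} version")


def _pending_secret(client, secret_id, token):
    resp = client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage=PENDING)
    return json.loads(resp["SecretString"])


def create_secret(client, secret_id, token):
    """Step 1: generate a new random password and stage it as AWSPENDING."""
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if PENDING in stages.get(token, []):
        return  # already staged by an earlier attempt
    current = client.get_secret_value(SecretId=secret_id, VersionStage=CURRENT)
    doc = json.loads(current["SecretString"])
    doc["password"] = client.get_random_password(
        PasswordLength=32, ExcludePunctuation=True)["RandomPassword"]
    client.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                            SecretString=json.dumps(doc), VersionStages=[PENDING])


def set_secret(client, secret_id, token, apply_to_service):
    """Step 2: push the pending credentials to the service (e.g. ALTER USER)."""
    apply_to_service(_pending_secret(client, secret_id, token))


def verify_secret(client, secret_id, token, check_service):
    """Step 3 (testSecret): confirm the service accepts the pending credentials.
    Failing here leaves AWSCURRENT untouched, so clients keep working."""
    if not check_service(_pending_secret(client, secret_id, token)):
        raise RuntimeError("service rejected the pending credentials")


def finish_secret(client, secret_id, token):
    """Step 4: move AWSCURRENT to the new version; the previous version
    receives AWSPREVIOUS."""
    current_id = _current_version_id(client, secret_id)
    if current_id == token:
        return  # already finished by an earlier attempt
    client.update_secret_version_stage(SecretId=secret_id, VersionStage=CURRENT,
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)


def _placeholder_apply(doc):  # hypothetical hook: replace with the service's credential update
    raise NotImplementedError("apply_to_service hook not implemented")


def _placeholder_check(doc):  # hypothetical hook: replace with a real login test
    raise NotImplementedError("check_service hook not implemented")


def lambda_handler(event, context=None, client=None,
                   apply_to_service=_placeholder_apply, check_service=_placeholder_check):
    """Entry point: dispatch on event['Step']; returns the step that ran."""
    if client is None:
        import boto3  # lazy import keeps the module importable without boto3
        client = boto3.client("secretsmanager")
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        create_secret(client, secret_id, token)
    elif step == "setSecret":
        set_secret(client, secret_id, token, apply_to_service)
    elif step == "testSecret":
        verify_secret(client, secret_id, token, check_service)
    elif step == "finishSecret":
        finish_secret(client, secret_id, token)
    else:
        raise ValueError(f"unknown rotation step: {step}")
    return step
```

The order matters for the caveat in the notes: the new password only becomes `AWSCURRENT` in the last step, after the service has accepted it, so a consumer that re-reads the secret on an authentication failure picks up the new value while the old one is still tagged `AWSPREVIOUS`.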
Parameter Store vs. Secrets Manager
AWS Systems Manager provides the Parameter Store, a secure, hierarchical store for configuration data.
- Both services are accessible from CloudFormation.
| | Secrets Manager | Parameter Store |
|---|---|---|
| Use Cases | specifically for confidential information | passwords, host names, product keys, or other configuration variables |
| Key Rotation | It offers the ability to rotate the secrets | No rotation |
| Cross-Account Access | It allows cross-account access. Secrets can be accessed from another AWS account with a proper role. | Not supported |
| Encryption | Yes (KMS) | Yes (KMS) |
| CloudFormation Integration | Yes | Yes |
| Versioning | Yes | Yes |