AWS Secrets Manager and Parameter Store

Applications need secrets — database passwords, API keys, OAuth tokens, encryption keys. Hardcoding these values in source code or configuration files is a serious security risk. AWS provides two services to manage secrets securely: AWS Secrets Manager and AWS Systems Manager Parameter Store.

---

The Problem with Hardcoded Secrets

Hardcoding secrets leads to multiple issues:

• Source code exposure — secrets committed to version control are accessible to anyone with repository access, and they persist in git history even after deletion.
• Difficult rotation — changing a hardcoded secret requires redeploying every application that uses it.
• No audit trail — you cannot track who accessed the secret or when.
• Environment coupling — the same secret value is often used across development, staging, and production, creating security risks.

Both Secrets Manager and Parameter Store solve these problems by externalising secrets from your application code.

---

AWS Secrets Manager

Secrets Manager is a purpose-built service for storing, retrieving, and automatically rotating secrets.

Key Features

Feature	Description
Encryption	All secrets are encrypted at rest using KMS
Automatic rotation	Built-in rotation for RDS, Redshift, and DocumentDB; custom Lambda rotation for others
Fine-grained access	IAM policies and resource-based policies control who can access each secret
Versioning	Secrets are versioned — you can access current and previous values
Cross-account access	Resource-based policies allow sharing secrets across AWS accounts
Audit	CloudTrail logs every API call — you know who accessed what and when

Storing a Secret

aws secretsmanager create-secret \
  --name production/database/password \
  --description "Production database master password" \
  --secret-string '{"username":"admin","password":"S3cur3P@ssw0rd!"}'

Retrieving a Secret

aws secretsmanager get-secret-value \
  --secret-id production/database/password

In application code (Node.js example):

const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');
const client = new SecretsManagerClient({ region: 'eu-west-2' });
const response = await client.send(new GetSecretValueCommand({ SecretId: 'production/database/password' }));
const secret = JSON.parse(response.SecretString);
console.log(secret.username); // "admin"

Automatic Rotation

Secrets Manager can automatically rotate secrets on a schedule (e.g., every 30 days). For RDS databases, the rotation is built-in — Secrets Manager:

1. Generates a new password.
2. Updates the database with the new password.
3. Updates the secret value in Secrets Manager.
4. Tests the new credentials to ensure they work.

For other secret types, you provide a custom Lambda function that handles the rotation logic.

Rotation Configuration

aws secretsmanager rotate-secret \
  --secret-id production/database/password \
  --rotation-lambda-arn arn:aws:lambda:eu-west-2:123456789012:function:RotateMySecret \
  --rotation-rules AutomaticallyAfterDays=30

---

AWS Systems Manager Parameter Store

Parameter Store is part of AWS Systems Manager and provides a hierarchical store for configuration data and secrets.

Key Features