Secrets Manager

Subdecks (1)

Cards (31)

  • ECS can inject sensitive data into your containers as environment variables.
  • Use SSM Parameter Store or Secrets Manager to store sensitive data.
  • Reference the sensitive data in the container definition when integrating ECS with SSM Parameter Store or Secrets Manager.
  • AWS Secrets Manager is a newer service than Parameter Store, meant for storing secrets.
  • AWS Secrets Manager has the capability to force rotation of secrets every X days.
  • AWS Secrets Manager can automate generation of secrets on rotation, using Lambda.
  • AWS Secrets Manager has integration with Amazon RDS (MySQL, PostgreSQL, Aurora).
  • Secrets in AWS Secrets Manager are encrypted using KMS.
  • AWS Secrets Manager is mostly meant for RDS integration.
  • Secrets can be accessed by those with correct IAM permissions.
  • AWS Secrets Manager allows for multi-region secrets, with the ability to promote a read replica Secret to a standalone Secret.
  • Secrets Manager uses KMS to encrypt/decrypt every version of every Secret value.
  • Each Secret value in Secrets Manager is encrypted with a unique data key (Envelope Encryption).
  • Specify your own KMS key, or use the AWS managed key (aws/secretsmanager), for encrypting secrets in Secrets Manager.
  • Secrets Manager works only with symmetric KMS keys.
  • The encryption process takes place in Secrets Manager.
  • Secrets Manager can be integrated with ECS, with secrets being pulled from the ECS container definition and injected as environment variables.
  • Secrets Manager has the capability to automatically and periodically update a Secret, a process known as Secret Rotation.
  • Secrets Manager uses a Lambda function to rotate Secrets.
  • When enabling Secret Rotation, the Secret is rotated immediately.
  • Secrets Manager can be integrated with RDS, Redshift, DocumentDB, and other databases, with credentials being changed in the Secret and the database.
  • Secrets Manager has a Resource Policy feature, which allows for specifying who can access a Secret and what actions an IAM identity can perform.
  • Secrets in Secrets Manager can be shared between AWS accounts using a Resource Policy.
  • ECS can be integrated with SSM Parameter Store and Secrets Manager to store sensitive data, which is then referenced in the container definition.