Secrets Manager and Parameter Store
Rotate database credentials automatically with Secrets Manager, store non-secret configuration in Parameter Store, and integrate both with Lambda and ECS.
The Problem of Secrets in Code
A common and dangerous anti-pattern is storing secrets (database passwords, API keys, OAuth tokens) in application source code, environment variables, or configuration files checked into version control. When such a repository is exposed, whether accidentally made public or read by an attacker, every secret in it is compromised at once, and the git history keeps them even after a "remove password" commit. AWS provides two managed services to address this: AWS Secrets Manager for credentials that need automatic rotation, and AWS Systems Manager Parameter Store for configuration values and for secrets (stored as SecureString parameters) that do not need rotation.
# Anti-pattern: secrets in code (NEVER do this)
# db_password = 'supersecret123'
# api_key = 'sk-abc123def456'
# Best practice: retrieve at runtime
import boto3
client = boto3.client('secretsmanager', region_name='us-east-1')
response = client.get_secret_value(SecretId='prod/myapp/db-password')
password = response['SecretString']  # current value at call time, never baked into the deploy

AWS Secrets Manager Overview
AWS Secrets Manager is a managed service for storing, retrieving, and automatically rotating secrets. Every secret is encrypted with KMS, by default under the AWS managed key aws/secretsmanager, or under a customer managed key you specify. A secret can hold a JSON string of key-value pairs (the layout the managed rotation functions expect) or arbitrary binary data (SecretBinary). Pricing is $0.40 per secret per month plus $0.05 per 10,000 API calls, so applications should cache retrieved values rather than calling GetSecretValue on every request. The key differentiator from Parameter Store is built-in automatic rotation: managed rotation for RDS, Redshift, and DocumentDB, and custom rotation for anything else via a Lambda rotation function. Rotation is transparent to an application only if it fetches the secret at runtime and re-fetches it when a cached credential is rejected; a password copied into a config file at deploy time still breaks when the rotation runs.
# Create a secret in Secrets Manager.
# The "engine" key is required by the managed RDS rotation functions; the other
# keys (username, password, host, port, dbname) follow the same convention.
# Note that a literal password on the command line lands in shell history and in
# process listings: in practice pass --secret-string file://secret.json, or
# generate the initial password with `aws secretsmanager get-random-password`.
aws secretsmanager create-secret \
--name 'prod/myapp/database' \
--description 'Production MySQL credentials' \
--secret-string '{"engine":"mysql","username":"admin","password":"changeme123","host":"mydb.rds.amazonaws.com","port":3306,"dbname":"orders"}'
# Retrieve the secret (by application)
aws secretsmanager get-secret-value \
--secret-id 'prod/myapp/database' \
--query 'SecretString' \
--output text | python3 -c 'import sys,json; s=json.load(sys.stdin); print(s["password"])'
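The two points above, retrieving the secret at runtime and surviving a rotation, come together in the application's fetch path. The following is an added example, not code from the original lesson or from AWS: a small TTL cache in front of get_secret_value plus a connect helper that refreshes the secret once when the database rejects the cached password. The real boto3 secretsmanager client can be passed as `client`; here a constructed FakeSecretsManager and FakeDatabase stand in for it so the example runs offline. The secret name, field values and the AuthError type are assumptions for illustration.

```python
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple


class AuthError(Exception):
    """Raised by the (hypothetical) connect function when credentials are rejected."""


class SecretCache:
    """In-process cache for Secrets Manager secrets.

    `client` is anything exposing boto3's get_secret_value(SecretId=...) call, so a real
    boto3.client('secretsmanager') works here. Entries expire after ttl_seconds, or
    immediately via refresh(), which is the hook a rotation-aware caller uses.
    """

    def __init__(self, client: Any, ttl_seconds: float = 300.0) -> None:
        self._client = client
        self._ttl = ttl_seconds
        self._entries: Dict[str, Tuple[float, Dict[str, Any]]] = {}
        self.fetches = 0  # API calls made; each one is billable, so keep this low

    def _fetch(self, secret_id: str) -> Dict[str, Any]:
        self.fetches += 1
        resp = self._client.get_secret_value(SecretId=secret_id)
        # Text secrets come back as SecretString (JSON by convention), others as SecretBinary.
        if "SecretString" in resp:
            return json.loads(resp["SecretString"])
        return {"binary": resp["SecretBinary"]}

    def get(self, secret_id: str, now: Optional[float] = None) -> Dict[str, Any]:
        now = time.monotonic() if now is None else now
        entry = self._entries.get(secret_id)
        if entry is None or now - entry[0] > self._ttl:
            self._entries[secret_id] = (now, self._fetch(secret_id))
        return self._entries[secret_id][1]

    def refresh(self, secret_id: str) -> Dict[str, Any]:
        """Drop the cached copy and fetch again (used after a rotation is detected)."""
        self._entries.pop(secret_id, None)
        return self.get(secret_id)


def connect_with_rotation_retry(cache: SecretCache, secret_id: str,
                                connect: Callable[[Dict[str, Any]], Any]) -> Any:
    """Connect with cached credentials; on AuthError refresh the secret once and retry.

    The rotation Lambda changes the password in the database and in Secrets Manager;
    the application recovers on its next failed login instead of polling on every request.
    """
    creds = cache.get(secret_id)
    try:
        return connect(creds)
    except AuthError:
        creds = cache.refresh(secret_id)
        return connect(creds)  # a second failure propagates: that is not a rotation


# ---- constructed fakes so the example runs offline (not AWS or boto3 code) ----

class FakeSecretsManager:
    """Mimics get_secret_value for one secret whose password is changed by rotate()."""

    def __init__(self, secret_id: str, username: str, password: str) -> None:
        self.secret_id = secret_id
        self.current = {"engine": "mysql", "username": username, "password": password,
                        "host": "db.example.internal", "port": 3306, "dbname": "orders"}

    def rotate(self, new_password: str) -> None:
        self.current = dict(self.current, password=new_password)

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        if SecretId != self.secret_id:
            raise KeyError("unknown secret: %s" % SecretId)
        return {"Name": SecretId, "SecretString": json.dumps(self.current)}


class FakeDatabase:
    """Accepts a connection only when the supplied password matches its current one."""

    def __init__(self, password: str) -> None:
        self.password = password
        self.logins = 0

    def connect(self, creds: Dict[str, Any]) -> str:
        self.logins += 1
        if creds["password"] != self.password:
            raise AuthError("access denied for user %r" % creds["username"])
        return "conn(%s)" % creds["username"]


def demo() -> Dict[str, Any]:
    sm = FakeSecretsManager("prod/myapp/database", "app", "initial-pw")
    db = FakeDatabase("initial-pw")
    cache = SecretCache(sm, ttl_seconds=300)

    first = connect_with_rotation_retry(cache, sm.secret_id, db.connect)   # API fetch, then connect
    second = connect_with_rotation_retry(cache, sm.secret_id, db.connect)  # cache hit, no API call

    sm.rotate("rotated-pw")        # rotation Lambda updated Secrets Manager...
    db.password = "rotated-pw"     # ...and the database
    third = connect_with_rotation_retry(cache, sm.secret_id, db.connect)   # AuthError, refresh, ok

    return {"results": [first, second, third], "fetches": cache.fetches, "logins": db.logins}
```

In the demo the three connections cost two API calls and four login attempts: the cache absorbs the second call entirely, and the rotation costs exactly one rejected login plus one refresh. Set the TTL below the rotation interval so a stale entry is bounded even for callers that never see an AuthError, and never retry more than once, since repeated rejections with a freshly fetched secret indicate a real failure rather than a rotation.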