AWS Secrets Manager & SSM (DVA-C02) – Bare Essentials


1. AWS Secrets Manager

Purpose

Store and manage sensitive information such as: - Database passwords - API keys - OAuth tokens - Certificates

Secrets are encrypted using AWS KMS.


2. AWS Systems Manager (SSM) Parameter Store

Purpose

Store application configuration values.

Examples: - API endpoints - Feature flags - Environment names - Database hostnames - Configuration values

Can also store secrets, but Secrets Manager is preferred for secret rotation.


3. Parameter Store Types

String

Examples: - https://api.example.com - DEV - FeatureEnabled=true

Exam Tip

Non-sensitive configuration → String


SecureString

Examples: - Passwords - API keys - Tokens

Exam Tip

Sensitive value → SecureString


Standard vs Advanced Parameters

Standard

Advanced

Exam Tip

Small normal config → Standard


4. Secrets Manager vs Parameter Store

Secrets Manager Parameter Store
Secrets Configuration
Automatic rotation No automatic rotation
Built for passwords/API keys Built for application settings
More expensive Mostly free (Standard)

Remember

Secrets → Secrets Manager

Configuration → Parameter Store


5. Automatic Secret Rotation

Secrets Manager can automatically: - Generate a new password - Update the database - Store the new password

Applications must retrieve the latest secret.


6. Secret Caching Problem

Very common exam question.

If your application:

After rotation:

Old password ❌

Database expects:

New password ✅

Authentication fails.

Fix

Retrieve the latest secret from Secrets Manager (or refresh the cache).

Exam Tip

Rotation succeeds but login fails → Application is using a cached old secret.


7. Cross-Account Secret Access

Very common DVA question.

Suppose:

Account A - Lambda

Account B - Secret

For access to work you need TWO permissions.

1. IAM policy (Caller)

Lambda execution role needs:

2. Resource Policy (Secret)

The secret itself must allow Account A.

Exactly like S3 bucket policies.

Exam Tip

Cross-account Secrets Manager always requires:

Both are required.


8. Resource-Based Policies

Secrets Manager supports resource policies.

Used for: - Cross-account access - Granting specific principals access

Without the resource policy:

Access is denied.


9. KMS and Secrets

Secrets Manager encrypts secrets with KMS.

SecureString in Parameter Store also uses KMS.

Plain String parameters are not encrypted.


10. Which Service Should You Use?

Password

Secrets Manager

API Key

Secrets Manager

OAuth Token

Secrets Manager

Database Password

Secrets Manager

API Endpoint

Parameter Store String

Feature Flag

Parameter Store String

Region Name

Parameter Store String

Environment Name

Parameter Store String


Exam Cheat Sheet

Store secrets?

✅ Secrets Manager


Store configuration?

✅ Parameter Store


Non-sensitive config?

✅ String parameter


Sensitive config?

✅ SecureString


Need automatic password rotation?

✅ Secrets Manager


Rotation completed but app can't log in?

✅ Application is using a cached old secret


Cross-account secret access?

Need BOTH:


Standard Parameter


Advanced Parameter


5-Second Memory Tricks