AWS Secrets Manager

⬢ TIER 2Tech

High

Salary impact

2 months

Time to learn

Medium

Difficulty

—

Careers

At a glance

AWS Secrets Manager is the managed secrets service for high-rotation, high-risk credentials: database passwords, API keys, OAuth tokens, SSH keys. Key differentiation vs Parameter Store: automatic rotation (database password changes every 30 days), multi-region replication, immediate secret revocation on breach. Integrates with AWS Lambda for custom rotation logic. Use Secrets Manager for secrets that rotate frequently (databases, API tokens), Parameter Store for static config. Why it matters: automatic rotation reduces exposure window, meets compliance (HIPAA, SOC2, PCI-DSS), prevents credential sprawl. Salary impact: teams using proper secret rotation ($300/month Secrets Manager) avoid breaches costing millions. Learning path: 3 days basics (create/rotate secrets), 1 week intermediate (Lambda rotation, replication), 1 month production (audit, compliance, cost optimization).

What is AWS Secrets Manager

AWS Secrets Manager is a managed service for storing, rotating, and managing secrets, database passwords, API keys, OAuth tokens, SSH keys. Unlike Secrets Parameter Store (which is static), Secrets Manager is designed for high-rotation, high-risk credentials that change frequently. Core capability: automatic rotation. Schedule a Lambda function to run every 30 days (or on demand), generate a new password, update the target database/service, and store the new secret in Secrets Manager. Applications always read the current version. Old versions kept for rollback.

🔧 TOOLS & ECOSYSTEM

AWS Secrets ManagerAWS LambdaAWS RDSboto3AWS CLIAWS KMSCloudTrailEventBridge

📋 Before you start

Cloud Security Aws Lambda

💰 Salary by region

Region	Junior	Mid	Senior
USA	$85k	$130k	$190k
UK	£50k	£80k	£125k
EU	€55k	€85k	€135k
CANADA	C$90k	C$125k	C$180k

🎓 Certifications

AWS Certified Security, Specialty AWS Certified Developer, Associate AWS Certified Solutions Architect, Associate

⚖ Compare with

Aws Ssm Parameter Store Cloud Security Hashicorp Vault

❓ FAQ

Should I use Secrets Manager or Parameter Store?

Secrets Manager: high-rotation secrets (DB password, API keys that change weekly). Parameter Store: config, feature flags, static API keys. Hybrid: use both. Secrets Manager costs $0.40/secret/month; Parameter Store is free. For 10 secrets, Secrets Manager = $5/month (worth it for rotation automation).

How does automatic rotation work?

Secrets Manager invokes a Lambda function on schedule (every 30 days by default). Lambda: reads old secret, generates new password, updates database/service, stores new secret in Secrets Manager. On success, Secrets Manager marks secret as rotated; old versions kept for rollback.

Can I replicate secrets across regions?

Yes. Secrets Manager auto-replicates to secondary regions (read-only by default). On primary region failure, promote secondary. Enables disaster recovery for secrets. Replication cost: $0.40/secret/month per region.

What happens when a secret is breached?

Use RotateSecretImmediate to rotate immediately (don't wait 30 days). Lambda runs rotation logic, generates new password, updates target. Old versions kept in history for debugging. Combined with EventBridge alerts, enables instant response.

How do I prevent an application from reading an old secret after rotation?

Secrets Manager returns the current version by default. Store version ID in application config only if needed for specific versions. Application should always GetSecretValue (current version). Old versions archived in history.

Can Secrets Manager rotate non-AWS services (third-party APIs)?

Yes, via custom Lambda rotation functions. For AWS RDS/Redshift/DocumentDB, use built-in rotation templates. For third-party (Stripe, Twilio, Salesforce), write a Lambda that rotates via their API. More setup, but fully supported.

Is there a free tier for Secrets Manager?

No. Charges: $0.40/secret/month + $0.06 per 10k API calls (first 100k free per month). Parameter Store is cheaper for most teams. Secrets Manager justified only if you have 5+ secrets needing rotation.