Secrets and Configuration Management

Learn how to manage passwords and configuration using AWS Secrets Manager, Systems Manager, and AppConfig.

Configuration values such as database passwords or third-party API tokens are often critical to application functionality. In cloud applications, configuration data and application secrets such as API keys, passwords, database connection strings, and third-party tokens require secure handling. Embedding these values directly into source code or deployment artifacts can lead to serious security breaches.

AWS offers services and patterns that allow us to isolate and manage secrets securely while enforcing least-privilege access and full auditability. These services include:

  • Secrets Manager

  • Parameter Store

  • AppConfig

Before selecting a service, it’s important to consider the nature of the data we’re handling, whether it’s personally identifiable information (PII), credentials, or general configuration settings.

Let’s learn about these tools to understand how they work and when to use each.

Managing secrets with AWS Secrets Manager

AWS Secrets Manager is a fully managed AWS service designed to manage highly sensitive values like database credentials, API keys, and OAuth tokens.

Secrets are always stored encrypted with AWS KMS and retrieved through authenticated API calls made via the AWS SDK or CLI. Because every read goes through the API, each call is recorded by AWS CloudTrail, so we can see exactly which principal (user, role, or service) accessed a specific secret and when. That audit trail is critical for security investigations and compliance.

Here is a basic Python example using Boto3 to retrieve a secret:

import boto3
import json

def get_secret():
    # Credentials and region come from the environment or the IAM role,
    # so no secret material is embedded in the code itself.
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='mySecretId')
    # A secret stored as JSON text is returned in SecretString
    # (binary secrets are returned in SecretBinary instead).
    secret = json.loads(response['SecretString'])
    return secret['username'], secret['password']

A key advantage of Secrets Manager is its native support for automatic secret rotation for supported services, such as Amazon RDS. This reduces the operational burden of manually rotating credentials and helps maintain compliance.

Every time a secret is updated, Secrets Manager creates a new version. To manage these versions safely, it uses staging labels. The AWSCURRENT label always points to the active, in-use version of the secret. During a rotation, a new ...
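The following is an added example, not code from the course. It builds on the Boto3 retrieval snippet above and on the staging-label mechanism just described: a small SecretCache helper requests a secret by VersionStage (the real get_secret_value parameter), caches the parsed JSON for a short TTL so a rotated credential is picked up without an API call on every use, and refuses to put the secret payload into error messages. To run offline it talks to a constructed FakeSecretsManager that mimics only the response fields the helper reads and applies the real service's relabelling at rotation (the new version becomes AWSCURRENT, the old one AWSPREVIOUS); in production you would pass boto3.client('secretsmanager') instead. The names SecretCache, FakeSecretsManager, demo, the secret id "prod/db" and the placeholder passwords are all assumptions of this example.

```python
import json
import time


class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager client (assumption: not boto3).
    Models versions with staging labels; only get_secret_value mirrors the real API."""

    def __init__(self):
        self._versions = {}  # secret_id -> {version_id: {"value": str, "stages": set}}
        self.calls = 0       # every read counted, as CloudTrail would record it

    def create_secret(self, secret_id, secret_string):
        vid = f"v{len(self._versions.get(secret_id, {})) + 1}"
        self._versions.setdefault(secret_id, {})[vid] = {
            "value": secret_string, "stages": {"AWSCURRENT"}}
        return vid

    def put_new_version(self, secret_id, secret_string):
        """Simulate the end of a rotation: new version -> AWSCURRENT,
        previous AWSCURRENT -> AWSPREVIOUS, older AWSPREVIOUS loses its label."""
        versions = self._versions[secret_id]
        for v in versions.values():
            if "AWSCURRENT" in v["stages"]:
                v["stages"].discard("AWSCURRENT")
                v["stages"].add("AWSPREVIOUS")
            elif "AWSPREVIOUS" in v["stages"]:
                v["stages"].discard("AWSPREVIOUS")
        vid = f"v{len(versions) + 1}"
        versions[vid] = {"value": secret_string, "stages": {"AWSCURRENT"}}
        return vid

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        for vid, v in self._versions.get(SecretId, {}).items():
            if VersionStage in v["stages"]:
                return {"Name": SecretId, "VersionId": vid,
                        "VersionStages": sorted(v["stages"]),
                        "SecretString": v["value"]}
        raise LookupError(f"{SecretId}: no version labelled {VersionStage}")


class SecretCache:
    """Fetch a JSON secret by staging label and cache it for `ttl` seconds.
    `client` is anything exposing get_secret_value(SecretId=, VersionStage=)."""

    def __init__(self, client, ttl=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._cache = {}     # (secret_id, stage) -> (expires_at, version_id, dict)

    def get(self, secret_id, stage="AWSCURRENT", required=("username", "password")):
        key = (secret_id, stage)
        now = self._clock()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return hit[1], hit[2]
        resp = self._client.get_secret_value(SecretId=secret_id, VersionStage=stage)
        try:
            data = json.loads(resp["SecretString"])
        except (KeyError, ValueError) as exc:
            # Report the problem without echoing the secret payload itself.
            raise ValueError(f"secret {secret_id} ({stage}) is not JSON text") from exc
        missing = [k for k in required if k not in data]
        if missing:
            raise KeyError(f"secret {secret_id} is missing fields: {missing}")
        self._cache[key] = (now + self._ttl, resp["VersionId"], data)
        return resp["VersionId"], data

    def invalidate(self, secret_id, stage="AWSCURRENT"):
        """Drop a cached entry, e.g. after an authentication failure that
        suggests the credential was rotated before the TTL expired."""
        self._cache.pop((secret_id, stage), None)


def demo():
    """Walk through a rotation and return what each read observed."""
    sm = FakeSecretsManager()
    # Constructed sample secret; the passwords are placeholders.
    sm.create_secret("prod/db", json.dumps({"username": "app", "password": "pw-1"}))
    clock = [0.0]
    cache = SecretCache(sm, ttl=60, clock=lambda: clock[0])
    v1, creds1 = cache.get("prod/db")
    cache.get("prod/db")                       # served from cache: no API call
    sm.put_new_version("prod/db", json.dumps({"username": "app", "password": "pw-2"}))
    clock[0] = 61.0                            # TTL elapsed, next read refetches
    v2, creds2 = cache.get("prod/db")
    _, prev = cache.get("prod/db", stage="AWSPREVIOUS")
    return {"v1": v1, "v2": v2, "pw1": creds1["password"], "pw2": creds2["password"],
            "prev_pw": prev["password"], "api_calls": sm.calls}


if __name__ == "__main__":
    print(demo())
```

The TTL is a trade-off: a shorter one picks up a rotation sooner but costs more API calls and CloudTrail noise; pairing a modest TTL with invalidate() on authentication failure is a common compromise. Requesting AWSPREVIOUS is how a consumer can fall back during the window in which both the old and the new credential are valid.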