Domain 2 of 4 · Chapter 3 of 3

Sensitive Data Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Developer - Associate premium course — no separate purchase.

Included in this chapter:

  • The model: externalize every secret, fetch it at runtime
  • Choosing the store: Secrets Manager vs Parameter Store
  • Rotation: managed engines, the custom Lambda, and fetch-per-use
  • Classification, log scrubbing, Macie, and exam-pattern recognition
CapabilitySecrets ManagerParameter Store (Standard)Parameter Store (Advanced)
KMS encryption at restYes (always)Yes, via SecureString typeYes, via SecureString type
Built-in rotationYes (managed for Aurora/RDS/DocumentDB/Redshift/ECS Service Connect; custom via Lambda)NoNo
Max value sizeUp to 64 KB4 KB8 KB
Cost$0.40 per secret/month + $0.05 per 10,000 API callsNo additional charge$0.05 per parameter/month + $0.05 per 10,000 API calls
Parameter policies (expiration/notification)N/ANot supportedSupported

Decision tree

Is the value secret?(password, key, token)NoYesLambda environmentvariablelog level, table names, flagsNeed built-in rotation?YesNoSecrets Managermanaged rotation (RDS/Aurora/DocumentDB/Redshift) or LambdaEncrypt at rest withKMS?YesNoParameter StoreSecureStringfree KMS storage, no rotationParameter StoreStringplaintext configNever: hard-code in code, config, or package

Cheat sheet

  • Never hard-code a secret: externalize it and fetch it at runtime by IAM role
  • Lambda env vars are encrypted at rest but are still the wrong home for credentials
  • Lambda's environment variables share a 4 KB total size cap
  • Reach for Secrets Manager when you need rotation or a value over 8 KB
  • Parameter Store SecureString gives KMS-encrypted storage with no per-secret charge
  • Advanced parameters add policies (including expiration) that Standard lacks
  • Use a String parameter or env var for non-secret config, not a per-secret store
  • Secrets Manager managed rotation needs no Lambda for its supported databases
  • Off the managed list, you supply a rotation Lambda implementing the four-step contract
  • Fetch the secret per use so the app picks up the rotated value
  • Classify data first so controls match its sensitivity
  • Scrub secrets and PII before they reach any log, metric, or trace
  • Use Amazon Macie to inventory PII in S3, and only in S3
  • Macie publishes findings to Security Hub directly, in ASFF format
  • Configuring a customer managed key on a Lambda function needs kms:CreateGrant and kms:Encrypt (plus kms:ListAliases for the console)
  • Deny kms:Decrypt on the function's CMK to hide Lambda env-var values while still allowing management
  • Lambda 'encryption helpers' add client-side encryption in transit and need kms:Decrypt at runtime
  • Use the alternating users rotation strategy for zero-downtime credential rotation
  • Cache secrets with the Secrets Manager client-side caching library, initialized outside the handler
  • A rotation Lambda in a no-internet VPC needs a Secrets Manager interface VPC endpoint
  • Reading a CMK-encrypted secret requires both secretsmanager:GetSecretValue and kms:Decrypt
  • Retrieving a SecureString parameter uses WithDecryption=true and needs kms:Decrypt on a CMK

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is AWS Secrets Manager?
  2. Working with Parameter Store
  3. AWS Secrets Manager pricing
  4. AWS Systems Manager pricing
  5. Managed rotation for AWS Secrets Manager secrets
  6. Working with Lambda environment variables
  7. What is Amazon Macie?
  8. Evaluating Macie findings with AWS Security Hub CSPM