Domain 5 of 6 · Chapter 3 of 3

Secrets & Key Material

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • Secrets Manager vs Parameter Store, and how rotation works
  • Cross-account secrets and the KMS key it rides on
  • KMS key material: AWS-generated, imported, external, and multi-Region
  • Certificates and masking sensitive data in logs

Where each kind of sensitive material belongs

CapabilitySecrets ManagerParameter Store SecureStringAWS KMS keyACM / Private CA
Primary purposeStore + rotate credentialsStore config / static secretGenerate + hold crypto keysIssue TLS certificates
Built-in rotationYes, scheduled (managed or Lambda)NoAuto-rotate symmetric AWS_KMS keys (365-day default, configurable)ACM auto-renews public certs
Cross-account sharingResource policy + KMS key policyAdvanced tier onlyKey policy / grant to other accountPrivate CA can share via RAM
EncryptionAlways KMS-encryptedKMS-encrypted (SecureString)Is the key serviceManages cert + private key
Cost shapePer secret/month + per API callFree (standard tier)Per key/month + per requestACM public free; Private CA per CA/month

Decision tree

What kind of material?secret, cert, or keycredentialTLS certencryption keyMust rotate orshare cross-account?YesNoSecrets Managerscheduled rotationParameter StoreSecureString, free tierPublic endpoint orinternal PKI?publicinternalACM public certfree, auto-renewAWS Private CAper CA per monthKey material muststay outside AWS?NoYesKMS managed keyAWS_KMS, auto-rotateExternal key storeXKS, or BYOK importAlways: encrypt with KMS, scope access by policy, and mask secrets out of logs

Cheat sheet

  • Use Secrets Manager when the value must rotate, share cross-account, or be tightly audited
  • A Parameter Store SecureString is KMS-encrypted but never rotates
  • Secrets Manager managed rotation needs no Lambda; everything else does
  • Secrets Manager rotation runs a four-step contract that flips a label atomically
  • Choose alternating-users rotation for always-on workloads, single-user for reconnect-tolerant ones
  • Cross-account secret access needs both a secret resource policy and KMS decrypt permission
  • The default aws/secretsmanager key cannot be shared across accounts
  • A KMS grant is additive only and targets exactly one key and one grantee
  • Only symmetric KMS keys with AWS-generated material can auto-rotate
  • Key rotation keeps the same key ID and decrypts old ciphertext with old material
  • AWS-managed keys rotate yearly automatically and you cannot change it
  • Imported key material cannot auto-rotate and can be set to expire
  • External key stores keep key material outside AWS behind an XKS proxy with double encryption
  • Custom key stores (XKS and CloudHSM) drop rotation, asymmetric, HMAC, imported, and multi-Region
  • Multi-Region keys share one key ID and material, so ciphertext decrypts in any Region
  • You cannot convert a single-Region key to multi-Region, and most services treat MRKs as single-Region
  • ACM public certificates are free and auto-renewed but cannot be exported
  • Use AWS Private CA when you must own the internal trust chain
  • Mask secrets in logs with CloudWatch Logs data protection and managed data identifiers
  • CloudWatch Logs data protection emits a findings metric and can ship audit findings
  • Do not build new masking on SNS message data protection; it is closed to new customers
  • AWS Private CA is Regional, so deploy a subordinate CA per Region and share each via RAM
  • Use AWS Private CA short-lived certificate mode for cheap, rapidly-rotated mTLS certs
  • Issue Private CA certs on EKS via the connector with IRSA and the EndEntity template
  • Enable OCSP on a Private CA for near-real-time, low-latency revocation
  • Constrain key rotation periods with the kms:RotationPeriodInDays condition key
  • Multi-Region keys with imported material must have the same material imported into each replica
  • A KMS import token and wrapping key are a 24-hour matched pair
  • Cross-account KMS key use needs both the key policy and an IAM policy in the caller account
  • Share encrypted EBS snapshots by sharing the CMK, then copy to re-encrypt with the target key
  • kms:GrantIsForAWSResource and service-linked roles for CMK use on a caller's behalf
  • ECS task execution role injects secrets at startup, and rotated secrets need a new deployment
  • SNS and CloudWatch Logs data protection policies cap custom data identifiers at 10
  • Use Comprehend ContainsPiiEntities as a cheap pre-filter before DetectPiiEntities
  • Firehose transform Lambdas return Ok, Dropped, or ProcessingFailed per record
  • Choose CloudHSM for sole custody, not for a bare FIPS 140-3 Level 3 requirement
  • Front CloudHSM with a KMS custom key store to keep native service integration

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is AWS Secrets Manager?
  2. AWS Systems Manager Parameter Store
  3. Managed rotation for AWS Secrets Manager secrets
  4. Rotate AWS KMS keys
  5. Importing key material for AWS KMS keys
  6. External key stores in AWS KMS
  7. Multi-Region keys in AWS KMS
  8. What is AWS Certificate Manager?
  9. Help protect sensitive log data with masking (CloudWatch Logs data protection)