Secrets & Key Material
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- Secrets Manager vs Parameter Store, and how rotation works
- Cross-account secrets and the KMS key it rides on
- KMS key material: AWS-generated, imported, external, and multi-Region
- Certificates and masking sensitive data in logs
Where each kind of sensitive material belongs
| Capability | Secrets Manager | Parameter Store SecureString | AWS KMS key | ACM / Private CA |
|---|---|---|---|---|
| Primary purpose | Store + rotate credentials | Store config / static secret | Generate + hold crypto keys | Issue TLS certificates |
| Built-in rotation | Yes, scheduled (managed or Lambda) | No | Auto-rotate symmetric AWS_KMS keys (365-day default, configurable) | ACM auto-renews public certs |
| Cross-account sharing | Resource policy + KMS key policy | Advanced tier only | Key policy / grant to other account | Private CA can share via RAM |
| Encryption | Always KMS-encrypted | KMS-encrypted (SecureString) | Is the key service | Manages cert + private key |
| Cost shape | Per secret/month + per API call | Free (standard tier) | Per key/month + per request | ACM public free; Private CA per CA/month |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- What is AWS Secrets Manager?
- AWS Systems Manager Parameter Store
- Managed rotation for AWS Secrets Manager secrets
- Rotate AWS KMS keys
- Importing key material for AWS KMS keys
- External key stores in AWS KMS
- Multi-Region keys in AWS KMS
- What is AWS Certificate Manager?
- Help protect sensitive log data with masking (CloudWatch Logs data protection)