CLF-C02 | Chapter 68 of 130 | Objective 2.3

AWS Secrets Manager

This chapter covers AWS Secrets Manager, a fully managed service for securely storing, retrieving, and rotating secrets such as database credentials, API keys, and OAuth tokens. For the CLF-C02 exam, this topic falls under Domain 2: Security and Compliance, Objective 2.3: 'Explain the benefits of using AWS Secrets Manager.' This objective typically appears in 5-10% of exam questions, often in comparison with AWS Systems Manager Parameter Store. By the end of this chapter, you will understand the core features, use cases, and exam-critical distinctions.

25 min read
Intermediate
Updated May 31, 2026

The Hotel Safety Deposit Box

Imagine you run a hotel. Each guest has valuables they want to keep safe: passports, jewelry, cash. You don't want to store them yourself, because that would require a massive safe, strict access logs, and liability if anything goes missing. Instead, you provide each guest with a safety deposit box in a secure vault. The guest sets their own combination (the secret). You, the hotel, never know the combination. The box locks automatically when closed. If a guest forgets their combination, you can reset it, but only after verifying their identity. You can also set an expiration on the box so that after checkout it locks permanently.

AWS Secrets Manager works the same way. You store secrets (database passwords, API keys) in encrypted 'boxes' (secret versions). The plaintext never appears in CloudTrail, which records who called which API but not the value that was returned. You control access with IAM policies (who can open which box). Secrets can be rotated automatically (like changing the combination on a schedule). Applications retrieve secrets through the API at runtime, so the value never has to live in code or a config file. The vault is AWS KMS: each secret version is encrypted with its own data key, and that data key is in turn protected by a KMS key you choose. The analogy breaks down in one place: for supported services (RDS, Redshift, DocumentDB and others) Secrets Manager both rotates the secret and updates the target service, like a robotic concierge that changes the combination and reissues the guest's keycard at the same time.

How It Actually Works

What is AWS Secrets Manager and What Problem Does It Solve?

AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources by enabling you to rotate, manage, and retrieve secrets throughout their lifecycle. A 'secret' can be database credentials, on-premises resource credentials, API keys, SSH keys, or any other sensitive information that you need to keep confidential.

The core problem Secrets Manager solves is the insecure practice of hardcoding secrets in application code, configuration files, or environment variables. Hardcoded secrets are vulnerable to exposure through source code repositories, logs, or debugging tools. Additionally, rotating secrets manually is error-prone and can lead to application downtime if not coordinated properly. Secrets Manager provides a centralized, auditable, and automated way to manage secrets with built-in encryption and rotation capabilities.

How It Works — Walk Through the Mechanism

Secrets Manager stores secrets as encrypted blobs. When you create a secret, you supply the plaintext value (or let Secrets Manager generate a random password). Secrets Manager uses envelope encryption with AWS Key Management Service (KMS): it requests a unique data key from KMS for each secret version, encrypts the secret with that data key, and stores the encrypted data key alongside the ciphertext. The KMS key that protects the data keys is either the AWS managed key aws/secretsmanager (the default, created in your account the first time the service needs it) or a customer managed KMS key you specify (older documentation calls these customer master keys, or CMKs). The encrypted secret is stored durably across multiple Availability Zones in the Region.

To retrieve a secret, your application calls the GetSecretValue API. The request must be signed by an IAM principal that an identity-based or resource-based policy allows to read that secret. Secrets Manager calls KMS to decrypt the data key, decrypts the secret, and returns the plaintext over a TLS-protected connection. By default the version labeled AWSCURRENT is returned; you can ask for another version by ID or staging label. The plaintext is never written to logs: CloudTrail records the GetSecretValue call and its caller, not the value.

Secrets Manager also provides ready-made rotation functions for supported AWS database services, including Amazon RDS (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server), Amazon Aurora, Amazon Redshift, and Amazon DocumentDB. For anything else (a third-party API key, an SSH key, an on-premises database) you write the Lambda rotation function yourself. Rotation creates a new version of the secret labeled AWSPENDING, updates the target resource, verifies the new credential, and then moves the AWSCURRENT label to the new version; the old version becomes AWSPREVIOUS. Whether rotation is downtime-free depends on the strategy: with the single-user strategy the database password changes at rotation time and clients must refetch the secret, while the alternating-users strategy rotates two database users in turn so the credentials a client already holds stay valid until the next rotation.

Key Tiers, Configurations, and Pricing

Secrets Manager has a simple pricing model: you pay per secret stored per month and per 10,000 API calls. As of 2025, the price is $0.40 per secret per month (prorated for secrets stored less than a month; replica secrets in other Regions are billed as separate secrets) and $0.05 per 10,000 API calls. There is no additional charge for the default aws/secretsmanager key. If you use a customer managed KMS key, you pay the usual KMS charges ($1 per key per month plus $0.03 per 10,000 requests), and because Secrets Manager calls KMS to encrypt or decrypt the data key, each GetSecretValue on such a secret also counts as a KMS request.

Secrets Manager has no tiers. Every secret has the same feature set: versioning with staging labels, rotation, resource policies, tagging, and optional replication to other Regions. A secret can be replicated to one or more additional Regions; each replica is billed as its own secret ($0.40 per month), is read-only, and receives updates (including rotations) from the primary. Do not confuse this with AWS Systems Manager Parameter Store, which does have Standard and Advanced parameter tiers; that distinction is a common distractor on the exam.

Comparison to On-Premises or Competing Approaches

In an on-premises environment, secrets might be stored in a vault like HashiCorp Vault, CyberArk, or even in plaintext configuration files. On-premises solutions require managing the infrastructure, high availability, backup, and access control manually. Secrets Manager is fully managed, meaning AWS handles the infrastructure, encryption, rotation, and scaling. It also integrates natively with other AWS services like IAM, CloudTrail (for auditing), and KMS.

Compared to AWS Systems Manager Parameter Store, Secrets Manager is built specifically for secrets: encryption with KMS is mandatory, every secret is versioned with staging labels, rotation is built in, and a secret can be replicated to other Regions. Parameter Store can also hold encrypted values (SecureString parameters, encrypted with KMS, available in both tiers), but it has no automatic rotation, its parameter versioning has no staging labels, and it has no cross-Region replication. Parameter Store is cheaper: Standard-tier parameters (up to 4 KB, 10,000 per Region) are free, and Advanced-tier parameters (up to 8 KB, with parameter policies such as expiration) cost $0.05 per parameter per month; API calls are free at standard throughput and billed per 10,000 calls at higher throughput. Parameter Store is better suited to configuration data that is not necessarily secret (AMI IDs, endpoint URLs, feature flags).

When to Use Secrets Manager vs Alternatives

Use Secrets Manager when you need:

Automatic rotation of credentials (especially for RDS databases)

Fine-grained access control with IAM policies

Centralized auditing via CloudTrail

Cross-Region replication of a secret to standby Regions (each replica is billed as an additional secret)

Integration with AWS services like RDS, Redshift, DocumentDB

Use Parameter Store when you need:

A simple, low-cost store for configuration data (including secrets if budget is a concern)

Hierarchical organization of parameters (e.g., /dev/db/password)

Integration with EC2 Run Command or Systems Manager automation

No need for automatic rotation

For the CLF-C02 exam, the key distinction is that Secrets Manager is the preferred service for storing secrets that require rotation, while Parameter Store is a general-purpose configuration store that can also store secrets but without rotation.

Walk-Through

1. Create a Secret

Navigate to the AWS Secrets Manager console and click 'Store a new secret.' Choose the secret type: credentials for an RDS database, Redshift, DocumentDB, or 'Other type of secret' (API keys and the like). If you choose RDS, select the database instance and provide the username; Secrets Manager generates a random password (32 characters by default) or you can supply your own. You can also choose the encryption key (the default aws/secretsmanager key or a customer managed KMS key). Behind the scenes, Secrets Manager asks KMS for a data key, encrypts the value with it, and stores only the ciphertext; AWS does not document the underlying storage engine, so do not assume a particular one. You can also create a secret via the AWS CLI: `aws secretsmanager create-secret --name MySecret --secret-string '{"username":"admin","password":"mypassword"}'`. Be aware that a literal `--secret-string` lands in your shell history; `--secret-string file://creds.json` reads it from a file instead, and `aws secretsmanager get-random-password` generates one without you ever typing it.

2. Configure Access Permissions

After creating a secret, you must grant IAM permissions to the users or roles that need to retrieve or manage it, either with an identity-based policy on the role or user or with a resource-based policy attached to the secret (a resource policy). The action needed for retrieval is `secretsmanager:GetSecretValue`. For example, an identity-based policy allowing an EC2 instance role to read one secret: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-*"}]}`. Note the wildcard in the resource ARN: Secrets Manager appends a hyphen and six random characters to the secret name, and a policy listing the bare name would not match. Whether the principal also needs KMS permissions depends on the key. With the default aws/secretsmanager key, the key policy already lets Secrets Manager use it on behalf of principals in the account, so no extra statement is needed. With a customer managed KMS key, the principal must be allowed `kms:Decrypt` on that key (and `kms:GenerateDataKey` to create or update secrets), through the key policy or an IAM statement whose Resource is the key ARN; a common hardening is the condition `kms:ViaService` equal to `secretsmanager.us-east-1.amazonaws.com`, so the key can only be used through Secrets Manager. The exam often tests that both Secrets Manager and KMS permissions are required; in practice that is the customer-managed-key case.

3. Retrieve the Secret in Application Code

In your application code, you call the AWS SDK to retrieve the secret. For example, in Python using boto3: `import boto3; client = boto3.client('secretsmanager'); response = client.get_secret_value(SecretId='MySecret'); secret = response['SecretString']`. The SDK obtains AWS credentials from the environment (an EC2 instance profile, an ECS task role, a Lambda execution role, or access keys as a last resort). The plaintext is returned only over TLS. It is your responsibility not to log it, write it to disk, or bake it into an image. Best practice is to fetch the secret at startup, cache it in memory, and refetch when it stops working (for example after a rotation) or on a fixed TTL; AWS publishes caching client libraries for several languages (the Python package is aws-secretsmanager-caching) that do this for you. Secrets Manager bills per API call, so caching also reduces cost. The maximum secret size is 64 KB. The call is synchronous and typically completes within milliseconds. Unless you specify a version, you get the version carrying the staging label `AWSCURRENT`.
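The fetch-once-and-cache pattern described above, with the refetch-on-rejection behaviour that a rotation requires, as an added example (not code from the page). `client` is any object exposing a boto3-style `get_secret_value(SecretId=...)`; in production that is `boto3.client("secretsmanager")`. `FakeSecretsClient`, the secret JSON and the `demo()` database are constructed so the block runs offline.

```python
"""Fetch a secret once, cache it in memory, and refresh only when needed.
Added example, not code from the page. `client` is any object with a
boto3-style get_secret_value(SecretId=...) method; in production pass
boto3.client("secretsmanager"). FakeSecretsClient and the secret JSON
below are constructed so the example runs offline."""
import json
import time


class CachedSecret:
    """Hold the AWSCURRENT value of one secret and reuse it until the TTL expires.
    Every GetSecretValue is billed and logged, so fetch at startup and refetch
    only on a timer or when the credential is rejected (e.g. after rotation)."""

    def __init__(self, client, secret_id, ttl_seconds=3600, clock=time.monotonic):
        self._client, self._secret_id, self._ttl, self._clock = client, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def get(self):
        """Return the parsed secret, calling the API only if the cache is empty or stale."""
        if self._value is None or self._clock() - self._fetched_at >= self._ttl:
            self.refresh()
        return self._value

    def refresh(self):
        """Force a GetSecretValue call and replace the cached value."""
        resp = self._client.get_secret_value(SecretId=self._secret_id)
        # SecretString carries JSON for database-style secrets; never log `resp`.
        self._value = json.loads(resp["SecretString"])
        self._fetched_at = self._clock()
        return self._value


def connect_with_retry(cache, connect):
    """Connect with cached credentials; if they are rejected, refresh once and retry.
    `connect(username, password)` is caller-supplied and raises PermissionError
    on an authentication failure, which is what a single-user rotation causes."""
    creds = cache.get()
    try:
        return connect(creds["username"], creds["password"])
    except PermissionError:
        creds = cache.refresh()
        return connect(creds["username"], creds["password"])


class FakeSecretsClient:
    """Offline stand-in for boto3's Secrets Manager client (constructed)."""

    def __init__(self, secret_string):
        self.secret_string, self.calls = secret_string, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string,
                "VersionStages": ["AWSCURRENT"]}


def demo():
    """Two reads hit the API once; a rotation then forces exactly one refresh."""
    client = FakeSecretsClient('{"username": "app", "password": "old-pw"}')
    cache = CachedSecret(client, "prod/db", ttl_seconds=3600)
    accepted = {"app": "old-pw"}            # what the (fake) database currently accepts

    def connect(user, pw):
        if accepted.get(user) != pw:
            raise PermissionError("access denied")
        return f"session:{user}"

    cache.get(), cache.get()                # second call is served from memory
    calls_before = client.calls
    accepted["app"] = "new-pw"              # rotation: database and secret both change
    client.secret_string = '{"username": "app", "password": "new-pw"}'
    session = connect_with_retry(cache, connect)
    return calls_before, client.calls, session
```

`demo()` returns `(1, 2, "session:app")`: one API call serves both warm reads, and the rotation costs exactly one more. Refreshing only on `PermissionError` (rather than on every error) matters: a network timeout should not trigger a storm of GetSecretValue calls, each of which is billed and logged.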

4. Enable Automatic Rotation

To enable automatic rotation, open the secret in the console and select 'Rotation.' Choose a schedule: an interval in days (30 is the usual default) or a cron expression, optionally with a rotation window. For an RDS database secret, Secrets Manager deploys a Lambda function from an AWS-provided template; for anything else you supply your own function. Either way the function is invoked once per step with the secret ARN, a version token, and the step name: (1) createSecret generates a new password and stores it as a new version labeled `AWSPENDING`; (2) setSecret applies it to the database, logging in with the still-valid current credentials; (3) testSecret verifies that the pending credentials work; (4) finishSecret moves the `AWSCURRENT` label to the new version, after which the old version carries `AWSPREVIOUS` and `AWSPENDING` is removed. Every step must be idempotent because Secrets Manager retries failed invocations. With the single-user strategy the database accepts only the new password once step 2 completes, so applications must refetch the secret; with the alternating-users strategy two database users take turns, and whatever credentials a client already holds remain valid until the following rotation. The rotation Lambda needs a network path and credentials to reach the database plus permission to call Secrets Manager, and Secrets Manager needs permission to invoke the function. Rotation can be turned off and on without deleting the secret. The exam may ask about the rotation process and the staging labels `AWSCURRENT`, `AWSPENDING`, and `AWSPREVIOUS`.

5. Monitor and Audit Secret Usage

Secrets Manager integrates with AWS CloudTrail, which logs every API call (CreateSecret, GetSecretValue, RotateSecret, DeleteSecret, and so on) with the caller, source IP, and secret identifier, but never the secret value. You can search these events in the CloudTrail console, deliver them to CloudWatch Logs for alerting, or query them from S3. Amazon EventBridge (formerly CloudWatch Events) can match these API calls, so you can route, for example, every DeleteSecret or every GetSecretValue by an unexpected principal to an SNS topic. AWS Config managed rules such as secretsmanager-rotation-enabled-check and secretsmanager-secret-periodic-rotation report secrets that are not rotating within a specified period. The exam may test that CloudTrail logs all Secrets Manager API calls and that you can use EventBridge to react to secret changes.
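The CloudTrail review described above, as an added detection example (not from the page). `SAMPLE_RECORDS` are constructed in the shape CloudTrail uses for Secrets Manager events (`eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters`, `errorCode`); the expected-reader map and the network range are assumptions for the demo. The same logic would run over records delivered to S3 or CloudWatch Logs.

```python
"""Review CloudTrail records for Secrets Manager access that breaks policy.
Added example, not from the page. SAMPLE_RECORDS are constructed in the shape
CloudTrail uses (eventSource, eventName, userIdentity, sourceIPAddress,
requestParameters, errorCode); the expected-reader map and network range
are assumptions for the demo."""
import ipaddress

# Assumption: which IAM roles are allowed to read which secrets (by name).
EXPECTED_READERS = {"prod/db": {"arn:aws:iam::123456789012:role/WebAppRole"}}
CORP_NETWORK = ipaddress.ip_network("10.0.0.0/8")      # assumption: VPC/corp range

SM = "secretsmanager.amazonaws.com"
SAMPLE_RECORDS = [                                     # constructed, not real log data
    {"eventSource": SM, "eventName": "GetSecretValue", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0abc",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/WebAppRole"}}},
     "requestParameters": {"secretId":
                           "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"}},
    {"eventSource": SM, "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"secretId": "prod/db"}},
    {"eventSource": SM, "eventName": "GetSecretValue", "sourceIPAddress": "10.1.2.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0def",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/WebAppRole"}}},
     "requestParameters": {"secretId": "prod/db"}, "errorCode": "AccessDeniedException"},
    {"eventSource": SM, "eventName": "DeleteSecret", "sourceIPAddress": "10.5.5.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"secretId": "prod/db", "forceDeleteWithoutRecovery": True}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.1.2.3", "userIdentity": {"type": "IAMUser",
     "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {}},
]


def secret_name(secret_id):
    """'arn:...:secret:prod/db-AbCdEf' -> 'prod/db'; a bare name is returned unchanged."""
    if ":secret:" not in secret_id:
        return secret_id
    name = secret_id.rsplit(":secret:", 1)[1]
    return name.rsplit("-", 1)[0]           # drop the hyphen plus six random characters


def principal_of(record):
    """Role ARN for assumed-role sessions (stable across sessions), else the user ARN."""
    ident = record["userIdentity"]
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn") or ident.get("arn")


def review(records):
    """Return (eventName, secret, principal, reason) for every record worth a look."""
    findings = []
    for r in records:
        if r.get("eventSource") != SM:
            continue
        event, who = r["eventName"], principal_of(r)
        params = r.get("requestParameters") or {}
        secret = secret_name(params.get("secretId", "?"))
        if r.get("errorCode"):              # denied calls: missing kms:Decrypt, or someone probing
            findings.append((event, secret, who, f"failed: {r['errorCode']}"))
        if event == "GetSecretValue":
            if who not in EXPECTED_READERS.get(secret, set()):
                findings.append((event, secret, who, "unexpected principal"))
            try:
                outside = ipaddress.ip_address(r["sourceIPAddress"]) not in CORP_NETWORK
            except ValueError:              # calls made by an AWS service carry a DNS name here
                outside = False
            if outside:
                findings.append((event, secret, who,
                                 f"source outside corp network: {r['sourceIPAddress']}"))
        elif event == "DeleteSecret" and params.get("forceDeleteWithoutRecovery"):
            findings.append((event, secret, who, "forced delete skips the recovery window"))
    return findings
```

`review(SAMPLE_RECORDS)` yields four findings: the IAM user reading `prod/db` (wrong principal, and from outside the network), the access-denied read from the web role (the symptom of a missing `kms:Decrypt` on a customer managed key, or of a probe), and the forced delete. The first, legitimate read produces nothing, and the EC2 event is ignored. Matching on the role ARN from `sessionIssuer` rather than the per-session `assumed-role` ARN is what makes the allow-list stable across instances and sessions.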

What This Looks Like on the Job

Scenario 1: E-Commerce Application Database Credentials

A mid-sized e-commerce company runs a web application on EC2 instances with an RDS MySQL database. Initially, developers hardcoded the database password in the application's configuration file, which was stored in a Git repository. After a security audit, they migrated to AWS Secrets Manager. They created a secret for the database credentials, encrypted it with a customer managed KMS key as the audit required, enabled automatic rotation every 30 days, and assigned the EC2 instances an IAM role allowed to retrieve the secret. The application was changed to call GetSecretValue at startup, cache the password in memory, and refetch it if the database rejects the cached one after a rotation. This eliminated the risk of credential exposure in source code (they also rotated the old password, since it remained in Git history). Cost: $0.40 per month for the secret, API calls at $0.05 per 10,000, and $1 per month for the KMS key. The team also reviewed CloudTrail to see who retrieves the secret. A mistake they made at first was granting `secretsmanager:GetSecretValue` but not `kms:Decrypt` on the customer managed key, so the application failed with an access denied error. The exam often tests that both Secrets Manager and KMS permissions are required.

Scenario 2: API Key Rotation for Third-Party Service

A SaaS company integrates with a third-party payment gateway that requires an API key. The key is long-lived and used to be rotated by hand every 90 days. The company now stores the key in Secrets Manager and rotates it with a custom Lambda function on a 90-day schedule. The function follows the same four steps as the database templates: it asks the gateway's API for a new key and stores it as a new version labeled AWSPENDING, tests the new key against the gateway, and then promotes it to AWSCURRENT; the previous key remains as AWSPREVIOUS. Whether AWSPREVIOUS is useful for rollback depends on the gateway: if issuing a new key revokes the old one, the old version is only a record, so the test step must pass before anything else depends on the new key. The application always reads AWSCURRENT. This automation removed a recurring manual task and the risk of an expired key causing an outage. Cost: $0.40/month for the secret plus negligible Lambda execution charges. The exam may ask about using custom Lambda functions to rotate non-database secrets.

Scenario 3: Cross-Region Disaster Recovery

A financial services company has a primary application in us-east-1 and a disaster recovery site in us-west-2. They replicate the database credentials secret from us-east-1 to us-west-2 using Secrets Manager's cross-Region replication. When a failover occurs, the application in us-west-2 reads the replica from its local endpoint, so credentials are available without cross-Region latency or a dependency on the primary Region. The replica is read-only: updates, including rotations, happen on the primary secret and are propagated automatically, and the replica can be promoted to a standalone secret if the primary Region is lost. Each replica is billed as a separate secret. The exam may test that replicated secrets are read-only in the target Region and that rotation is configured on the primary.

How CLF-C02 Actually Tests This

What CLF-C02 Tests on This Objective

The CLF-C02 exam objective 2.3 focuses on explaining the benefits of AWS Secrets Manager. You should be able to:

Describe the purpose of Secrets Manager (secure storage, retrieval, and rotation of secrets)

Identify use cases (database credentials, API keys, SSH keys)

Understand the integration with KMS for encryption

Recognize the automatic rotation feature for supported services (RDS, Redshift, DocumentDB)

Compare Secrets Manager with AWS Systems Manager Parameter Store

Know that CloudTrail logs all API calls for auditing

Understand that IAM permissions are required for Secrets Manager and, when a customer managed KMS key is used, for KMS as well

Common Wrong Answers and Why Candidates Choose Them

1. 'Secrets Manager is free' – Many candidates think it's free because other AWS security services like IAM are free. However, Secrets Manager charges $0.40 per secret per month plus API call costs.

2. 'Parameter Store is better for secrets because it's cheaper' – While Parameter Store is cheaper, it does not support automatic rotation. The exam expects you to know that Secrets Manager is the appropriate choice when rotation is needed.

3. 'Secrets Manager automatically encrypts secrets using the default KMS key without any configuration' – This is true as far as it goes, but the exam tests that you can also choose a customer managed KMS key, and that with such a key the reading principal also needs kms:Decrypt.

4. 'Secrets Manager can rotate any secret without a Lambda function' – Only supported AWS services (RDS, Aurora, Redshift, DocumentDB) have AWS-provided rotation functions. For other secrets, you must provide a custom Lambda function.

Specific Terms That Appear on the Exam

Staging labels: AWSCURRENT, AWSPENDING, AWSPREVIOUS

Rotation interval: default 30 days, configurable

Secret size limit: 64 KB

Pricing: $0.40 per secret/month, $0.05 per 10,000 API calls

CloudTrail: logs all Secrets Manager API actions

KMS: used for encryption at rest

Tricky Distinctions

The exam often presents a scenario where an application needs to store a database password and rotate it every 90 days. The wrong answer might be Parameter Store (because it's cheaper). The correct answer is Secrets Manager because it supports automatic rotation. Another tricky question: 'Which service should you use to store a configuration parameter like an AMI ID?' – Parameter Store, not Secrets Manager, because it's not a secret.

Decision Rule for Multiple-Choice Questions

If the question mentions 'rotation' or 'automatic rotation,' the answer is almost certainly Secrets Manager. If the question mentions 'configuration data' or 'hierarchical store,' think Parameter Store. If the question mentions 'encryption at rest' or 'auditing,' both services qualify (Parameter Store needs the SecureString type, Secrets Manager always encrypts, and CloudTrail logs both), so look for the deciding keyword elsewhere in the question. Keywords like 'rotate,' 'secret,' 'credential,' 'password,' and 'API key' point to Secrets Manager; 'AMI ID,' 'endpoint,' 'free,' and 'hierarchy' point to Parameter Store.

Key Takeaways

AWS Secrets Manager is a fully managed service for storing, retrieving, and rotating secrets such as database credentials and API keys.

Secrets are encrypted at rest using AWS KMS (default or customer-managed CMK).

Automatic rotation is supported out of the box for Amazon RDS, Aurora, Redshift, and DocumentDB, and can be extended to any other secret with a custom Lambda function.

You need secretsmanager:GetSecretValue to retrieve a secret, plus kms:Decrypt on the key if the secret is encrypted with a customer managed KMS key.

Pricing: $0.40 per secret per month + $0.05 per 10,000 API calls.

Maximum secret size is 64 KB.

CloudTrail logs all Secrets Manager API calls for auditing.

For the exam, choose Secrets Manager when rotation is required; choose Parameter Store for configuration data.

Secrets Manager uses staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS) to manage secret versions during rotation.

Cross-Region replication is available for any secret; each replica is read-only and billed as an additional secret.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Secrets Manager

Designed specifically for secrets (passwords, API keys)

Supports automatic rotation for RDS, Redshift, DocumentDB, and custom Lambda

Encryption at rest by default using KMS

Pricing: $0.40/secret/month + API call costs

Maximum secret size: 64 KB

AWS Systems Manager Parameter Store

General-purpose configuration store (can also store secrets as SecureString)

No built-in automatic rotation (requires custom automation)

Encryption optional: String and StringList parameters are stored in plaintext; SecureString parameters are encrypted with KMS, in both tiers

Pricing: Standard tier free; Advanced tier $0.05/parameter/month, plus API costs above standard throughput

Maximum parameter size: 4 KB (Standard), 8 KB (Advanced)

Watch Out for These

Mistake

Secrets Manager is free because it's a security service.

Correct

Secrets Manager is not free. It costs $0.40 per secret per month plus $0.05 per 10,000 API calls. Only the default KMS key has no additional cost.

Mistake

Parameter Store can rotate secrets automatically.

Correct

Parameter Store does not have built-in automatic rotation. You would need to write custom automation using Lambda or Systems Manager. Secrets Manager provides built-in rotation for RDS and other services.

Mistake

You only need IAM permissions to access Secrets Manager, not KMS.

Correct

To retrieve a secret you need `secretsmanager:GetSecretValue` on the secret and, when the secret is encrypted with a customer managed KMS key, `kms:Decrypt` on that key as well. Without the KMS permission, Secrets Manager cannot decrypt the data key and the call fails with an access denied error. The default aws/secretsmanager key already allows this use through its key policy.

Mistake

Secrets Manager stores secrets in plaintext in the console for convenience.

Correct

Secrets Manager only displays the secret value in the console if you explicitly click 'Retrieve secret value.' It is never shown by default, and the value is always encrypted at rest.

Mistake

You can store secrets larger than 64 KB in Secrets Manager.

Correct

The maximum secret size is 64 KB. For larger data, you should store it in S3 and store the S3 object URL in Secrets Manager.

Frequently Asked Questions

What is the difference between AWS Secrets Manager and AWS Systems Manager Parameter Store?

Secrets Manager is designed specifically for secrets like passwords and API keys, with built-in automatic rotation and encryption at rest by default. Parameter Store is a general-purpose configuration store that can also store secrets as SecureString parameters, but it does not have automatic rotation. Secrets Manager costs $0.40/secret/month, while Parameter Store’s Standard tier is free. For the exam, if the scenario requires automatic rotation, choose Secrets Manager; otherwise, Parameter Store may suffice.

Does Secrets Manager automatically rotate secrets?

Yes, for supported AWS services: Amazon RDS (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server), Amazon Aurora, Amazon Redshift, and Amazon DocumentDB. For other secrets, you can create a custom AWS Lambda function to handle rotation. The rotation process creates a new version of the secret labeled AWSPENDING, tests it, and then promotes it to AWSCURRENT.

How much does AWS Secrets Manager cost?

As of 2025, Secrets Manager charges $0.40 per secret per month (prorated for partial months; replicas in other Regions count as additional secrets) and $0.05 per 10,000 API calls. If you use a customer managed KMS key, there are additional KMS charges ($1 per key per month + $0.03 per 10,000 requests). There is no charge for the default aws/secretsmanager key.

What IAM permissions are needed to retrieve a secret from Secrets Manager?

You need secretsmanager:GetSecretValue on the secret and, if the secret is encrypted with a customer managed KMS key, kms:Decrypt on that key (the default aws/secretsmanager key needs no extra statement). Each action is scoped to its own resource type, so a statement that lists kms:Decrypt with only the secret ARN as Resource grants nothing useful. For example: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"arn:aws:secretsmanager:region:account:secret:secret-name-*"},{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:region:account:key/key-id"}]}`.

Can I store secrets larger than 64 KB in Secrets Manager?

No, the maximum secret size is 64 KB. For larger data, store the data in Amazon S3 and store the S3 object URL (or a reference) in Secrets Manager. Alternatively, you can store a pointer to another service like DynamoDB.

How does Secrets Manager handle secret rotation for RDS databases?

Secrets Manager deploys an AWS-provided Lambda function that changes the password on the RDS instance and records the new value as a new version of the secret. The steps: (1) createSecret stores a new password as a version labeled AWSPENDING, (2) setSecret applies it to the database using the current credentials, (3) testSecret confirms the new credentials work, (4) finishSecret moves AWSCURRENT to the new version and the old one becomes AWSPREVIOUS. With the single-user strategy the old password stops working at step 2, so applications should refetch the secret when a connection is rejected; the alternating-users strategy keeps the credentials a client already holds valid until the next rotation.

Is Secrets Manager integrated with AWS CloudTrail?

Yes, all Secrets Manager API calls are logged in AWS CloudTrail. This includes actions like CreateSecret, GetSecretValue, RotateSecret, DeleteSecret, etc. You can use CloudTrail logs for auditing and monitoring secret access.
