
AWS Secrets Manager


AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.


Transcription of AWS Secrets Manager

AWS Secrets Manager: User Guide

Copyright 2019 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What Is AWS Secrets Manager?
Getting Started with Secrets Manager
Basic Secrets Manager Scenario
Features of Secrets Manager
Programmatically Retrieve Encrypted Secret Values at Runtime Instead of Storing Them
Store Just About Any Kind of Secret
Encrypt Your Secret Data
Automatically Rotate Your Secrets
Control Who Can Access Secrets
Compliance with Standards
Accessing Secrets Manager
Pricing for Secrets Manager
AWS KMS Custom Encryption Keys
AWS CloudTrail Logging Storage and Notification
Support and Feedback for AWS Secrets Manager
Getting Started
Terms and Concepts
Secret
Secured Service
Rotation
Version
Staging
Tutorials
Tutorial: Storing and Retrieving a Secret
Tutorial: Rotating a Secret for an AWS Database
Tutorial: Rotating a User Secret with a Master Secret
Best Practices
Protect Additional Sensitive Information
Improve Performance by Using the AWS provided Client-side Caching Components
Mitigate the Risks of Logging and Debugging Your Lambda Function
Mitigate the Risks of Using the AWS CLI to Store Your Secrets
Cross-Account Access Should I Specify a User/Role or the Account?
Run Everything in a VPC
Tag Your Secrets
Creating and Managing Secrets
Creating a Basic Secret
Modifying a Secret
Retrieving the Secret Value
Deleting and Restoring a Secret
Managing a Resource-based Policy for a Secret
Attaching a Resource-based Policy to a Secret
Retrieving a Resource-based Policy from a Secret
Deleting a Resource-based Policy from a Secret
Rotating Secrets
Permissions Required to Automatically Rotate Secrets
Permissions of Users Who Configure Rotation vs. Users Who Trigger Rotation
Permissions Associated with the Lambda Rotation Function
Configuring Your Network to Support Rotating Secrets
Connecting to Secrets Manager Through a VPC Endpoint
Create a Secrets Manager VPC Private Endpoint
Connecting to a Secrets Manager VPC Private Endpoint
Using a VPC Private Endpoint in a Policy Statement
Audit the Use of Your Secrets Manager VPC Endpoint
Rotating Amazon RDS Secrets
Enabling Rotation for an Amazon RDS Database Secret
Customizing the Lambda Rotation Function Provided by Secrets Manager
Rotating Other Secrets
Rotating Other Secrets
Enabling Rotation for a Secret for Another Database or Service
Understanding and Customizing Your Lambda Rotation Function
Overview of the Lambda Rotation Function
Rotating Secrets - One User, One Password
Rotating Secrets - Switch Between Existing Users
Rotating Secrets - Passwords Only
Deleting Rotation Functions
Authentication and Access Control for AWS Secrets Manager
Overview
Access Control (Authorization)
Using Identity-based Policies (IAM Policies) for Secrets Manager
AWS Managed Policy for Secrets Manager
Granting Full Secrets Manager Administrator Permissions to a User
For the Consuming Application: Granting Read Access to One Secret
Limiting Access to Specific Actions
Limiting Access to Specific Secrets
Limiting Access to Secrets That Have Specific Staging Labels or Tags
Granting a Rotation Function Permission to Access a Separate Master Secret
Using Resource-based Policies for Secrets Manager
Controlling Which Principals Can Access a Secret
Grant Read-Only Access to a Role
Determining Access to a Secret
Understanding Policy Evaluation
Examining the Secret Policy
Examining IAM Policies
Monitoring Your Secrets
Logging AWS Secrets Manager API Calls with AWS CloudTrail
Secrets Manager Information in CloudTrail
Retrieving Secrets Manager Log File Entries
Understanding Secrets Manager Log File Entries
Amazon CloudWatch Events
Monitoring Secret Versions Scheduled for Deletion
Working with Other Services
Automating Creation of Your Secrets with AWS CloudFormation
Securing Your Secrets with AWS Identity and Access Management (IAM)
Monitoring Your Secrets with AWS CloudTrail and Amazon CloudWatch
Encrypting Your Secrets with AWS KMS
Retrieving Your Secrets with the Parameter Store APIs
Automating Secret Creation in AWS CloudFormation
AWS Secrets Manager Reference
Limits of AWS Secrets Manager
Limits on
Maximum and Minimum Values
Maximum Rate
Rotation Function Templates
Templates for Databases Running on Amazon RDS
Templates for Other Services
Managed Policies
Actions, Resources, and Context Keys
Actions
Resources
Context keys
Troubleshooting AWS Secrets Manager
Troubleshooting General Issues
I get an "access denied" message when I make a request to AWS Secrets Manager
I get an "access denied" message when I make a request with temporary security credentials
Changes that I make aren't always immediately visible
Troubleshooting Rotation
I want to find the diagnostic logs for my Lambda rotation function
I can't predict when rotation will start
I get "access denied" when trying to configure rotation for my secret
My first rotation fails after I enable rotation
Rotation fails because the secret value is not formatted as expected by the rotation function
Secrets Manager says I successfully configured rotation, but the password isn't rotating
Rotation fails with an "Internal failure" error message
CloudTrail shows access-denied errors during rotation
Making HTTP Query Requests
HTTPS Required
Signing API Requests for Secrets Manager
Document History
AWS Glossary

What Is AWS Secrets Manager?

