AWS Secrets Manager

Secrets Manager is great for storing sensitive information, including encryption keys and certificates, but it doesn’t have the flexibility to perform real-time encryption or decrypt operations.

The main purpose of Secrets Manager is to securely store and manage secrets, like passwords or API keys.

Real-time encryption and decryption of data in near real-time requires more customized handling, which AWS KMS directly provides with its encryption-as-a-service capabilities.

1. AWS Systems Manager OpsCenter

OpsCenter is not designed for securely storing or rotating secrets. It is intended for incident management and operational issues.

2. Question: AWS KMS customer managed key

A company's containerized application runs on an Amazon EC2 instance. The application needs to download security certificates before it can communicate with other business applications. The company wants a highly secure solution to encrypt and decrypt the certificates in near real time. The solution also needs to store data in highly available storage after the data is encrypted. Which solution will meet these requirements with the LEAST operational overhead?

  1. Create AWS Secrets Manager secrets for encrypted certificates. Manually update the certificates as needed. Control access to the data by using fine-grained IAM access.
  2. Create an AWS Lambda function that uses the Python cryptography library to receive and perform encryption operations. Store the function in an Amazon S3 bucket.
  3. Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3. (Correct Ans)
  4. Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon Elastic Block Store (Amazon EBS) volumes.

3. Question: AWS Secrets Manager

A company has several web servers that need to frequently access a common Amazon RDS MySQL Multi-AZ DB instance. The company wants a secure method for the web servers to connect to the database while meeting a security requirement to rotate user credentials frequently. Which solution meets these requirements?

  1. Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager. (Correct Ans)
  2. Store the database user credentials in AWS Systems Manager OpsCenter. Grant the necessary IAM permissions to allow the web servers to access OpsCenter.
  3. Store the database user credentials in a secure Amazon S3 bucket. Grant the necessary IAM permissions to allow the web servers to retrieve credentials and access the database.
  4. Store the database user credentials in files encrypted with AWS Key Management Service (AWS KMS) on the web server file system. The web server should be able to decrypt the files and access the database.

Explanation: Secrets Manager is designed for securely storing and managing sensitive information such as database credentials, API keys, and other secrets. It natively supports automatic rotation of credentials for Amazon RDS databases, meeting the security requirement for frequent credential rotation.