Intro

• For storing secrets only
• Mandatory encryption using KMS
• Each secret can have multiple key-value pairs
• Ability to force rotation of secrets every n days (not available in Parameter Store)
• Well integrated with SQL databases like MySQL, PostgreSQL, RDS and Aurora to store DB username and password
• Automated secret rotation using Lambda (needs IAM permission)
• Mostly used for RDS authentication
  • need to specify the username and password to access the database
  • link the secret to the database to allow for automatic rotation of database login info
• Can create custom secrets
• Secrets are retained after deletion for 7 - 30 (default) days (waiting period)

Integration with RDS & Aurora using CloudFormation

Method 1

• Setting ManageMasterUserPassword: True for RDS & Aurora creates admin secret automatically
• The secret ARN can be retrieved using the !GetAtt func

Method 2

• Create a secret in the CloudFormation template and reference it in the RDS or Aurora DB