Build CoreOrdered learning track

Secrets Manager and Parameter Store

Learn AWS Security, Monitoring and Management - Part 038

Secrets Manager and Systems Manager Parameter Store from a production security and operations perspective: secret lifecycle, config boundary, rotation, retrieval, KMS integration, audit, caching, incident response, and governance.

10 min read1975 words
PrevNext
Lesson 3872 lesson track14–39 Build Core
#aws#security#secrets-manager#parameter-store+3 more

Part 038 — Secrets Manager and Parameter Store

Secret management bukan sekadar “taruh password di tempat aman”.

Dalam production, secret adalah runtime authority. Siapa pun yang memegang secret sering kali bisa bertindak sebagai aplikasi, database user, third-party integration, atau service account.

Karena itu, desain secret management harus menjawab:

Apa yang dianggap secret?
Siapa boleh menulis secret?
Siapa boleh membaca secret?
Apakah secret bisa dirotasi?
Bagaimana aplikasi mengambil secret?
Apa yang terjadi ketika secret bocor?
Apakah akses secret bisa diaudit?
Apakah secret muncul di log, env var, build artifact, container image, atau Terraform state?

AWS memberi dua building block yang sering dibandingkan:

  • AWS Secrets Manager
  • AWS Systems Manager Parameter Store

Keduanya bisa menyimpan nilai sensitif. Tetapi operating model-nya berbeda.


1. Mental Model: Secret vs Configuration

Pisahkan konsepnya.

Jenis nilaiContohRisiko utamaTempat umum
Configuration biasaendpoint URL, timeout, feature toggle non-sensitifsalah konfigurasiParameter Store, AppConfig, config repo
Sensitive configurationinternal endpoint, tenant mapping, non-public identifierleakage metadata, misroutingParameter Store SecureString atau Secrets Manager
SecretDB password, API token, private key, OAuth client secretimpersonation, data breach, lateral movementSecrets Manager
Derived runtime credentialSTS credential, DB auth token, short-lived tokenreplay sementaratidak disimpan lama; diterbitkan saat runtime

Rule praktis:

Jika nilai memberi authority untuk bertindak sebagai sistem lain, perlakukan sebagai secret.
Jika nilai harus dirotasi, diaudit aksesnya, dan punya lifecycle sensitif, default ke Secrets Manager.
Jika nilai adalah konfigurasi hierarkis yang jarang sensitif dan tidak butuh rotation workflow, Parameter Store lebih natural.

Secret bukan hanya password. Secret adalah nilai yang jika bocor memberi kemampuan.


2. Secrets Manager vs Parameter Store

AspekSecrets ManagerParameter Store
Fokus utamaSecret lifecycle managementHierarchical configuration store dan lightweight secret storage
RotationBuilt-in rotation workflow, termasuk Lambda rotationTidak punya workflow rotation setara Secrets Manager; bisa dibuat manual/automation
VersioningSecret versions dengan staging label seperti AWSCURRENT, AWSPREVIOUS, AWSPENDINGParameter version dan label
Tipe dataSecret string/binaryString, StringList, SecureString
KMS integrationSecret encrypted dengan KMSSecureString encrypted dengan KMS
HierarchyBisa pakai naming conventionHierarchical path native seperti /prod/payment/db/host
Parameter policiesTidak sama modelnyaAdvanced parameters dapat memakai policies seperti expiration/no-change notification
Cost/throughputUmumnya lebih mahal, cocok untuk high-value secretsCocok untuk banyak config sederhana; tier/throughput perlu diperhatikan
Ideal useDB credential, API key, private credential, rotating secretApp config, endpoint, non-sensitive value, low-complexity SecureString

Keputusan bukan soal mana yang “lebih aman”. Keputusan harus mengikuti lifecycle.


3. Secret Management Invariants

Production system harus punya invariant berikut:

Secret tidak disimpan di source code.
Secret tidak disimpan di container image.
Secret tidak muncul di build log.
Secret tidak muncul di application log.
Secret tidak disimpan plaintext di Terraform state.
Secret tidak dibaca manusia secara rutin.
Secret runtime dibaca oleh workload identity, bukan shared human credential.
Secret punya owner, classification, rotation policy, dan incident runbook.
Secret access tercatat di CloudTrail.
Secret bisa dicabut/dirotasi tanpa redeploy besar jika memungkinkan.

Kalau invariant ini belum benar, Secrets Manager atau Parameter Store hanya menjadi “tempat baru untuk menaruh password lama”.


4. AWS Secrets Manager Building Blocks

KonsepArti
SecretContainer logical untuk nilai secret dan metadata.
Secret valueString atau binary value.
VersionVersi immutable dari nilai secret.
Staging labelLabel yang menunjuk versi tertentu, misalnya AWSCURRENT, AWSPREVIOUS, AWSPENDING.
RotationProses mengganti credential lama dengan credential baru.
Rotation LambdaFunction yang menjalankan step rotation untuk target tertentu.
Resource policyPolicy pada secret untuk mengatur akses resource-side/cross-account.
KMS keyKey yang mengenkripsi secret value.
ReplicationSecret dapat direplikasi ke region lain untuk multi-region design.

Version staging penting. Aplikasi biasanya membaca AWSCURRENT. Saat rotation berjalan, Secrets Manager dapat memakai AWSPENDING, lalu mempromosikannya menjadi AWSCURRENT setelah valid.


5. Rotation Model

Rotation bukan hanya mengganti nilai di store. Rotation harus sinkron dengan target sistem.

Untuk database password, sistem harus:

1. Membuat credential baru.
2. Menyimpan versi pending.
3. Mengubah credential di database.
4. Menguji credential baru.
5. Mempromosikan versi baru menjadi current.
6. Menjaga rollback path sementara.
7. Memastikan aplikasi memakai current value.

Generic sequence:

Rotation failure modes:

FailureDampak
Rotation Lambda tidak bisa reach target DBSecret pending dibuat tapi target tidak berubah.
Password berubah di DB tapi staging label tidak promoteAplikasi tetap membaca old credential.
App cache terlalu lamaAplikasi tetap memakai credential lama setelah rotation.
Test step lemahSecret promoted walau tidak benar-benar valid.
Rollback tidak diujiIncident credential outage lebih lama.
Multi-user rotation salahCredential lama dimatikan sebelum semua app berpindah.

Secret rotation harus diuji seperti database migration: ada backward compatibility, rollback, dan observability.


6. Parameter Store Building Blocks

Parameter Store adalah bagian dari AWS Systems Manager. Ia menyediakan storage hierarkis untuk configuration data dan lightweight secrets.

Tipe parameter:

TypeGunakan untuk
StringNilai konfigurasi biasa.
StringListList sederhana, bukan struktur kompleks besar.
SecureStringNilai sensitif yang dienkripsi KMS.

Contoh hierarchy:

/prod/payment/api/base-url
/prod/payment/api/timeout-ms
/prod/payment/db/host
/prod/payment/db/port
/prod/payment/feature/enable-risk-check
/prod/payment/integration/vendor-x/api-token

Hierarchy bukan security boundary penuh jika IAM policy terlalu luas.

IAM path-based access:

{
  "Sid": "AllowReadPaymentProdParameters",
  "Effect": "Allow",
  "Action": [
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath"
  ],
  "Resource": "arn:aws:ssm:ap-southeast-1:111122223333:parameter/prod/payment/*"
}

Risiko:

GetParametersByPath terhadap parent path bisa membaca banyak parameter.
Path salah desain bisa memberi akses terlalu luas.
SecureString tetap membutuhkan KMS permission.
Parameter name bisa membocorkan informasi sensitif meskipun value terenkripsi.

7. SecureString dan KMS

Parameter Store SecureString memakai KMS untuk enkripsi. Dari sisi operating model, pertanyaannya:

Role mana boleh membaca parameter?
Role mana boleh decrypt dengan KMS key?
Apakah decrypt dibatasi melalui SSM?
Apakah parameter path terlalu luas?
Apakah akses tercatat dan bisa dicari?

IAM policy untuk SecureString harus mencakup SSM read dan KMS decrypt.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSpecificSecureParameter",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:ap-southeast-1:111122223333:parameter/prod/payment/vendor-x/api-token"
    },
    {
      "Sid": "DecryptParameterViaSSMOnly",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:ap-southeast-1:111122223333:key/KEY_ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ssm.ap-southeast-1.amazonaws.com"
        }
      }
    }
  ]
}

Jangan memberi ssm:GetParametersByPath ke /prod untuk role aplikasi. Itu sama seperti memberi aplikasi akses membaca hampir semua konfigurasi production.


8. Naming Strategy

Nama secret/parameter harus membantu operability tanpa membocorkan informasi berlebihan.

Format baik:

/<env>/<domain>/<service>/<purpose>
/prod/payment/payment-api/database-main
/prod/payment/payment-api/vendor-x-api-token
/prod/identity/session-service/jwt-signing-key

Tag wajib:

environment: prod
domain: payment
service: payment-api
data-classification: confidential
owner: payment-platform
rotation-required: "true"
rotation-period-days: "30"
break-glass-required: "true"

Jangan masukkan nilai rahasia ke nama.

Buruk:

/prod/payment/db-password-for-customer-john@example.com
/prod/vendor/token-live-sk-abc123

Nama resource sering muncul di CloudTrail, console, metric, alert, ticket, dan screenshot.


9. Access Model: Human vs Workload vs Pipeline

Pisahkan akses berdasarkan actor.

ActorBoleh membaca secret?Boleh menulis secret?Catatan
Runtime workload roleYa, hanya secret spesifikTidakMembaca saat runtime.
CI/CD deployment roleBiasanya tidakKadang update metadata/referenceJangan jadikan pipeline sebagai secret reader kecuali perlu.
Secret provisioning roleTidak harus membacaYaBisa create/update secret dari secure channel.
Developer humanTidak by defaultTidak by defaultGunakan temporary approval jika perlu.
Security break-glassYa, terbatas dan auditedYa, untuk incidentHarus high-friction dan alert.
Rotation Lambda roleYa, secret tertentuYa, secret tertentu dan target credentialRole paling sensitif untuk secret itu.

Runtime IAM policy:

{
  "Sid": "RuntimeReadOnlySpecificSecret",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret"
  ],
  "Resource": "arn:aws:secretsmanager:ap-southeast-1:111122223333:secret:/prod/payment/payment-api/db-main-*"
}

Write operations harus lebih terbatas:

secretsmanager:PutSecretValue
secretsmanager:UpdateSecret
secretsmanager:DeleteSecret
secretsmanager:RestoreSecret
secretsmanager:RotateSecret
secretsmanager:UpdateSecretVersionStage
ssm:PutParameter
ssm:DeleteParameter
ssm:LabelParameterVersion

UpdateSecretVersionStage sangat sensitif karena bisa mengubah versi mana yang dianggap current.


10. Retrieval Pattern di Aplikasi

Beberapa cara aplikasi mendapat secret:

PatternKelebihanRisiko
Fetch at startupSederhanaRotation butuh restart atau cache refresh.
Fetch on demand with cacheLebih adaptifButuh TTL, retry, fallback design.
Sidecar/agentCentralized retrievalTambah moving part.
Inject env var saat deployMudahSecret hidup lama di env/process; rotation buruk; bisa bocor ke diagnostic.
Bake into imageTidak bolehSecret bocor permanen di artifact.

Production recommendation:

Runtime role mengambil secret dari Secrets Manager/Parameter Store menggunakan SDK.
Gunakan client-side caching dengan TTL pendek yang sesuai rotation policy.
Jangan log secret value.
Jangan expose secret dalam health endpoint, metrics label, trace attribute, atau exception message.

Pseudocode Java-ish:

class SecretProvider {
    private final SecretsManagerClient client;
    private final LoadingCache<String, String> cache;

    SecretProvider(SecretsManagerClient client) {
        this.client = client;
        this.cache = Caffeine.newBuilder()
            .expireAfterWrite(Duration.ofMinutes(5))
            .maximumSize(100)
            .build(this::loadSecret);
    }

    String get(String secretId) {
        return cache.get(secretId);
    }

    private String loadSecret(String secretId) {
        GetSecretValueResponse response = client.getSecretValue(
            GetSecretValueRequest.builder()
                .secretId(secretId)
                .versionStage("AWSCURRENT")
                .build()
        );
        return response.secretString();
    }
}

Engineering questions:

Apa TTL cache?
Apa yang terjadi jika Secrets Manager timeout?
Apakah aplikasi fail closed atau memakai cached previous value?
Berapa lama old credential masih valid setelah rotation?
Apakah database connection pool bisa refresh credential?
Apakah secret refresh menyebabkan thundering herd?

11. Rotation-Aware Application Design

Secret rotation gagal kalau aplikasi didesain seolah credential tidak pernah berubah.

Untuk DB credential:

Connection pool harus bisa reconnect.
Stale connections harus expire.
App harus handle authentication failure dengan refresh secret.
Old credential mungkin perlu overlap window.
Rotation schedule jangan bentrok dengan peak traffic tanpa confidence.

State machine runtime:

Jangan jadikan rotation sebagai cron job yang “semoga aman”. Treat rotation as production change.


12. Secret Creation and Provisioning Flow

Secret creation harus punya clear source of truth.

Secret inventory minimal:

FieldContoh
secret name/prod/payment/payment-api/db-main
ownerpayment-platform
system of recordproduction aurora cluster payment-main
classificationconfidential
rotationenabled / 30 days
runtime rolepayment-api-prod-runtime
KMS keyalias/prod/payment/secrets
break-glass policySEC-ACCESS-004
last access review2026-07-01

13. Resource Policies and Cross-Account Secrets

Secrets Manager supports resource-based policies. Use them carefully.

Use case:

Secret owned in shared security account.
Workload role in workload account reads it.
KMS key policy also allows decrypt path.

Secret resource policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificWorkloadRoleReadSecret",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:role/prod-payment-api-runtime"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}

Checklist cross-account:

[ ] Secret resource policy allows exact external role.
[ ] Caller IAM policy allows GetSecretValue on secret ARN.
[ ] KMS key policy allows decrypt for caller/service path.
[ ] Caller IAM policy allows kms:Decrypt if needed.
[ ] SCP in caller account does not block access.
[ ] Secret ARN suffix wildcard handled correctly.
[ ] CloudTrail in both accounts is available for investigation.

Avoid broad principals unless condition strategy has been formally reviewed.


14. Terraform, IaC, and Secret State Leakage

Mistake umum: menulis secret value melalui Terraform dan menyimpannya di state.

Bad pattern:

resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = var.database_password
}

Secret value bisa berakhir di Terraform state, plan output, logs, atau drift tooling.

Safer patterns:

PatternDescription
IaC creates secret metadata onlyTerraform creates secret container, KMS key, policy, tags, rotation config. Value inserted through controlled secure process.
External secret bootstrapInitial value injected from secure CI secret store with strict masking and no plan output.
Target-generated credentialRDS/rotation flow generates and rotates credential.
Dynamic credentialPrefer IAM auth/STS/token-based auth when supported.

IaC harus own structure and policy. IaC tidak boleh casual menjadi plaintext secret pipeline.


15. Monitoring and Audit

Secrets Manager API calls direkam di CloudTrail. Parameter Store operations juga auditable sebagai AWS API events.

High-signal events:

secretsmanager:GetSecretValue
secretsmanager:PutSecretValue
secretsmanager:UpdateSecret
secretsmanager:DeleteSecret
secretsmanager:RestoreSecret
secretsmanager:RotateSecret
secretsmanager:CancelRotateSecret
secretsmanager:UpdateSecretVersionStage
ssm:GetParameter
ssm:GetParameters
ssm:GetParametersByPath
ssm:PutParameter
ssm:DeleteParameter
kms:Decrypt
kms:GenerateDataKey
kms:CreateGrant

Detection ideas:

SignalMeaning
Human principal calls GetSecretValue in prodPossible break-glass, debugging smell, or exfiltration.
New principal reads high-value secretAccess expansion.
Secret value updated outside deployment windowUnauthorized change risk.
UpdateSecretVersionStage unexpectedCurrent version hijack risk.
DeleteSecret scheduledAvailability and recovery risk.
GetParametersByPath over broad prod pathPotential mass config/secret enumeration.
KMS decrypt spikePossible secret scraping or retry storm.

EventBridge example:

{
  "source": ["aws.secretsmanager"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["secretsmanager.amazonaws.com"],
    "eventName": [
      "DeleteSecret",
      "PutSecretValue",
      "UpdateSecret",
      "UpdateSecretVersionStage",
      "GetSecretValue"
    ]
  }
}

Untuk GetSecretValue, jangan page semua event. Banyak aplikasi membaca secret secara normal. Alert harus context-aware:

principal type = human OR unknown role
AND environment = prod
AND secret classification = confidential/secret
AND outside approved break-glass window

16. Config and Compliance Controls

Useful controls:

Secrets must use customer managed KMS key for confidential/regulated data.
Secrets must have rotation enabled if rotation-required=true.
Secrets must rotate within max age.
Secrets must not be scheduled for deletion without approved exception.
Secrets must have owner/environment/classification tags.
Secrets resource policy must not allow broad public/cross-account access.
Parameter Store SecureString must use approved KMS key for prod sensitive values.
No application role may read parent path /prod/* unless explicitly approved.

AWS Config managed rules can help check rotation age and scheduled rotation success for Secrets Manager. For organization-specific invariants, use custom Config rules or Security Hub custom findings.


17. Incident Response: Secret Leak

Secret leak is not solved by deleting the line from Git.

Runbook:

Key distinction:

ActionMeaning
Update secret store valueAplikasi akan membaca nilai baru.
Rotate target credentialCredential lama tidak lagi valid di target system.
Revoke tokenOld token/session benar-benar dimatikan.
Delete leaked fileMengurangi exposure, tetapi tidak mencabut authority.

Jika secret bocor, prioritasnya adalah mencabut authority, bukan membersihkan tampilan.


18. Decision Cookbook

Database password untuk production service

Use Secrets Manager.

KMS customer managed key.
Rotation enabled.
Runtime role can GetSecretValue only for specific secret.
Decrypt via Secrets Manager only.
Human read denied except break-glass.
App uses cache and handles rotation.
CloudTrail detection for human read and value update.

Feature flag non-sensitive

Use Parameter Store String or AppConfig.

No KMS needed.
Read path scoped to service/environment.
Do not put business-sensitive targeting data casually.

Third-party API token with manual rotation

Usually Secrets Manager.

Manual rotation runbook.
Owner and expiry metadata.
Alert if not rotated within policy.
Runtime read only.
No pipeline log exposure.

Internal service endpoint URL

Parameter Store String.

Hierarchical name.
Read-only runtime role.
Change audit.
No secret handling overhead unless endpoint itself is sensitive.

JWT signing private key

Secrets Manager or dedicated key management design.

Treat as high-value cryptographic material.
Strict human access.
Rotation and key-rollover plan.
Consumers support key ID / JWKS rollover if applicable.
Audit all reads.

App wants AWS credentials stored as secret

Challenge the premise.

Prefer IAM role, STS, workload identity, IRSA, Pod Identity, ECS task role, Lambda execution role, or instance profile.
Long-lived AWS access keys in Secrets Manager are still long-lived AWS access keys.

19. Anti-Patterns

Secret in environment variable forever

Environment variables are easy but sticky. They can appear in process dumps, diagnostics, task definitions, deployment manifests, and debugging output. They also make rotation harder.

One mega-secret JSON

{
  "dbPassword": "...",
  "vendorToken": "...",
  "jwtPrivateKey": "...",
  "adminPassword": "..."
}

Dampak:

Aplikasi yang butuh satu credential mendapat semua credential.
Rotation per credential sulit.
Audit tidak granular.
Blast radius membesar.

/prod/* read access

Path-based convenience sering berubah menjadi mass-read permission.

Developer bisa GetSecretValue di production by default

Ini membuat secret store menjadi shared password manager, bukan runtime secret boundary.

Rotation tanpa application readiness

Secret rotated, aplikasi down karena connection pool tidak refresh.

Secret value di Terraform state

State backend menjadi secret database tidak resmi.

Menganggap SecureString otomatis cukup

SecureString terenkripsi, tetapi jika IAM path terlalu luas dan KMS decrypt terbuka, semua tetap bisa dibaca.


20. Production Checklist

Untuk setiap secret production:

[ ] Apakah ini benar-benar secret atau config?
[ ] Apakah secret punya owner?
[ ] Apakah secret punya environment/domain/service tag?
[ ] Apakah classification jelas?
[ ] Apakah runtime role terbatas ke secret spesifik?
[ ] Apakah human access default denied?
[ ] Apakah break-glass path ada dan audited?
[ ] Apakah KMS key customer managed jika high-value?
[ ] Apakah KMS decrypt dibatasi via service jika memungkinkan?
[ ] Apakah rotation enabled jika credential bisa dirotasi?
[ ] Apakah aplikasi rotation-aware?
[ ] Apakah cache TTL selaras dengan rotation policy?
[ ] Apakah secret tidak masuk Terraform state?
[ ] Apakah secret tidak muncul di logs/traces/metrics?
[ ] Apakah CloudTrail event dipantau?
[ ] Apakah DeleteSecret/UpdateSecretVersionStage alert aktif?
[ ] Apakah ada incident runbook untuk leak?
[ ] Apakah last access review tercatat?

21. Final Mental Model

Secrets Manager dan Parameter Store bukan pengganti desain akses.

Keduanya hanya aman jika dipakai dalam sistem yang benar:

Workload identity yang tepat.
IAM scope yang sempit.
KMS boundary yang jelas.
Rotation lifecycle yang diuji.
Runtime retrieval yang sadar failure.
Audit trail yang searchable.
Incident response yang bisa mencabut authority.

Secret management matang bukan ketika password tersembunyi.

Secret management matang ketika authority bisa diberikan, dipakai, dipantau, dirotasi, dan dicabut dengan aman.


Official References

Lesson Recap

You just completed lesson 38 in build core. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.