EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securitysecrets-managementHashiCorp-VaultAWS-Secrets-Manager

Secrets Management: HashiCorp Vault, AWS Secrets Manager & SSM Parameter Store

Database passwords, API keys, TLS certificates, and service tokens are secrets that grant access to sensitive systems. This article covers the architecture, rotation lifecycle, and best practices for managing secrets in cloud environments.

Ashish Revar3 July 202622 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS Secrets Manager Documentation

Complete AWS Secrets Manager documentation including rotation, access control, and cross-account sharing.

HashiCorp Vault Documentation

Official HashiCorp Vault documentation for secrets engines, auth methods, and policies.

External Secrets Operator for Kubernetes

External Secrets Operator documentation for syncing cloud secrets into Kubernetes.

GitGuardian State of Secrets Sprawl 2024

Annual report on secrets exposure in public repositories — statistics and trends.

More articlesTest your knowledge

Why Secrets Management Is a Separate Discipline

A secret is any credential that grants access: a database password, an API key, a TLS private key, an OAuth client secret, or an SSH private key. Secrets are fundamentally different from other configuration data:

  • They must be kept confidential — their value must be known only to the systems that need them
  • They change over time — secrets must be rotated to limit the window of exposure from a leak
  • Their access must be audited — knowing which system read a secret at what time is essential for incident response
  • They must be distributed without embedding — a secret embedded in code, a container image, or a configuration file is a secret waiting to be leaked

The 2023 GitHub Secret Scanning report found 1.3 million secrets exposed in public repositories during the year. Most were AWS access keys, database credentials, and Google API tokens.

The Three Secrets Anti-Patterns

Before discussing proper secrets management, identify what to avoid:

Anti-PatternRiskExample
Hardcoded secretsLeaked in git history; visible to anyone with repo accessconst DB_PASS = "MyProd2024Pass" in source code
Environment variablesVisible in process list, CloudWatch Logs, crash dumpsDATABASE_URL=postgres://user:pass@host/db in .env
SSM Parameter Store plain textNo encryption at rest; no audit of accessStoring credentials as /app/prod/db_pass (not SecureString)

AWS Secrets Manager

AWS Secrets Manager is the recommended managed secrets store for production AWS workloads. It provides:

FeatureDetails
EncryptionAll secrets encrypted using KMS (customer-managed or AWS-managed key)
RotationBuilt-in rotation for RDS, Redshift, DocumentDB, and custom Lambda-based rotation
Access controlIAM resource-based policy on the secret; condition keys for VPC, MFA
Audit trailCloudTrail records every GetSecretValue, RotateSecret, DeleteSecret call
Cross-accountSecrets can be shared with other AWS accounts via resource policy
CostUSD 0.40/secret/month + USD 0.05 per 10,000 API calls

Automatic Rotation Workflow (RDS Example)

AWS Secrets Manager rotation for RDS works as follows:

Day 0: Secret created with current DB password
       ↓
Day 30: Rotation Lambda triggered automatically
       ↓
Lambda Step 1 (createSecret): Generate new random password in pending stage
       ↓
Lambda Step 2 (setSecret): Change RDS user password to new value
       ↓
Lambda Step 3 (testSecret): Attempt DB connection using new password
       ↓
Lambda Step 4 (finishSecret): Promote new password to current stage; demote old to previous
       ↓
Day 30+: Applications calling GetSecretValue automatically get new password

Applications using the AWS SDK for Secrets Manager automatically get the latest version — no restart required. The Secrets Manager SDK caches secrets locally (for 5 minutes by default) to reduce API call cost.

AWS SSM Parameter Store

SSM Parameter Store is the lower-cost alternative for non-rotating secrets and configuration values:

TierTypeUse Case
StandardStringPublic configuration (region names, feature flags)
StandardSecureStringLow-sensitivity secrets (KMS-encrypted with aws/ssm key)
AdvancedSecureStringHigh-sensitivity secrets with larger size limit and parameter policies

Parameter Store is integrated with many AWS services: ECS Task Definitions can pull parameters at launch; Lambda can load them at cold-start; EC2 instances can use AWS Systems Manager Agent to pull them at boot.

Cost: Standard Parameters are free for up to 10,000 parameters. SecureString Standard is free; SecureString Advanced is USD 0.05/parameter/month.

Secrets Manager vs Parameter Store — when to use which:

CriterionSecrets ManagerSSM Parameter Store (SecureString)
Automatic rotationYes (built-in Lambda rotation)No (manual or custom automation)
Cross-account sharingYes (resource policy)No
Secret sizeUp to 64KBUp to 8KB
CostUSD 0.40/secret/monthFree (Standard)
Audit trailCloudTrailCloudTrail
Best forDatabase credentials, API keys that rotateConfig values, non-rotating tokens

HashiCorp Vault: The Multi-Cloud Solution

HashiCorp Vault is an open-source secrets management platform that runs independently of any cloud provider, making it the standard choice for multi-cloud environments (AWS + Azure + GCP workloads managed centrally).

Key Vault features:

  • Dynamic secrets: Vault generates short-lived database credentials on-demand. There is no long-lived password to leak — Vault creates a unique username/password for each request and revokes it after the TTL expires.
  • Secret engines: Dedicated engines for AWS IAM, databases, PKI (certificate authority), SSH, and TOTP
  • Auth methods: IAM, Kubernetes service account, AppRole, LDAP, TLS certificates
  • Audit devices: Every API call logged to file, syslog, or socket

Dynamic AWS IAM Credentials with Vault

# Vault AWS Secrets Engine: generate a short-lived IAM access key
vault read aws/creds/my-role
# Output:
# access_key     AKIAIOSFODNN7EXAMPLE
# secret_key     wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# lease_duration 768h          ← configurable TTL
# lease_id       aws/creds/my-role/abc123
# renewable      true

The generated IAM credentials are automatically revoked by Vault when the lease expires. If the lease ID is revoked early (vault lease revoke aws/creds/my-role/abc123), the IAM access key is immediately deleted from AWS.

Secrets in Kubernetes: External Secrets Operator

For containerised workloads on Kubernetes, the External Secrets Operator (ESO) synchronises secrets from Secrets Manager, Vault, or Azure Key Vault into Kubernetes Secrets — without embedding secrets in deployment manifests.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-password
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: db-password
  data:
    - secretKey: password
      remoteRef:
        key: /prod/myapp/db_password

This creates a Kubernetes Secret named db-password that is automatically refreshed every hour from AWS Secrets Manager. Developers never see the secret value; pods mount it as an environment variable or file.