Episode 32: Password Policies & Secrets Manager

In AWS, protecting access starts with two basic principles: strong password policies and safe secret storage. A password policy defines how strong user credentials must be, while secret management ensures that sensitive information like database passwords and API keys is stored securely. Both elements are critical because weak sign-in practices or poorly managed secrets are common causes of breaches. For the AWS Certified Cloud Practitioner exam, you’ll need to recognize the value of password policies, the role of AWS Secrets Manager, and how these tools help enforce security across the cloud environment.
IAM account password policies define the rules for user passwords in an AWS account. Administrators can require a minimum length, typically twelve or more characters, and mandate complexity such as upper- and lowercase letters, numbers, and special characters. They can also specify expiration periods to enforce periodic rotation. For example, a company might require twelve-character passwords with three character types, rotated every ninety days. On the exam, remember that password policies enforce complexity and length to improve sign-in security.
Rotation is an important part of any organization's security posture. Passwords and secrets that never change increase risk because if they are stolen, they can be abused indefinitely. AWS allows rotation requirements as part of password policies, but organizations often set their own risk-based cadence. High-risk accounts may rotate more frequently than low-risk ones. For the exam, remember that rotation reduces long-term exposure and should be part of both password and secret management.
Preventing password reuse is another key element. AWS policies can require that new passwords differ from previous ones, preventing users from cycling back to old, familiar credentials. Additionally, MFA can be enforced for sensitive tasks like changing root settings or accessing critical resources. Together, these controls make it harder for attackers to exploit stolen passwords. On the exam, remember that password policies can enforce uniqueness, and MFA should be layered on top for critical actions.
Password policies can differ between administrators and end users. Administrative accounts should follow stricter standards, including mandatory MFA, stronger rotation cycles, and longer passwords. End users may have slightly less stringent policies but should still follow strong practices. For the exam, know that admins face tougher requirements because their accounts carry higher risk.
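As an added illustration (not from the episode), here is what an account password policy of the kind just described actually enforces, written as a small Python checker that uses the field names IAM reports for an account password policy; the policy values, the symbol set and the password history are constructed for the example.

```python
import hashlib
import re

# Constructed example policy using the field names IAM reports for an account
# password policy: twelve characters, three character classes, ninety-day
# rotation, and no reuse of the last five passwords.
POLICY = {
    "MinimumPasswordLength": 12,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 5,
}

# Character class checked for each policy flag. The symbol set is the one IAM's
# documentation lists for account password policies (assumption; adjust if needed).
CLASS_PATTERNS = {
    "RequireUppercaseCharacters": r"[A-Z]",
    "RequireLowercaseCharacters": r"[a-z]",
    "RequireNumbers": r"[0-9]",
    "RequireSymbols": r"[!@#$%^&*()_+\-=\[\]{}|']",
}

def fingerprint(password: str) -> str:
    """Hash used to remember old passwords without keeping them in clear text.
    A production store would use a salted, slow hash; SHA-256 keeps the demo short."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(candidate: str, history: list[str], policy: dict = POLICY) -> list[str]:
    """Return the policy rules the candidate violates; an empty list means accepted.
    history holds fingerprints of earlier passwords, oldest first."""
    failures = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        failures.append("MinimumPasswordLength")
    for rule, pattern in CLASS_PATTERNS.items():
        if policy.get(rule) and not re.search(pattern, candidate):
            failures.append(rule)
    keep = policy.get("PasswordReusePrevention", 0)
    if keep and fingerprint(candidate) in history[-keep:]:
        failures.append("PasswordReusePrevention")
    return failures

def needs_rotation(days_since_change: int, policy: dict = POLICY) -> bool:
    """True once the password is at least MaxPasswordAge days old (0 = never expires)."""
    max_age = policy.get("MaxPasswordAge", 0)
    return bool(max_age) and days_since_change >= max_age
```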
Secrets in AWS go beyond passwords. They include database credentials, API keys, OAuth tokens, and third-party integration keys. If exposed, these secrets can be exploited for unauthorized access to systems or services. For example, an API key hardcoded in code could allow an attacker to access sensitive resources. On the exam, remember that secrets are any sensitive credentials that need secure handling.
AWS Secrets Manager is a service that centralizes secret storage and provides secure retrieval. Instead of embedding secrets in applications, administrators store them in Secrets Manager and grant IAM-controlled access. Applications then call the service to retrieve secrets at runtime. This ensures secrets are encrypted, audited, and rotated automatically. For the exam, know that Secrets Manager is AWS’s primary tool for storing and managing sensitive credentials.
Secrets Manager is often compared with AWS Systems Manager Parameter Store. Parameter Store also provides secure storage, but it’s designed for configuration values as well as secrets. Secrets Manager is more advanced for secret-specific use cases, offering features like automatic rotation. For the exam, remember the high-level distinction: use Secrets Manager for complex secret management and Parameter Store for general configuration values.
Automatic rotation is one of the strongest features of Secrets Manager. It integrates with AWS Lambda to rotate secrets like database passwords automatically. When rotation occurs, the old secret is replaced securely, and the new one is distributed without downtime. For example, Secrets Manager can rotate an RDS database password on a set schedule, ensuring credentials never stay static for long. For the exam, remember that automatic rotation reduces human error and improves secret hygiene.
Secrets stored in Secrets Manager are encrypted with AWS Key Management Service (KMS). Customers can use AWS-managed keys or their own customer-managed keys. This ensures that even if a secret is stolen from storage, it cannot be read without the encryption key. For the exam, know that Secrets Manager always encrypts secrets with KMS, adding strong cryptographic protection.
Access to retrieve secrets should always follow least privilege. IAM policies can grant access only to the applications or users that require them. For example, a Lambda function handling orders may be allowed to read database credentials from Secrets Manager, but it should not be able to modify or delete them. For the exam, remember that secrets must be retrieved with narrowly scoped IAM permissions.
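To make the least-privilege point concrete, here is an added example (not from the episode or from AWS) of a read-only policy for the order-processing Lambda, plus a first-pass Python check that flags write actions and unscoped resources in such a policy. The account ID, region and secret names are constructed placeholders, and the evaluator deliberately ignores Deny statements and Conditions.

```python
import fnmatch
import json

# Constructed IAM policy for an order-processing Lambda: read one family of
# secrets, nothing else. The account ID and secret names are placeholders.
ORDER_SERVICE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-*"}]}
""")

# Secrets Manager actions that change, remove, or re-share a secret; a
# read-only consumer should hold none of them.
WRITE_ACTIONS = {"secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret",
                 "secretsmanager:DeleteSecret", "secretsmanager:RotateSecret",
                 "secretsmanager:RestoreSecret", "secretsmanager:PutResourcePolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: any Allow statement whose Action and Resource
    patterns both match grants access. Deny statements and Conditions are
    ignored, so this is a first-pass check, not a full IAM simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))):
            return True
    return False

def audit_reader_policy(policy: dict) -> list[str]:
    """Findings for a policy meant to grant read-only secret access: write
    actions (including via wildcards) and unscoped resources."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            hits = sorted(a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a, pattern))
            if hits:
                findings.append(f"write access via {pattern}: {', '.join(hits)}")
        for res in _as_list(stmt["Resource"]):
            if res == "*" or res.endswith(":secret:*"):
                findings.append(f"overly broad resource {res}")
    return findings
```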
Auditing secret access is another critical piece. Secrets Manager integrates with CloudTrail to log who retrieved, rotated, or modified secrets. These logs are invaluable for compliance and incident response. If a secret is accessed unexpectedly, logs provide a trail to investigate. On the exam, remember that CloudTrail records secret access for auditing.
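As an added example (not from the episode), the following Python runs the audit described above over a few constructed CloudTrail records: it flags GetSecretValue calls by principals outside an allowlist and lists every change or deletion. Role names, user names and the account ID are assumptions, and the records are trimmed to the fields the code reads.

```python
import json

# Constructed CloudTrail records, trimmed to the fields used below: two reads by
# the order service's role, one read by an IAM user who should not need the
# secret, and one deletion by the secrets-admin role.
RAW_EVENTS = """
{"eventTime": "2024-05-01T10:00:01Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/orders-lambda-role/orders"}, "requestParameters": {"secretId": "orders/db"}}
{"eventTime": "2024-05-01T10:05:12Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/orders-lambda-role/orders"}, "requestParameters": {"secretId": "orders/db"}}
{"eventTime": "2024-05-01T23:41:09Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-jane"}, "requestParameters": {"secretId": "orders/db"}}
{"eventTime": "2024-05-02T08:15:33Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/secrets-admin-role/alice"}, "requestParameters": {"secretId": "orders/db-old"}}
"""
EVENTS = [json.loads(line) for line in RAW_EVENTS.strip().splitlines()]

# Principals expected to read each secret (assumed role names).
EXPECTED_READERS = {"orders/db": {"orders-lambda-role"}}

# Secrets Manager events that change a secret rather than read it.
CHANGE_EVENTS = {"PutSecretValue", "UpdateSecret", "DeleteSecret", "RotateSecret"}

def principal_name(arn: str) -> str:
    """Reduce an identity ARN to a short name: the role for assumed-role
    sessions, the user name for IAM users, otherwise the ARN itself."""
    parts = arn.split(":", 5)[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) >= 2:
        return parts[1]
    if parts[0] == "user" and len(parts) == 2:
        return parts[1]
    return arn

def secretsmanager_events(events, names):
    return [e for e in events
            if e.get("eventSource") == "secretsmanager.amazonaws.com"
            and e.get("eventName") in names]

def unexpected_reads(events, expected=EXPECTED_READERS):
    """(secretId, principal, eventTime) for every GetSecretValue made by a
    principal outside the allowlist for that secret."""
    alerts = []
    for e in secretsmanager_events(events, {"GetSecretValue"}):
        secret = e["requestParameters"]["secretId"]
        who = principal_name(e["userIdentity"]["arn"])
        if who not in expected.get(secret, set()):
            alerts.append((secret, who, e["eventTime"]))
    return alerts

def secret_changes(events):
    """(eventName, secretId, principal) for each modification or deletion, so
    rotations and removals can be reconciled against change records."""
    return [(e["eventName"], e["requestParameters"]["secretId"],
             principal_name(e["userIdentity"]["arn"]))
            for e in secretsmanager_events(events, CHANGE_EVENTS)]
```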
Tags and lifecycle management support hygiene in Secrets Manager. Administrators can tag secrets by project, department, or environment, making it easier to manage at scale. Lifecycle policies can also retire or delete old secrets when they are no longer needed. This prevents clutter and reduces the chance of forgotten, stale secrets. For the exam, know that tagging and lifecycle practices improve organization and accountability.
Finally, embedding secrets directly into code, Amazon Machine Images, or repositories is a common mistake. If a secret is hardcoded, it’s likely to leak through version control systems or shared builds. AWS strongly recommends replacing embedded secrets with calls to Secrets Manager or Parameter Store. For the exam, remember that hardcoding secrets is always the wrong answer—secure storage services should be used instead.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Rotating database credentials is one of the most common use cases for AWS Secrets Manager. Databases often rely on usernames and passwords for authentication, and if those passwords remain static, they become high-value targets. With Secrets Manager, rotation can be automated using Lambda. The old password is replaced with a new one, the database is updated, and the application can continue operating seamlessly. This process ensures credentials are never permanent and reduces the chance of compromise. On the exam, remember that Secrets Manager + Lambda enables automatic database credential rotation.
Third-party API keys are another type of secret that benefit from rotation. Many organizations rely on external services for payments, analytics, or messaging. These keys often grant significant access, and if they are exposed, attackers could exploit external services or drain account quotas. With Secrets Manager, these keys can be stored securely, rotated, and provided dynamically to applications when needed. For exam preparation, know that Secrets Manager is not only for AWS services but also for managing third-party credentials.
Cross-account secret access is possible when applications in one AWS account need to use secrets stored in another. For example, a central security account might manage all secrets, while workloads in separate accounts retrieve them securely. This is achieved by granting cross-account IAM roles and attaching resource-based policies to the secrets. On the exam, remember that cross-account sharing centralizes secret management while still maintaining tight access control.
Private access to Secrets Manager can be enforced through VPC endpoints. This means that applications inside private subnets can retrieve secrets without traversing the public internet. For sensitive workloads, this reduces exposure and adds an additional layer of control. On the exam, remember that using VPC endpoints keeps secret retrieval private and secure within AWS networking.
Dual-control and key separation strengthen governance for secrets. For example, Secrets Manager encrypts secrets with KMS, and administrators can configure policies so that one team manages the encryption keys while another manages the secrets themselves. This separation ensures no single group has unchecked control. For the exam, know that KMS and Secrets Manager can be combined for dual-control models.
Break-glass secrets are reserved for emergencies. These are highly privileged credentials that are tightly controlled and require extra approvals before use. They might be stored in Secrets Manager but only retrieved under strict incident response conditions. For example, if automated systems fail, a break-glass secret may be needed to restore access. On the exam, remember that break-glass access is rare, controlled, and always audited.
CI/CD pipelines often pull secrets at deploy time. For example, when deploying an application to ECS or Lambda, the pipeline retrieves database credentials or API keys from Secrets Manager. This eliminates the need to hardcode secrets in code or configuration files. On the exam, remember that modern DevOps practices integrate Secrets Manager directly into automation pipelines.
CloudFormation and dynamic references provide another integration point. Instead of embedding passwords in CloudFormation templates, administrators can reference secrets dynamically at deployment. The template retrieves the value at runtime without exposing it in plain text. For the exam, know that CloudFormation dynamic references prevent secrets from appearing in infrastructure-as-code.
Containers and serverless functions also rely on secret injection. ECS tasks, EKS workloads, and Lambda functions can pull secrets from Secrets Manager at runtime. This means images and functions remain clean of sensitive data, and secrets are delivered only when needed. On the exam, remember that Secrets Manager integrates directly with containerized and serverless workloads.
Onboarding and deprovisioning workflows should also tie into secret management. When a new service or employee is onboarded, the necessary secrets should be provisioned automatically with access controls. When someone leaves or a system is decommissioned, their secrets must be revoked or rotated immediately. For the exam, know that secret management must align with lifecycle events for both users and systems.
Cost awareness is part of managing Secrets Manager. AWS charges per secret per month, and also per API call to retrieve a secret. While costs are modest at small scale, large organizations with thousands of secrets must monitor usage. Some workloads may benefit from caching secrets to reduce retrieval calls. For the exam, remember that Secrets Manager has a per-secret, per-call cost structure.
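The caching mentioned here, and the rotation behaviour described earlier, can be shown together. The Python below is an added example, not from the episode: a time-to-live cache that avoids calling GetSecretValue on every request, plus a retry that refetches once when a rotated credential is rejected. The fetch function is injected (in production it would wrap the Secrets Manager client), and the CredentialRejected exception stands in for whatever auth error the downstream system raises.

```python
import time
from typing import Callable


class CredentialRejected(Exception):
    """Raised by caller code when the downstream system refuses a credential.
    Constructed for this example; in practice the database driver's auth error."""


class SecretCache:
    """Keeps secret values for ttl seconds so a hot path does not issue a
    GetSecretValue call per request (each call is billed). fetch(secret_id)
    is injected so the cache can run without AWS; clock is injectable for tests."""

    def __init__(self, fetch: Callable[[str], str], ttl: float = 300.0, clock=time.monotonic):
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._entries: dict[str, tuple[str, float]] = {}

    def get(self, secret_id: str, refresh: bool = False) -> str:
        """Return the cached value unless it is missing, expired, or refresh is forced."""
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit and not refresh and now - hit[1] < self._ttl:
            return hit[0]
        value = self._fetch(secret_id)
        self._entries[secret_id] = (value, now)
        return value


def use_secret(cache: SecretCache, secret_id: str, action: Callable[[str], object]):
    """Run action(secret). If the credential is rejected, assume it was rotated
    since it was cached: refetch once and retry. A second rejection propagates,
    because then the problem is not a stale cache."""
    try:
        return action(cache.get(secret_id))
    except CredentialRejected:
        return action(cache.get(secret_id, refresh=True))
```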
From an exam perspective, the key takeaway is to pair IAM policies with secret management tools. Password policies enforce strong sign-in credentials, while Secrets Manager enforces secure handling of database and application credentials. Together, they reduce the risk of compromise. On the exam, expect questions contrasting poor practices, like hardcoding secrets, with good practices, like storing them in Secrets Manager.
An operational playbook for secret hygiene should include enforcing password policies, rotating secrets regularly, auditing secret access with CloudTrail, and removing unused secrets. It should also include steps for emergency access, cost monitoring, and integrating secrets into DevOps pipelines. This playbook ensures organizations don’t just set up secrets once but manage them continuously. On the exam, know that operational discipline is as important as technical tools.
As we close this episode, remember the two key principles: enforce strong passwords and centralize secret management. Password policies prevent weak user credentials, while Secrets Manager ensures sensitive data like database logins and API keys are stored, encrypted, rotated, and audited properly. For the exam, focus on recognizing that AWS provides both policy-level and tooling-level solutions. In practice, combining the two creates resilient defenses that protect organizations against one of the most common causes of breaches—compromised credentials.