AWS Security Guide for Beginners: KMS vs. Secrets Manager - When to Use What?

kozylife 2025. 7. 22. 20:11

When developing applications, you inevitably encounter sensitive information like database passwords, external API keys, and certificates. Have you ever wondered how to manage this sensitive data properly?

"Well, let me just hardcode it in the source code..."
"I'll just write it in a configuration file..."
"Setting it as an environment variable should be safe enough, right?"

Wait! This is like writing your password on a sticky note and putting it on your monitor. Anyone can see it!

Fortunately, AWS provides two specialists to solve this problem:

  • AWS Secrets Manager: Your Digital Vault
  • AWS KMS (Key Management Service): The Master Key Manager

Key Analogy: Think of Secrets Manager as a 'digital vault' that stores your secret information, and KMS as a service that manages the 'master keys' that lock everything, including that vault.

In this guide, we'll clearly explain how these two services differ and which service fits your specific situation.

Secrets Manager: Your Application's 'Digital Vault'

Core Function

Secrets Manager is a service that stores and manages the secret information itself. It safely stores things like database passwords, API keys, and OAuth tokens.

Key Features

1. Storage and Retrieval

You can safely retrieve secret information from your code whenever needed using methods like getSecretValue('myDBPassword').

# Old way (dangerous!): the password sits in source control and in every copy of the code
DATABASE_PASSWORD = "my_super_secret_password123"

# Using Secrets Manager (safe!): the value is fetched at runtime and never written into the code
import boto3
client = boto3.client('secretsmanager')
secret = client.get_secret_value(SecretId='prod/database/password')
DATABASE_PASSWORD = secret['SecretString']  # plain-string secret; a JSON secret needs json.loads()

2. Automatic Rotation

This is the really cool feature!

Just like how banks change your security card every 30 days, Secrets Manager automatically and safely rotates database passwords. Developers don't need to worry about anything!
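The two features above have a practical consequence for application code: a secret is usually a JSON object rather than a bare string, and if you cache it to save API calls, a rotation will leave the cached password stale. The following is an added example, not code from the original post or from AWS: it parses a get_secret_value response and caches it with a short TTL so that a rotated value is picked up without a restart. The FakeSecretsManager class, the secret names and all values are constructed so the code runs offline; the real boto3 client exposes the same get_secret_value(SecretId=...) call shape and can be passed in its place.

```python
# Added example (not from the original post or AWS): fetch, parse and cache a
# secret so that automatic rotation is picked up. FakeSecretsManager stands in
# for boto3.client('secretsmanager'); names and values are constructed.
import json
import time
from typing import Any, Callable, Dict


def parse_secret_response(response: Dict[str, Any]) -> Any:
    """Turn a get_secret_value response into a usable value.

    Secrets Manager returns either SecretString (often a JSON object with
    username/password/host keys, sometimes a bare string such as an API key)
    or SecretBinary (bytes; boto3 has already base64-decoded it).
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            return json.loads(text)
        except json.JSONDecodeError:
            return text                    # plain-string secret
    if "SecretBinary" in response:
        return response["SecretBinary"]
    raise ValueError("response carries neither SecretString nor SecretBinary")


class SecretCache:
    """Cache values per SecretId for ttl_seconds.

    Caching cuts cost (Secrets Manager bills per API call), but a cached
    password goes stale when rotation runs, so keep the TTL short and call
    invalidate() after an authentication failure to force a refetch.
    """

    def __init__(self, client: Any, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock                # injectable for testing
        self._entries: Dict[str, tuple] = {}   # secret_id -> (expires_at, value)

    def get(self, secret_id: str) -> Any:
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and entry[0] > now:
            return entry[1]                # cache hit
        response = self._client.get_secret_value(SecretId=secret_id)
        value = parse_secret_response(response)
        self._entries[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        self._entries.pop(secret_id, None)


class FakeSecretsManager:
    """Offline stand-in for the boto3 secretsmanager client (constructed data)."""

    def __init__(self) -> None:
        self.calls = 0
        self._store = {
            "prod/database/credentials": json.dumps(
                {"username": "app", "password": "initial-pw-0001",
                 "host": "db.internal", "port": 5432}),
            "prod/payments/api-key": "sk_constructed_example_key",
        }

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return {"Name": SecretId, "SecretString": self._store[SecretId]}

    def rotate(self, SecretId: str, new_password: str) -> None:
        """Simulate what a rotation run does: replace the stored password."""
        creds = json.loads(self._store[SecretId])
        creds["password"] = new_password
        self._store[SecretId] = json.dumps(creds)


def demo() -> Dict[str, Any]:
    """Walk through fetch, cache hit, rotation, and TTL expiry."""
    fake_clock = {"t": 0.0}
    sm = FakeSecretsManager()
    cache = SecretCache(sm, ttl_seconds=300, clock=lambda: fake_clock["t"])

    first = cache.get("prod/database/credentials")["password"]   # API call
    second = cache.get("prod/database/credentials")["password"]  # served from cache
    sm.rotate("prod/database/credentials", "rotated-pw-0002")
    stale = cache.get("prod/database/credentials")["password"]   # TTL not expired yet
    fake_clock["t"] = 301.0
    fresh = cache.get("prod/database/credentials")["password"]   # refetched
    api_key = cache.get("prod/payments/api-key")                 # bare string secret
    return {"first": first, "second": second, "stale": stale,
            "fresh": fresh, "api_key": api_key, "api_calls": sm.calls}


if __name__ == "__main__":
    # Only the call count is printed; secret values never go to stdout or logs.
    print("Secrets Manager API calls made:", demo()["api_calls"])
```

The stale read between rotation and TTL expiry is exactly the window that trips up long-running services; the usual defence is the short TTL above plus an invalidate-and-retry when the database rejects the old password.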

3. Granular Access Control

You can manage permissions precisely, like "development team gets access to dev DB passwords only, operations team gets access to production DB passwords only."

When to Use Secrets Manager?

  • When your application needs to connect to databases
  • When you need to use API keys from external paid services
  • When you have passwords that need to be rotated regularly
  • When different teams need access to different secrets

KMS (Key Management Service): The 'Master Key' That Locks Everything

Core Function

KMS doesn't manage passwords, but rather specializes in managing and controlling 'encryption keys' that encrypt data.

How Does It Work? - The Double Lock System

Let me explain KMS's Envelope Encryption in simple terms:

Step 1: Create a small key (data key) to encrypt customer data

Step 2: Lock the customer data with that small key

Step 3: Lock that small key again with KMS's master key

Result: You only need to store the encrypted data and the 'small key' locked with the master key!

Original Data
   ↓ (encrypted with Data Key)
[Encrypted Data] + [Plaintext Data Key]
   ↓ (Data Key is encrypted by KMS Master Key)
[Encrypted Data] + [Encrypted Data Key]
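The three steps above, carried through in code as an added example (not AWS's code and not from the original post). Real KMS hands out AES-256 data keys and the AWS SDKs encrypt the data with AES-GCM; to stay dependency-free this example substitutes an HMAC-SHA256 keystream in counter mode plus an HMAC tag (encrypt-then-MAC) for the cipher, which is an assumption of the example rather than what KMS does internally. FakeKms, its audit_log and all keys and data are constructed; the point it demonstrates is that only the ciphertext and the wrapped data key are stored, the plaintext data key is discarded, and the master key never leaves the KMS stand-in.

```python
# Added example (not AWS's or the post's own code): envelope encryption with a
# simulated KMS. The cipher below (HMAC-SHA256 in counter mode + HMAC tag) is a
# dependency-free stand-in for the AES-GCM the real SDKs use.
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: stand-in for a block cipher in CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # wrong key or tampered data
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Stand-in for KMS: holds the master key and exposes only an API surface
    shaped like GenerateDataKey and Decrypt. The master key is never returned."""

    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)   # constructed; stays inside this object
        self.audit_log: List[str] = []               # stand-in for the CloudTrail record

    def generate_data_key(self) -> Tuple[bytes, bytes]:
        """Step 1: mint a data key; return it in plaintext AND wrapped by the master key."""
        data_key = secrets.token_bytes(32)
        self.audit_log.append("GenerateDataKey")
        return data_key, symmetric_encrypt(self._master_key, data_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        self.audit_log.append("Decrypt")
        return symmetric_decrypt(self._master_key, wrapped)


def envelope_encrypt(kms: FakeKms, data: bytes) -> Dict[str, bytes]:
    data_key, wrapped_key = kms.generate_data_key()     # step 1: small key
    ciphertext = symmetric_encrypt(data_key, data)       # step 2: lock the data with it
    del data_key                                         # plaintext key is never stored
    return {"ciphertext": ciphertext, "encrypted_data_key": wrapped_key}   # step 3 result


def envelope_decrypt(kms: FakeKms, record: Dict[str, bytes]) -> bytes:
    data_key = kms.decrypt_data_key(record["encrypted_data_key"])   # one KMS call per object
    return symmetric_decrypt(data_key, record["ciphertext"])


def demo() -> dict:
    kms = FakeKms()
    customer_file = b"name=Jane Example;card=**** 4242"   # constructed sample data
    record = envelope_encrypt(kms, customer_file)
    recovered = envelope_decrypt(kms, record)

    # Flip one stored byte of the ciphertext: the tag check must reject it.
    ct = record["ciphertext"]
    tampered = {"encrypted_data_key": record["encrypted_data_key"],
                "ciphertext": ct[:20] + bytes([ct[20] ^ 1]) + ct[21:]}
    try:
        envelope_decrypt(kms, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # A different master key (another KMS) cannot unwrap the data key.
    try:
        envelope_decrypt(FakeKms(), record)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {"roundtrip_ok": recovered == customer_file,
            "tamper_detected": tamper_detected,
            "wrong_key_rejected": wrong_key_rejected,
            "kms_calls": list(kms.audit_log)}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing: the data itself never travels to the KMS stand-in, only the small wrapped key does, which is why envelope encryption scales to large objects; and every unwrap shows up in the audit log, which is the CloudTrail trail the auditing section below relies on.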

Key Characteristics

1. Hardware Security Module (HSM)

KMS keys are generated and managed in AWS's Hardware Security Modules. This is even more secure than bank vaults!

2. Auditing and Logging

All records of "who used which key when" are logged in CloudTrail. This is extremely useful for security audits!

3. Regional Key Management

You can manage keys independently for each AWS region, making it easy to comply with regional data protection regulations.

When to Use KMS?

  • When you need to encrypt customer personal information files stored in S3
  • When you want to encrypt entire server hard disks (EBS volumes)
  • When you need to encrypt large amounts of data
  • When you need complete control over encryption keys for regulatory compliance

The Crucial Difference: So What's Really Different Between Them?

Secrets Manager (Digital Vault) vs KMS (Master Key)

What They Manage:

  • Secrets Manager: The secret information itself (DB passwords, API keys)
  • KMS: The 'encryption keys' that encrypt data

Core Purpose:

  • Secrets Manager: Safe storage, retrieval, and rotation of secret information
  • KMS: Safe generation, control, and auditing of encryption keys

What They Actually Do:

  • Secrets Manager: "Here's your DB password. Come get it when you need it. I'll change it periodically."
  • KMS: "I'll create keys to encrypt your data. I'll manage those keys safely."

Representative Use Cases:

  • Secrets Manager: Retrieving DB connection info from code
  • KMS: Encrypting files uploaded to S3

Pricing:

  • Secrets Manager: $0.40 per secret per month + API call costs
  • KMS: $1 per key per month + API usage costs

Automation Features:

  • Secrets Manager: Automatic rotation
  • KMS: Automatic key rotation

Simple Decision Criteria

Ask yourself: "What am I trying to manage?"

  • "Text-based passwords or API keys" → Secrets Manager
  • "Keys to lock files or data" → KMS

Bonus: They're Actually Best Friends Working Together!

Here's an interesting fact!

Secrets Manager's 'digital vault' is locked with KMS's 'master key'!

When you store a password in Secrets Manager, it automatically calls KMS to encrypt that password before storing it.

Password Storage Process:
1. "Store this DB password in Secrets Manager"
2. Secrets Manager: "Hey KMS, encrypt this password for me"
3. KMS: "Sure, here's the encrypted password!"
4. Secrets Manager: "Thanks, stored it safely"

Password Retrieval Process:
1. "Secrets Manager, give me the DB password"
2. Secrets Manager: "KMS, decrypt this encrypted thing for me"
3. KMS: "Checking permissions... OK! Here's the decrypted password!"
4. Secrets Manager: "Here you go!"

In other words, the vault (Secrets Manager) itself is locked once more with a safer master key (KMS)!

Understanding Through Real-World Examples

Scenario 1: E-commerce Website

What you need:
- Payment API keys → Secrets Manager ✓
- Customer personal information files → KMS for S3 encryption ✓
- Database connection info → Secrets Manager ✓
- Server disks → KMS for EBS encryption ✓

Scenario 2: Data Analytics Platform

What you need:
- External data API tokens → Secrets Manager ✓
- Analysis result files → KMS for S3 encryption ✓
- Database connection strings → Secrets Manager ✓

Summary: Just Remember These Two Things!

Remember just these two things:

Secrets Manager: When you want to safely store passwords/API keys that your application will use!

  • "When connecting to DB from code"
  • "When calling external service APIs"
  • "When you have passwords that need regular rotation"

KMS: When you want to encrypt your data or files themselves!

  • "Files uploaded to S3"
  • "Entire server hard disks"
  • "Large databases"

Final Tips

  • Start small and gradually expand
  • Both services offer a limited free tier you can experiment with
  • Start by applying one service first, then add the other as you get comfortable

Remember these two things, and you can become an AWS security expert!