
This question is about rotation in AWS Secrets Manager. When creating a secret, you can choose a rotation frequency, but I can't figure out how rotation works.

Imagine a scenario like the following.

  1. You create a secret A1 in AWS Secrets Manager and specify a rotation frequency of 30 days.

  2. You encrypt the data with A1.

  3. 30 days later, A1 has been rotated to A2.

  4. Then your program retrieves the secret from AWS Secrets Manager and gets the value of A2. How do you decrypt the data that was encrypted with A1?


Ryan Lyu

  • If I understand correctly, are you storing an encryption key in your Secrets Manager? – Chris Williams Jun 11 '20 at 15:06
  • I use Secrets Manager to store access_token and app_secret; most of them don't need to be rotated. I am curious about the usage of AWS Secrets Manager rotation. In which case will it be used? – Ryan Lyu Jun 11 '20 at 15:14
  • I have attached an answer explaining the use cases, as well as expanding on encryption in AWS. – Chris Williams Jun 11 '20 at 15:29

2 Answers

Secrets Manager rotation is primarily used for API keys or passwords.

Your encrypted values are stored in the Secrets Manager secret, but the encryption key itself is stored in KMS.

When rotation occurs, these values are replaced, and the same KMS customer master key will be used to encrypt the new value.

If you ever want to store an encryption key, you would use either AWS KMS or AWS CloudHSM (if your organisation has specific regulatory requirements or wants to invest in a dedicated HSM).

Chris Williams

You should use KMS for storing encryption keys, not Secrets Manager. You can rotate encryption keys in KMS while keeping the old keys available.

Secrets Manager is for things like passwords, where rotation involves updating an account to have a new password, and the old password would be no longer needed.

Mark B
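The difference both answers draw (KMS rotation keeps old key material around so earlier ciphertext still decrypts; Secrets Manager rotation replaces the credential and only keeps the previous one under a staging label) can be made concrete with a small model. The following is an added example, not code from the question or either answer: it simulates a KMS key whose ciphertext records the key version that produced it, and a Secrets Manager secret whose rotation moves the AWSCURRENT and AWSPREVIOUS staging labels. The cipher is a toy HMAC-SHA256 keystream standing in for KMS's real AES-GCM, the 2-byte version prefix is a hypothetical encoding (real KMS keeps the version inside its opaque ciphertext blob), and the sample plaintext is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

PLAINTEXT = b"customer record written on day 1"  # constructed sample data


def _toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter).

    Stands in for KMS's real AES-GCM; the same call encrypts and decrypts.
    Unauthenticated, for illustration only.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


class KmsKeyModel:
    """One KMS customer master key with automatic rotation enabled.

    rotate() adds new backing key material but keeps every old version, and
    each ciphertext records which version produced it, so data encrypted
    before a rotation still decrypts afterwards. The 2-byte version prefix
    is a hypothetical encoding for this model.
    """

    def __init__(self) -> None:
        self._versions: List[bytes] = [secrets.token_bytes(32)]

    def rotate(self) -> int:
        self._versions.append(secrets.token_bytes(32))
        return len(self._versions) - 1

    def encrypt(self, plaintext: bytes) -> bytes:
        version = len(self._versions) - 1  # always the newest material
        nonce = secrets.token_bytes(16)
        body = _toy_cipher(self._versions[version], nonce, plaintext)
        return version.to_bytes(2, "big") + nonce + body

    def decrypt(self, blob: bytes) -> bytes:
        version = int.from_bytes(blob[:2], "big")  # select the material that was used
        return _toy_cipher(self._versions[version], blob[2:18], blob[18:])


class SecretsManagerModel:
    """One Secrets Manager secret holding a credential string.

    rotate() stores a new version and moves the staging labels: the new value
    becomes AWSCURRENT, the old AWSCURRENT becomes AWSPREVIOUS, and the version
    that was AWSPREVIOUS loses its label. This model only serves labelled
    versions (real Secrets Manager deprecates unlabelled versions and removes
    them later).
    """

    def __init__(self, value: str) -> None:
        self._labels: Dict[str, str] = {"AWSCURRENT": value}

    def rotate(self, new_value: str) -> None:
        self._labels = {"AWSCURRENT": new_value, "AWSPREVIOUS": self._labels["AWSCURRENT"]}

    def get_secret_value(self, stage: str = "AWSCURRENT") -> Optional[str]:
        return self._labels.get(stage)


def kms_decrypts_after_rotation(rotations: int = 2) -> bool:
    """Encrypt under version 0, rotate `rotations` times, decrypt the old blob."""
    key = KmsKeyModel()
    blob = key.encrypt(PLAINTEXT)
    for _ in range(rotations):
        key.rotate()
    return key.decrypt(blob) == PLAINTEXT


def secret_as_key_after_rotation(rotations: int) -> Optional[str]:
    """The question's scenario: A1 (a hex key) lives in Secrets Manager and is
    used directly as the cipher key. Returns the staging label whose value
    still decrypts the data, or None if no labelled version does."""
    secret = SecretsManagerModel(secrets.token_bytes(32).hex())  # A1
    nonce = secrets.token_bytes(16)
    ciphertext = _toy_cipher(bytes.fromhex(secret.get_secret_value()), nonce, PLAINTEXT)
    for _ in range(rotations):
        secret.rotate(secrets.token_bytes(32).hex())  # A2, A3, ...
    for stage in ("AWSCURRENT", "AWSPREVIOUS"):
        value = secret.get_secret_value(stage)
        if value is not None and _toy_cipher(bytes.fromhex(value), nonce, ciphertext) == PLAINTEXT:
            return stage
    return None


if __name__ == "__main__":
    print("KMS, old ciphertext after 2 rotations:", kms_decrypts_after_rotation(2))
    for n in (0, 1, 2):
        print(f"Secrets Manager key after {n} rotation(s):", secret_as_key_after_rotation(n))
```

Running the model shows the behaviour the answers describe: the KMS blob decrypts no matter how many rotations follow, while the Secrets Manager key is only reachable via AWSPREVIOUS for one rotation and is then gone, which is why a key used for data at rest belongs in KMS and a rotating Secrets Manager secret should be a credential the consumer can simply replace.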