Secrets Manager

Service that securely stores, encrypts and rotates DB credentials and other secrets
  • Encryption in transit and at rest using KMS
  • Automatically rotates credentials
  • Apps can make API calls to Secrets Manager to retrieve secrets programmatically
  • Apply fine-grained access control using IAM policies:

    Policy Type Effect
    • You can grant access to many secrets for the same identity
    • Useful when setting up an IAM role that requires access to more than one secret
    • Grant access to multiple principals to a secret
  • Automatic secrets rotation:

    • The rotation process takes advantage of AWS Lambda functions to orchestrate the secret rotation process
    • The following database services support automatic secrets rotation:
      • RDS (Aurora, MySQL, PostgreSQL, Oracle, MariaDB, Microsoft SQL Server)
      • DocumentDB
      • Redshift
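
The two ways of granting access described above (one identity reaching many secrets, one secret opened to many principals) are easy to over-grant, so here is a small policy check as an added example; it is not part of the original notes. The account ID, role names, secret names and the audit() helper are constructed for illustration.

```python
import json

# Constructed sample policies; every ARN and the account ID are placeholders.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": ["arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/db-*",
                  "arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/api-key-*"]},
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}
  ]}""")

RESOURCE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app",
                           "arn:aws:iam::111122223333:role/batch"]},
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    {"Effect": "Allow", "Principal": "*",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}
  ]}""")

def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement_index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a in ("*", "secretsmanager:*") for a in actions):
            findings.append((i, "wildcard action"))
        principal = stmt.get("Principal")
        if principal is None:
            # Identity-based policy: the reachable secrets are listed in Resource.
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append((i, "identity policy reaches every secret"))
        else:
            # Resource-based policy: Resource "*" only means "this secret".
            aws = principal if principal == "*" else principal.get("AWS", [])
            if "*" in _as_list(aws) and "Condition" not in stmt:
                findings.append((i, "any principal, no condition"))
    return findings
```

In both samples the first statement is the scoped form and passes; the second statement is the over-broad one that gets flagged.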

Comparison with Parameter Store:

| Secrets Manager | Parameter Store |
| --- | --- |
| Database credentials, API/SSH keys | Password, DB strings, license codes, parameter values, config data |
| Built-in integration with RDS (MySQL, PostgreSQL, Aurora) | User defined parameters |
| Built-in rotation of RDS secrets, support for non-RDS using Lambda | Values may be clear text or encrypted |
| Charged: $0.40 secret/pcm + $0.05 per 10,000 API calls | No additional charge |
| | Integrated with Secrets Manager |

Systems Manager (SSM)


Category Description
Operations Management
  • Understanding the current state of your environment and how its components are performing
  • Covers features such as Explorer, OpsCenter, CloudWatch Dashboard, and Personal Health Dashboard (PHD)
Application Management
  • Administration of applications that are distributed along several components and AWS accounts
  • Group resources of different types together based on a query (e.g. an application)
  • Inventory: applications, files, network configurations, Windows services, registries, etc.
  • Many features require the Agent installed (EC2 instances need an instance profile for a role that has the necessary permissions to allow the agent to interact with SSM)
Actions & Change
  • Lets you specify a sequence of actions to be executed on your managed instances and control how they are executed
Instances & Nodes
  • Manage instances and nodes at scale


Run Command
  • Manages a fleet of EC2 instances at scale, without having to log in to each instance
  • Commands can be applied to a group of systems based on AWS instance tags or by selecting manually
  • SSM agent needs to be installed on all your managed instances
  • Integrations
    • Logs via CloudTrail
    • Can be triggered by CloudWatch Events
Session Manager
  • Browser-based shell integrated with IAM and CloudTrail
  • Can log session data to S3 and/or CloudWatch Logs
Parameter Store
  • Pass confidential information to EC2 as a bootstrap script
  • Types
    • String (plain text)
    • String List (plain text)
    • Secure String: encrypts data using KMS
  • Can be tagged + organized in a hierarchy
  • KMS for encryption (users need KMS permissions to use the corresponding CMK)
State Manager
  • Establishes the instance's desired state (via an association) and the actions to bring the instance to that desired state (OS configuration, rollout schedule, compliance reporting)
  • An association also defines which instances are covered by this desired state and a schedule to periodically execute the checks
  • Example: ensure that the antimalware is running → if it's not installed, State Manager will install it automatically, and if it's not running, State Manager will start the service
Patch Manager
  • Keeps instances and nodes in the desired state regarding OS and application patches
  • Patching configuration:
    • desired state for patching (a patch baseline with rules and definitions on which patches an instance should have)
    • target list of instances
    • schedule for patching
    • whether a specific maintenance window applies
  • To execute the patching actions
    • RunCommand (for a single execution)
    • MaintenanceWindows (when periodically scheduled)
Compliance
  • Shows the current adherence status both for State Manager and Patch Manager
OpsCenter
  • Aggregates operational issues, provides tools for diagnosis, and helps accelerate the resolution of those issues by allowing the automation of tasks through SSM automations
  • It's not recommended that you send security issues to OpsCenter to be centralized (you should use Security Hub instead)