AWS Secrets Manager vs AWS KMS (Key Management Service)
Both AWS Secrets Manager and AWS Key Management Service (KMS) are used for security and encryption, but they serve different purposes.
| Feature | AWS Secrets Manager | AWS KMS (Key Management Service) |
|---|---|---|
| Purpose | Manages and rotates sensitive secrets (passwords, API keys, database credentials, etc.) | Manages and controls cryptographic keys for encryption and decryption |
| Use Case | Storing, retrieving, and auto-rotating secrets securely | Encrypting and decrypting data, signing messages, managing encryption keys |
| Encryption | Secrets are encrypted using KMS keys | Provides encryption keys for services like S3, EBS, RDS, etc. |
| Automatic Rotation | Supports automatic rotation of secrets (database credentials, API keys) | No automatic rotation for keys (must be rotated manually or via policies) |
| Integration | Used with RDS, Redshift, Lambda, API Gateway, etc. | Used with S3, EBS, Lambda, CloudTrail, DynamoDB, etc. |
| Cost Model | Charged per stored secret + API calls | Charged per API call + key usage fees |
| Access Control | IAM policies + fine-grained resource-based permissions | IAM policies + grants and key policies |
| Retrieval | Uses the AWS SDK, CLI, or Secrets Manager API to fetch secrets | Used through encryption/decryption API calls |
When to Use Which?
- Use AWS Secrets Manager if you need to securely store and automatically rotate secrets like database passwords, API keys, or OAuth tokens.
- Use AWS KMS if you need to encrypt/decrypt data at rest or control encryption keys for EBS, S3, or RDS.
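The two services meet in access control: because a secret is encrypted with a KMS key, a principal reading a secret protected by a customer-managed key needs both the Secrets Manager permission and kms:Decrypt on that key. The IAM policy below is an added example, not taken from the original page or from AWS documentation; REGION, ACCOUNT_ID, KEY_ID and the secret name are placeholders, and the trailing `-*` on the secret ARN is there because Secrets Manager appends a random suffix to every secret ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneSecretOnly",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:prod/db-credentials-*"
    },
    {
      "Sid": "DecryptOnlyWhenCalledThroughSecretsManager",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.REGION.amazonaws.com"
        }
      }
    }
  ]
}
```

The kms:ViaService condition keeps the principal from calling kms:Decrypt directly on that key for anything other than this secret retrieval path. The key policy on the KMS key itself must still allow the account (or this principal) to use the key; an IAM policy alone is not enough when the key policy does not delegate to IAM.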
Summary: How Key Rotation Works in Different S3 Encryption Methods
| Encryption Type | Key Managed By | Key Rotation Method |
|---|---|---|
| SSE-S3 (S3-managed) | AWS S3 | Automatic every year |
| SSE-KMS (AWS KMS) | AWS KMS | Automatic (if enabled) or manual |
| SSE-C (Customer-provided) | Customer | Manual (re-encrypt objects) |