| title | type | source-type | category | tags | date-added | video-source | audio-source | status |
|---|---|---|---|---|---|---|---|---|
| CTP Topic 62 AWS Secrets Manager | cloud-learning | video | DevOps & SRE/07_Security | | 2026-04-14 | nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 62_ AWS Secrets Manager.mp4 | | summarized (Gemini summary) |
CTP Topic 62 AWS Secrets Manager
Source: NAS /volume2/work/Public Cloud Learning Sessions/CTP _ Topic 62_ AWS Secrets Manager.mp4
Type: VIDEO | Category: 07_Security
Status: 🟡 Awaiting Whisper transcription → Summary
Summary
AWS Secrets Manager
This session is a follow-up to a session held in July of the previous year. The presenters are Nurit and Daniel. The session covers a summary of the previous learning session, introduces the AWS Secrets Management Standard document, shares implementation opportunities, and provides GitHub links.
The previous session covered the journey of choosing a secrets management platform, with a POC phase for both HashiCorp Vault and AWS Secrets Manager. AWS Secrets Manager was chosen as the more cost-effective solution; it is easy and simple to implement, and features it lacks can be added with custom code using the AWS SDKs, which are available in multiple languages. The next steps were removing clear-text passwords and keys from the Control Tower CI/CD process, sharing code and documentation, and providing an AWS Secrets Management standard document for managing secrets.
The standard document started as a best-practices document and became the standard for secrets management in public cloud. It is based on the implementation done with Control Tower and is aligned with general best practices. The document covers how to use AWS Secrets Manager correctly, with a phased approach: first centralize the secrets, then adjust automations to retrieve the secrets themselves, and only then start secret rotation. Once automations retrieve secrets at runtime, developers no longer need direct access to the secret values. The document also outlines the advantages and drawbacks of using AWS Secrets Manager, including cost information, and provides recommendations for Lambda usage and opportunities for custom secrets management solutions.
Implementation opportunities include improving the Control Tower stacks, Oracle DB user password rotation for the Control Tower Dev database, and a POC for a centralized mail service that supports SendGrid key rotation without an application restart. The phased approach is the same one: centralize secrets, automate retrieval, then rotate. Daniel then walked through how those opportunities were implemented. Centralizing and working with microservices helps with physical improvement, fault isolation, platform- and language-agnostic development, easier deployment, visibility, faster time to market, and the ability to experiment.
The Control Tower stacks were redesigned to centralize parameters and secrets, so that all stacks use the same secret. The database team collaborated on password rotation, removing the need to send passwords by email: access to the secret is granted to IAM roles, so consumers authenticate with their AWS credentials rather than receiving the password. The rotation itself is done by a Lambda function that connects to the Oracle instance and changes the password. The centralized SendGrid email service addresses the problem that multiple teams each need to rotate the SendGrid API key, which usually requires code changes and application restarts. The proposed solution centralizes the SMTP service and its key rotation and offers the service to all teams; the SendGrid keys can then be auto-rotated, or permissions escalated, in one place. The SMTP service is exposed on port 1025, so accounts consume it without being aware of the backend.
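The rotation Lambda described above follows the four-step contract Secrets Manager uses for every rotation function (createSecret, setSecret, testSecret, finishSecret, each delivered as a separate invocation). The following is an added example, not code from the session or from Control Tower: the Secrets Manager client, the Oracle database, the secret ARN and the secret layout (`username`/`password`/`host`/`port`) are stand-ins constructed here so the handler runs offline, and AWSPREVIOUS handling is left out. A real handler would use `boto3.client("secretsmanager")` and an Oracle driver in place of the two fakes.

```python
"""Four-step Secrets Manager rotation handler for a database user (added example).

Secrets Manager invokes the Lambda once per step with an event of the form
{"SecretId": ..., "ClientRequestToken": ..., "Step": ...}. The Secrets Manager
and Oracle classes below are constructed stand-ins so the example runs offline.
"""
import json
import secrets
import string


class FakeSecretsManager:
    """Subset of the boto3 Secrets Manager API used by the handler (constructed)."""

    def __init__(self, arn, current_value):
        self.arn = arn
        # version id -> (secret value as dict, set of staging labels)
        self.versions = {"v-initial": (current_value, {"AWSCURRENT"})}

    def describe_secret(self, SecretId):
        return {"ARN": self.arn, "RotationEnabled": True,
                "VersionIdsToStages": {v: sorted(s) for v, (_, s) in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, (value, stages) in self.versions.items():
            if (VersionId is None or vid == VersionId) and (VersionStage is None or VersionStage in stages):
                return {"SecretString": json.dumps(value), "VersionId": vid}
        raise KeyError("ResourceNotFoundException")  # boto3 raises a ClientError here

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = (json.loads(SecretString), set(VersionStages))

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId is not None:
            self.versions[RemoveFromVersionId][1].discard(VersionStage)
        self.versions[MoveToVersionId][1].add(VersionStage)


class FakeOracle:
    """Stand-in database holding user -> password (constructed)."""

    def __init__(self, users):
        self.users = dict(users)

    def login(self, user, password):
        return self.users.get(user) == password

    def alter_user(self, user, new_password):  # ALTER USER ... IDENTIFIED BY ...
        self.users[user] = new_password


def new_password(length=32):
    alphabet = string.ascii_letters + string.digits + "_#$"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(event, sm, db):
    """One rotation step; safe to re-run, because Secrets Manager retries failed steps."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])

    if step == "createSecret":
        try:  # a pending version for this token already exists: reuse it
            sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
        except KeyError:
            pending = dict(current, password=new_password())
            sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
        return

    pending = json.loads(sm.get_secret_value(SecretId=arn, VersionId=token,
                                             VersionStage="AWSPENDING")["SecretString"])
    if step == "setSecret":
        if db.login(pending["username"], pending["password"]):
            return  # password already applied by an earlier attempt
        if not db.login(current["username"], current["password"]):
            raise RuntimeError("AWSCURRENT credentials rejected; refusing to change the password blind")
        db.alter_user(pending["username"], pending["password"])
    elif step == "testSecret":
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("AWSPENDING credentials do not work; not promoting them")
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
        current_vid = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        if current_vid != token:  # no-op if this step already completed
            sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_vid)
    else:
        raise ValueError(f"unknown rotation step: {step}")


def run_rotation(sm, db, arn, token):
    """Drives the four steps in the order Secrets Manager sequences them; returns the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": arn, "ClientRequestToken": token, "Step": step}, sm, db)
    return json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])


if __name__ == "__main__":
    ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:ct-dev/oracle/app_user"  # hypothetical
    db = FakeOracle({"APP_USER": "old-password"})
    sm = FakeSecretsManager(ARN, {"username": "APP_USER", "password": "old-password",
                                  "host": "ct-dev-db.internal", "port": 1521})
    rotated = run_rotation(sm, db, ARN, "v-0001")
    print("new password works:", db.login("APP_USER", rotated["password"]),
          "| old still valid:", db.login("APP_USER", "old-password"))
```

The two refusals in setSecret and testSecret are the part worth copying: the handler never changes a password it cannot first prove it holds, and never promotes a pending version the database has not accepted, so a half-finished rotation leaves AWSCURRENT usable.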
Victor demoed logging into an Oracle database without knowing the password, using a JDBC wrapper and the AWS SDK to retrieve the credentials from Secrets Manager at connect time. The username is determined by the caller's role and its access to the secret. Secrets can be tagged for classification and for tag-based access control. AWS Secrets Manager does not require a client agent to be installed, unlike HashiCorp Vault.
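The demo above, and the "adjust automations to retrieve the secrets" phase of the standard, come down to one client-side pattern: fetch the credential at connect time, cache it, and refresh the cache when the backend rejects it, which is what lets a rotation happen without an application restart. The following is an added example of that pattern in Python, not the session's JDBC wrapper or any Control Tower code; the Secrets Manager client, the database, the secret name and the secret layout are stand-ins constructed here so it runs offline.

```python
"""Runtime credential retrieval with a TTL cache that is refreshed on auth failure (added example).

The Secrets Manager client and the database are constructed stand-ins; a real
deployment would pass boto3.client("secretsmanager") and connect with a DB driver.
"""
import json
import time


class FakeSecretsManagerClient:
    """Only get_secret_value is needed on the consumer side (constructed stand-in)."""

    def __init__(self, values):
        self.values = dict(values)  # secret id -> dict stored as the SecretString
        self.calls = 0              # counts API hits so caching can be observed

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.values[SecretId])}


class FakeOracle:
    """Stand-in database holding user -> password (constructed)."""

    def __init__(self, users):
        self.users = dict(users)

    def login(self, user, password):
        return self.users.get(user) == password


class SecretCache:
    """TTL cache over get_secret_value; callers force a refresh on auth failure."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self.client, self.ttl, self.clock = client, ttl_seconds, clock
        self._entries = {}  # secret id -> (expires_at, parsed secret)

    def get(self, secret_id, force_refresh=False):
        entry = self._entries.get(secret_id)
        if entry is None or force_refresh or entry[0] <= self.clock():
            value = json.loads(self.client.get_secret_value(SecretId=secret_id)["SecretString"])
            self._entries[secret_id] = (self.clock() + self.ttl, value)
        return self._entries[secret_id][1]


def connect(cache, secret_id, db):
    """Log in with credentials from Secrets Manager; if rejected, refresh once and retry.

    Returns the username that authenticated; the caller never handles the password.
    """
    creds = cache.get(secret_id)
    if db.login(creds["username"], creds["password"]):
        return creds["username"]
    creds = cache.get(secret_id, force_refresh=True)  # a rotation may have happened
    if db.login(creds["username"], creds["password"]):
        return creds["username"]
    raise PermissionError(f"credentials in {secret_id} rejected even after refresh")


def simulate_rotation(sm, db, secret_id, new_password):
    """Stand-in for the rotation Lambda: updates the secret and the database together."""
    sm.values[secret_id] = dict(sm.values[secret_id], password=new_password)
    db.users[sm.values[secret_id]["username"]] = new_password


if __name__ == "__main__":
    SECRET_ID = "ct-dev/oracle/app_user"  # hypothetical secret name
    sm = FakeSecretsManagerClient({SECRET_ID: {"username": "APP_USER", "password": "pw-1"}})
    db = FakeOracle({"APP_USER": "pw-1"})
    cache = SecretCache(sm)
    print(connect(cache, SECRET_ID, db), "api calls:", sm.calls)   # cached after the first call
    simulate_rotation(sm, db, SECRET_ID, "pw-2")
    print(connect(cache, SECRET_ID, db), "api calls:", sm.calls)   # refreshed once, no restart
```

The cache matters for cost as much as latency (Secrets Manager bills per API call), and the refresh-on-rejection path is what makes the cache safe to keep: a stale entry costs one failed login, not an outage. The final `PermissionError` is deliberate; a password changed outside the rotation flow should surface as an error rather than be retried indefinitely.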
Key Concepts
Action Items
Related Videos
Paired video note link (to be filled in after generation)
Last updated: 2026-04-14