We close the security chapter with a very practical problem we've been postponing: where do you store your application's secrets? Database passwords, API keys, tokens... they can't be written in the code or in versioned .tfvars files (as we warned in subchapter 19.4). AWS offers two services to store them securely: Secrets Manager and Parameter Store. Let's see what they are and when to use each one.
The problem: secrets can't go in the code
Every application needs secrets: sensitive data that gives it access to other systems. For example, the password to connect to its database. The beginner's mistake is to put them directly in the code or configuration:
❌ BAD: password = "MyPassword123" written in the code or in Git → anyone with access to the repository sees the secret → it remains in the Git history forever → a security disaster waiting to happen
Remember what we saw in subchapter 19.4: never write secrets in versioned files. The solution is to store them in a secret manager and have the application read them at the moment it needs them.
The idea: store the secret externally and read it on demand
A secret manager stores sensitive data encrypted and with controlled access. The application, when it starts or when it needs to, requests the secret from the manager (proving it has permission) and receives it. The secret is never written in the code.
Application ──"give me the DB password"──► Secret manager (encrypted)
◄──── the password (if you have permission) ───
→ the secret is NOT in the code, it is obtained at the momentSecrets are encrypted with KMS (subchapter 23.5) and access is controlled with IAM (Chapter 7), applying the least privilege principle: only the application that needs a secret has permission to read it.
The two AWS options
AWS offers two services for this, and it's important to know the difference:
Secrets Manager
Secrets Manager is specifically designed for secrets (passwords, API keys, credentials). Its standout feature is automatic rotation: it can automatically change passwords periodically, integrating with databases like RDS to update the password both in the secret and in the database, without interruptions.
Secrets Manager: ✓ designed for secrets ✓ AUTOMATIC ROTATION of credentials (its big advantage) ✓ native integration with databases (RDS...) - has a cost per secret
Parameter Store
Parameter Store (part of AWS Systems Manager) is a more general service for storing configuration parameters, which can also store secrets (as "secure strings" encrypted with KMS). It's more simple and its basic use is free, but it does not offer the automatic rotation of Secrets Manager.
Parameter Store: ✓ stores configuration AND secrets (as encrypted "SecureString") ✓ its standard tier is FREE ✓ simple and versatile - NO integrated automatic rotation
Comparison table
| Secrets Manager | Parameter Store | |
|---|---|---|
| Designed for | Specifically for secrets | General configuration (and secrets) |
| Automatic rotation | Yes (its big advantage) | No |
| DB integration | Native (RDS, etc.) | No |
| Cost | Paid (per secret) | Free standard tier |
| Ideal for | Credentials that must be rotated | Simple configuration and secrets |
Analogy: Parameter Store is like a general safe where you keep important documents and also some jewelry; it works, it's cheap and versatile. Secrets Manager is like a specialized safe for extremely valuable jewels, with an extra service that periodically changes the combination for you (rotation). It costs more, but for your most critical secrets, that rotation service is worth it.
Which one should I choose?
The decision mainly depends on whether you need automatic rotation and the cost:
- Use Secrets Manager when: you need automatic rotation of credentials (especially database passwords), or you want its native integration with RDS. It's the most robust option for critical secrets.
- Use Parameter Store when: you want a simple and free option to store configuration and secrets that don't need automatic rotation, or you're just starting out and want to minimize costs.
To start: Parameter Store (free tier) is perfect for securely storing your first configurations and secrets. When you handle critical credentials that must be rotated (like in production with sensitive databases), move up to Secrets Manager.
How to use it with Terraform and applications
The usual pattern connects everything we've learned:
1. The secret is stored in Secrets Manager / Parameter Store (encrypted with KMS) 2. The application (or Terraform) READS it at the moment, with IAM permissions 3. The secret NEVER appears in the code or in Git
For example, Terraform can read an existing secret with a data block (remember the data sources from subchapter 14.2) instead of having it written. And an application in a Lambda or a container requests the secret at startup. ⚠️ Remember (from subchapter 11.2) that if Terraform reads a secret, it may end up in the state, so the state must be encrypted and protected.
Real world example: an application needs to connect to its production database. The password is stored in Secrets Manager with monthly automatic rotation. The application, at startup, requests the password from Secrets Manager (it has IAM permission for that specific secret, and for no other). When Secrets Manager rotates the password, it updates both the secret and the database, and the application simply requests the new one again: all without any human ever seeing or writing the password. If an attacker got the application's code, they would not find any password in it.
What you should remember
- Secrets (passwords, API keys, tokens) should never go in the code or in versioned files; they are stored in a secret manager and the application reads them at the moment, with permissions.
- Secrets are encrypted with KMS (subchapter 23.5) and access is controlled with IAM (least privilege).
- Secrets Manager: designed for secrets, with automatic credential rotation (its big advantage) and native database integration; paid.
- Parameter Store: general service for configuration and secrets (as encrypted strings), simple and with a free tier, but without automatic rotation.
- Choose Secrets Manager if you need automatic rotation (critical credentials, production DB); Parameter Store for simple and free use. To start, Parameter Store is enough.
- Pattern: the secret lives in the manager (encrypted), the app/Terraform reads it with IAM, and it never appears in the code. ⚠️ If Terraform reads it, protect the state (which may contain it).
You've finished Chapter 23! You now master defense-in-depth security in AWS: organizational boundaries, compliance, threats, centralized vision, encryption, and secrets. In Chapter 24 we'll see the other essential side of operating in production: observability (logs, metrics, and traces).
Cloud, AWS & Terraform — From Zero to Expert
Chapter 1 · What is cloud computing
- 1.1 The traditional client-server model
- 1.2 Problems the cloud came to solve
- 1.3 On-premise vs cloud vs hybrid
- 1.4 The three service models: IaaS, PaaS, SaaS
- 1.5 The five pillars of cloud (according to NIST)
- 1.6 Real advantages: elasticity, pay-as-you-go, global availability
Chapter 2 · The cloud market and major providers
- 2.1 AWS, Azure and GCP: differences and market share
- 2.2 Why learn AWS first
- 2.3 Concepts that are universal among providers
Chapter 3 · Regions, availability zones and edge
- 3.1 What is an AWS region and how to choose it
- 3.2 Availability Zones: high availability by design
- 3.3 Edge locations and CloudFront
- 3.4 Latency, resilience and data sovereignty
Chapter 4 · Compute: EC2
- 4.1 Instances: types, families and when to choose each
- 4.2 AMIs, key pairs and Security Groups
- 4.3 Instance lifecycle
- 4.4 Elastic IPs and Placement Groups
- 4.5 Savings Plans vs Reserved vs On-Demand vs Spot
Chapter 5 · Storage: S3
- 5.1 Buckets, objects and keys
- 5.2 Storage classes (Standard, IA, Glacier…)
- 5.3 Versioning and object lifecycle
- 5.4 Bucket policies and ACLs
- 5.5 Static website hosting
Chapter 6 · Networking: VPC
- 6.1 What is a VPC and why you need it
- 6.2 Public and private subnets
- 6.3 Internet Gateway and NAT Gateway
- 6.4 Route Tables and Network ACLs
- 6.5 VPC Peering and endpoints
Chapter 7 · Identity and access: IAM
- 7.1 Users, groups, roles and policies
- 7.2 The principle of least privilege
- 7.3 Identity-based vs resource-based policies
- 7.4 MFA and temporary credentials (STS)
- 7.5 IAM security best practices
Chapter 8 · Managed databases
- 8.1 RDS: engines, Multi-AZ and read replicas
- 8.2 Aurora and its advantages over vanilla RDS
- 8.3 DynamoDB: key-value / document model
- 8.4 ElastiCache for in-memory cache
- 8.5 When to use each type of database
Chapter 9 · Why Infrastructure as Code
- 9.1 Problems with manual provisioning
- 9.2 Declarative vs imperative IaC
- 9.3 Terraform vs CloudFormation vs Pulumi vs CDK
- 9.4 The plan → apply → destroy cycle
Chapter 10 · HCL: the Terraform language
- 10.1 Resource, variable, output, locals blocks
- 10.2 Data types: string, number, bool, list, map, object
- 10.3 Expressions, references and built-in functions
- 10.4 Conditionals and loops (count, for_each, for)
Chapter 11 · Providers and state
- 11.1 How the AWS provider works
- 11.2 The terraform.tfstate file and its importance
- 11.3 Local state vs remote state (S3 + DynamoDB)
- 11.4 Essential commands: init, plan, apply, destroy, fmt, validate
Chapter 12 · Your first real infrastructure in Terraform
- 12.1 Create a VPC with subnets from scratch
- 12.2 Launch a public EC2 instance
- 12.3 Associate a Security Group and an Elastic IP
- 12.4 Outputs and references between resources
- 12.5 Team workflow: PR review of plans
Chapter 13 · Load balancing and auto scaling
- 13.1 Application Load Balancer vs Network Load Balancer
- 13.2 Target Groups, listeners and rules
- 13.3 Auto Scaling Groups: policies and metrics
- 13.4 Warm pools and lifecycle hooks
Chapter 14 · Serverless with Lambda
- 14.1 The Lambda execution model
- 14.2 Triggers: API Gateway, S3, DynamoDB Streams, SQS
- 14.3 Dependency management and layers
- 14.4 Cold starts and strategies to reduce them
- 14.5 Limits and anti-patterns
Chapter 15 · Messaging and events
- 15.1 SQS: standard vs FIFO queues, DLQ
- 15.2 SNS: topics, subscriptions, fan-out
- 15.3 EventBridge: event buses and rules
- 15.4 Patterns: pub/sub, decoupling, saga
Chapter 16 · Content delivery and DNS
- 16.1 Route 53: record types and routing policies
- 16.2 CloudFront: distributions, caches and origins
- 16.3 ACM: free SSL/TLS certificates
- 16.4 WAF integrated with CloudFront
Chapter 17 · Containers on AWS
- 17.1 Docker: quick review of key concepts
- 17.2 ECR: private image registry
- 17.3 ECS: task definitions, services, Fargate vs EC2
- 17.4 EKS: when Kubernetes and when not
Chapter 18 · Modules: reuse and composition
- 18.1 Anatomy of a Terraform module
- 18.2 Input variables, outputs and dependencies
- 18.3 Local modules vs Terraform Registry modules
- 18.4 Module versioning with Git tags
- 18.5 Design of generic vs domain-specific modules
Chapter 19 · Workspaces and environment management
- 19.1 Terraform workspaces: use cases and limitations
- 19.2 Directory strategy per environment (dev/stg/prod)
- 19.3 Terragrunt: DRY for environment configurations
- 19.4 Environment variables and .tfvars files
Chapter 20 · Remote backends and locking
- 20.1 Configure S3 + DynamoDB as backend
- 20.2 State locking: avoiding team corruption
- 20.3 State migration between backends
- 20.4 terraform import: bring existing resources into state
Chapter 21 · Infrastructure testing
- 21.1 Terraform validate and fmt in CI
- 21.2 Checkov and tfsec: static security analysis
- 21.3 Terratest: integration tests in Go
- 21.4 Contract testing between modules
Chapter 22 · Terraform in CI/CD
- 22.1 Basic pipeline: lint → plan → apply in GitHub Actions
- 22.2 Atlantis: GitOps for Terraform
- 22.3 Terraform Cloud / HCP Terraform
- 22.4 Drift detection and automatic reconciliation
Chapter 23 · Defense in depth
- 23.1 AWS Organizations and Service Control Policies
- 23.2 AWS Config: continuous compliance
- 23.3 GuardDuty: threat detection
- 23.4 Security Hub: centralized view
- 23.5 KMS: key management and rotation
- 23.6 Secrets Manager vs Parameter Store
Chapter 24 · Observability: logs, metrics and traces
- 24.1 CloudWatch Logs, metrics and alarms
- 24.2 CloudWatch Dashboards and Contributor Insights
- 24.3 X-Ray: distributed tracing
- 24.4 OpenTelemetry on AWS
- 24.5 Managed Grafana and Managed Prometheus
Chapter 25 · Cost optimization
- 25.1 AWS Cost Explorer and budgets with alerts
- 25.2 Trusted Advisor and Compute Optimizer
- 25.3 Rightsizing: how to detect overprovisioning
- 25.4 Savings Plans vs Reserved Instances: strategic decision
- 25.5 FinOps: culture and processes to control spending
Chapter 26 · High availability and disaster recovery
- 26.1 RTO and RPO: defining objectives
- 26.2 Strategies: backup/restore, pilot light, warm standby, multi-site
- 26.3 Route 53 health checks and automatic failover
- 26.4 AWS Backup: centralized backup policy
Chapter 27 · AWS Well-Architected Framework
- 27.1 The six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, sustainability
- 27.2 Well-Architected Tool: formal reviews
- 27.3 How to apply the framework in design decisions
Chapter 28 · Serverless architectures at scale
- 28.1 Event-driven architecture with Lambda + EventBridge
- 28.2 Saga pattern for distributed transactions
- 28.3 Step Functions: orchestration of complex workflows
- 28.4 Lambda@Edge and CloudFront Functions
Chapter 29 · Data platforms on AWS
- 29.1 Data Lake with S3, Glue and Athena
- 29.2 Kinesis Data Streams and Firehose for streaming
- 29.3 Redshift: data warehousing at scale
- 29.4 Lake Formation: data governance
Chapter 30 · Multi-account and landing zones
- 30.1 Why separate workloads into different accounts
- 30.2 AWS Control Tower and Account Factory
- 30.3 Centralized log and security management
- 30.4 Terraform at multi-account scale with shared modules
Chapter 31 · Platform Engineering and Internal Developer Platform
- 31.1 Golden paths and abstractions over Terraform
- 31.2 AWS Service Catalog
- 31.3 Backstage as a developer portal
- 31.4 Terraform modules as internal product
Chapter 32 · Relevant AWS certifications
- 32.1 Cloud Practitioner: is it worth it?
- 32.2 Solutions Architect Associate → Professional
- 32.3 DevOps Engineer Professional
- 32.4 Specialty: Security, Database, Networking
- 32.5 HashiCorp Terraform Associate
Chapter 33 · Projects to consolidate what you've learned
- 33.1 Project 1: serverless blog (S3 + CloudFront + Lambda + DynamoDB)
- 33.2 Project 2: REST API with ECS Fargate + RDS + ALB
- 33.3 Project 3: data platform with Glue + Athena + Redshift
- 33.4 Project 4: multi-account landing zone with Terraform and Control Tower