Why architecture matters here

Secrets Manager fails when rotation Lambda breaks + no monitoring. Architecture matters because versions + Lambda + audit compose.

Advertisement

The architecture: every piece explained

The top strip is basics. Secret create. Versions. GetSecretValue. IAM + resource policy.

The middle row is rotation. Rotation Lambda. Auto-generate password. Multi-region. Encryption.

The lower rows are ops. CloudTrail audit. Cost. Ops — rotation drill + recovery + monitoring.

AWS Secrets Manager — versions + rotation + Lambda + auto-generated + auditmanaged secrets service with rotationSecret createseededVersionsAWSCURRENT / PREVIOUS / PENDINGGetSecretValueapp read APIIAM + resource policyaccessRotation Lambdacustom or templateAuto-generate passwordcomplexity policyMulti-regionreplicateEncryptionKMS defaultCloudTrail auditevery accessCostper secret + per API callOps — rotation drill + recovery + monitoringrotategenreplicateencryptlogbudgetbudgetoperateoperate
AWS Secrets Manager lifecycle with rotation Lambda.
Advertisement

End-to-end flow

End-to-end: DB password secret rotates every 30 days. Lambda updates DB user password → sets AWSPENDING → tests → promotes to AWSCURRENT. App uses GetSecretValue with in-memory caching. Multi-region replica available for DR.