AWS Secrets Manager vs KMS: Differences & Synergies

October 26, 2023

min

AWS Secrets Manager and Key Management Service (KMS) are services offered by Amazon Web Services (AWS) that play distinct roles in managing and securing sensitive information within your applications. Unpacking the AWS Secrets Manager vs KMS topic can be tricky. The tools are related and work together, but their use cases and functionality are different.

This article will explain how these products integrate into a well-designed cloud architecture, essential best practices, and how third-party tools can address use cases these native AWS tools cannot.

AWS Secrets Manager vs. KMS: A summary of key concepts

The table below summarizes the similarities and differences in AWS Secrets Manager vs KMS. The sections later in this article will explore these topics in more detail.

Concept	AWS Secrets Manager	AWS KMS
Primary use cases	Focuses on secret storage and rotation.	Focuses on Encryption key creation and management.
Complementary use cases	Store configuration parameters and secrets required by your applications in Secrets Manager. Use KMS to encrypt sensitive configuration data stored in Secrets Manager, providing an extra layer of security.	Multi-layer security uses KMS to encrypt data across your applications at rest and in transit. It utilizes Secrets Manager to ensure application secrets are securely managed and rotated regularly.
Pricing model	Monthly charges apply for each secret and the cost associated with API call usage.	Per key per month, with a tiered usage fee by region.
Benefits	Simplifies the management of sensitive credentials, enhancing security through automated rotation.	Offers a solution for managing encryption keys, ensuring the security of your data, and simplifying the implementation of encryption across your AWS environment.
Limitations	Regional service, no built-in global replication or cross-region replication, and doesn't provide detailed version history or tracking for secrets.	Regional service, no built-in global or cross-region replication, only supports a predefined set of encryption algorithms and does not allow you to export the plaintext key material from the service.
Access management considerations	Use AWS Identity and Access Management (IAM) policies to control who can create, access, and manage secrets in AWS Secrets Manager. Create policies that grant the least privilege necessary.	Use Key policies to control who can manage and use KMS keys. Key policies are separate from IAM policies and provide more granular control over Key operations.
Initial setup instructions	Setting up AWS Secrets Manager using the AWS CLI. Example: Using Terraform to set up and create secrets with Secrets Manager.	Set up AWS KMS using the AWS CLI. Example: Using Terraform to set up and create keys with KMS.
Best practices	Following these best practices will help you maintain the confidentiality and integrity of your sensitive information stored in AWS Secrets Manager.	By adhering to best practices, you can ensure the secure management and utilization of cryptographic keys using AWS Key Management Service.

AWS Secrets Manager vs KMS: Primary use cases

AWS Secrets Manager and KMS services work together to provide a comprehensive approach to securing both your access to resources and your data's confidentiality.

The role of AWS Secrets Manager

The primary purpose of AWS Secrets Manager is to securely store, manage, and rotate sensitive information, such as passwords, API keys, tokens, and other credentials, used by your applications, services, and databases. It helps you avoid hardcoding these secrets in your codebase, reducing the risk of exposure due to accidental leaks or vulnerabilities. Secrets Manager automatically rotates specific types of secrets, ensuring it updates credentials for improved security. It also offers centralized access control and auditing capabilities to monitor who accesses and manages secrets.

The role of KMS

The primary purpose of KMS is to manage cryptographic keys used for encrypting and decrypting your data. KMS provides a centralized and scalable solution for key management, allowing you to secure your data at rest and in transit across various AWS services and applications. It offers encryption key creation, storage, rotation, and access controls. KMS encrypts data in databases, storage services, and applications.

AWS Secrets Manager vs. KMS: Complementary use cases

Given how they work, there are multiple complementary use cases for AWS Secrets Manager and KMS. Let’s take a look at two practical examples.

Storing and rotating database credentials

Credential rotation is a key aspect of credential management. Here is how AWS Secrets Manager and KMS can help.

Secrets Manager: Use Secrets Manager to securely store and automatically rotate database passwords, connection strings, and other sensitive credentials. Reducing the risk of long-lived credentials compromise.
KMS: Use KMS to encrypt the database credentials stored in Secrets Manager. Adding a layer of security ensures that even if the Secrets Manager data store is compromised, the credentials remain encrypted.

Multi-layer security

Defense-in-depth is essential for a strong security posture. Secrets Manager and KMS can help organizations implement multi-layer security and reduce risk.

Secrets Manager: Utilize Secrets Manager to ensure sensitive application secrets are managed securely and rotated regularly, reducing the risk of unauthorized access.
KMS: Use KMS to encrypt data at rest and in transit across your applications.

AWS Secrets Manager vs KMS: Pricing model

Price is essential to determining a tool’s feasibility in a given environment. The sections below break down AWS Secrets Manager vs. KMS pricing at the time of this writing. Pricing is subject to change. Please refer to Amazon AWS documentation for current pricing.

AWS Secrets Manager pricing

Secrets are $0.40 per secret per month. A replica secret is considered a distinct secret and billed at $0.40 per monthly replica. For secrets stored for less than a month, the price is prorated based on the number of hours. There is also an additional $0.05 per 10,000 API calls a month. For further details, refer to the AWS pricing calculator.

AWS KMS pricing

Each AWS KMS key you create in AWS KMS costs $1/month (prorated hourly). The $1/month charge is the same for symmetric, asymmetric, HMAC, and multi-region keys (each primary and each replica multi-region key). Suppose you enable automatic key rotation; each newly generated backing key costs an additional $1/month (prorated hourly). This fee covers the cost to AWS KMS for retaining all versions of the key material.

AWS Secrets Manager vs KMS: Benefits

AWS Secrets Manager and KMS provide different business benefits, given their functionality and use cases. Let’s take a closer look at the benefits of each of these AWS tools.

AWS Secrets Manager benefits

AWS Secrets Manager helps streamline and secure secrets management workflows. Here are seven of the core benefits of Secrets Manager:

Centralized management: AWS Secrets Manager provides a centralized location to manage, rotate, and retrieve sensitive credentials across your applications and services.
Automated rotation: One of the key features of AWS Secrets Manager is automatic secret rotation.
Increased security: Secrets are encrypted using AWS Key Management Service (KMS), providing strong encryption to protect sensitive data at rest and in transit.
Access control: Secrets Manager allows you to control access to secrets using AWS IAM policies.
Auditing and logging: Secrets Manager provides logging capabilities that allow you to track when secrets were accessed, rotated, or modified.
High availability and durability: Secrets stored in AWS Secrets Manager benefit from AWS infrastructure's high availability and durability.
Simplified compliance: AWS Secrets Manager helps you meet compliance requirements by providing secure and auditable handling of sensitive data.

AWS KMS benefits

AWS KMS offers its own unique but somewhat overlapping benefits. Here are seven AWS KMS benefits.

Centralized key management: AWS KMS provides a centralized and scalable way to manage cryptographic keys across various AWS services and applications.
Strong security and encryption: AWS KMS allows you to encrypt data using industry-standard cryptographic algorithms.
Integrated with AWS Services: AWS KMS integrates with various AWS services, such as Amazon S3, Amazon RDS, Amazon EBS, Amazon Redshift, and more.
Granular access control: With AWS KMS, you can define fine-grained access policies using AWS Identity and Access Management (IAM).
Key rotation: AWS KMS supports key rotation, allowing you to automatically or manually rotate encryption keys regularly.
Custom Key Store: AWS KMS enables you to create and manage custom key stores, which provide greater control over where your keys are stored.
Auditing and logging: AWS KMS provides logs that track key usage and management activities.
Compliance and certifications: AWS KMS enables you to meet various compliance requirements, including HIPAA, PCI DSS, and others.

Limitations of AWS Secrets Manager and KMS

AWS Secrets Manager and KMS are valuable tools for organizations that use AWS services, but they have several shortcomings. The sections below break down some of the most significant limitations of these two popular AWS services.

AWS Secrets Manager limitations

While AWS Secrets Manager offers many benefits, it also has some limitations organizations should consider. Here are the eleven most notable AWS Secrets Manager limitations:

Bound to a region: AWS Secrets Manager is a regional service, meaning the secrets you create are specific to a particular AWS region.
No Global replication: Unlike some other AWS services, Secrets Manager has no built-in global or cross-region replication.
Costs: The cost of using Secrets Manager can accumulate, especially if you're frequently rotating secrets or using them in many applications.
No versioning for secrets: While Secrets Manager supports secret versioning, it's worth noting that it doesn't provide detailed version history or tracking for secrets.
Lack of local development and IDE support: The absence of local development and IDE support burdens developers.
Limited integration outside of AWS: While Secrets Manager integrates well with AWS services, hybrid-cloud environments will require additional effort.
Lack of organizational structures: AWS Secrets Manager has no inherent organizational structure like projects or environments. This limitation leads to disorganization and inconsistent path naming conventions.
Lambda functions are required for custom rotation: If you want to implement custom rotation for secrets not natively supported by Secrets Manager, you'll need to use AWS Lambda functions.
Limited usage control for rotations: While Secrets Manager offers automated rotation for certain types of secrets, you might need more control over the rotation process, which could be a concern in scenarios where specific rotation policies are required.
Resource limits: There are limits on the number of secrets you can create and the data size associated with each secret. Ensure that these limits align with your application's requirements.
Creates dependencies on AWS services: This might be fine if your organization relies solely on AWS. However, Relying heavily on AWS services like Secrets Manager could introduce dependencies if you have a multi-cloud or hybrid cloud strategy.

How to overcome AWS Secrets Manager limitations

It's essential to carefully consider these limitations when evaluating whether AWS Secrets Manager is the right solution for your use cases. Third-party solutions like Doppler can act as the single source of truth across your tech stack, overcoming many of the mentioned limitations without losing any of the native AWS functionality required for applications hosted in AWS.

AWS KMS limitations

Despite offering robust encryption key management, AWS KMS has some limitations organizations should consider before leveraging the popular tool. Here are the seven most notable AWS KMS limitations:

Bound to a region: Like AWS Secrets Manager, AWS KMS is a regional service, meaning the keys you create are limited to a specific AWS region.
No cross-region replication: While AWS KMS supports multi-region keys for disaster recovery, it doesn't offer automatic cross-region replication of keys.
No custom algorithms: AWS KMS supports a predefined set of encryption algorithms. If your use case requires a custom algorithm, something other than AWS KMS might be suitable.
Key length limitations: The cryptographic algorithms that AWS KMS can handle limit the length of symmetric keys.
Pricing complexity: The pricing model for AWS KMS can be complex, as you're charged based on the number of requests you make to the service and key usage. Estimating costs accurately can become difficult due to this factor.
Limited third-party integrations: While AWS KMS integrates seamlessly with many AWS services, integrating it with non-AWS applications or services might require more effort, especially if those services don't have native KMS integration.
Lack of key material exports: AWS KMS does not allow you to export the plaintext key material from the service, which can be a limitation if you need to migrate keys to a different environment.

Despite these limitations, AWS KMS provides a strong foundation for managing encryption keys in the AWS ecosystem, especially when integrated into a multi-platform secrets management system.

Nine essential access management considerations

Managing access to AWS Secrets Manager and AWS KMS is crucial for maintaining the security and integrity of your sensitive data and encryption keys. Here are eight access management considerations for both services:

AWS Organizations: An AWS Organization provides a consolidated way to manage multiple AWS accounts, allowing you to centralize and streamline various aspects of your AWS usage.
IAM policies: Use AWS Identity and Access Management (IAM) policies to control who can create, access, and manage secrets in AWS Secrets Manager. Assign IAM policies to users or roles that need to use KMS keys in their applications.
Fine-grained access: Leverage IAM policy conditions to enforce granular controls, such as restricting access based on specific tags or requiring multi-factor authentication for specific actions.
Resource-level policies: Implement resource-level policies to control access to individual secrets.
Audit logging: Enable AWS CloudTrail to log all API actions related to Secrets Manager. Monitor CloudTrail logs to track who accessed, modified, or rotated secrets.
Key policies: To control who can manage and use KMS keys. Key policies are separate from IAM policies and provide more granular control over key operations.
Key grants: Use key grants to access specific KMS keys without modifying the key policy. Key grants allow granting cross-account access or specific permissions to individual users.
Audit trails: Enable CloudTrail logging for KMS to monitor all key-related API actions.
Limiting administrative access: Use IAM policies to restrict administrative actions on KMS keys to only trusted administrators.

How to use AWS Secrets Manager

The steps below detail how to use AWS Secrets Manager to create and retrieve a secret.

Prerequisite: Install and configure the AWS CLI

Install and configure the AWS CLI with your credentials if you haven't already.

Create a secret

You can use the create-secret command to create a secret using AWS CLI. Here's an example of how to create a secret named "MyDatabaseSecret" with a username and password:

aws secretsmanager create-secret \
--name MyDatabaseSecret \
--description "My secret for database access" \
--secret-string '{"username":"mydbuser", "password":"mydbpassword"}'

Replace "mydbuser" and "mydbpassword" with your database username and password.

Retrieve the secret value

To retrieve the secret value, you can use the get-secret-value command:

aws secretsmanager get-secret-value --secret-id MyDatabaseSecret

This command will return the JSON-encoded secret value, which you can parse to get the username and password.

How to use KMS

Let’s look at using AWS KMS to create, rotate, and view key details.

Create a KMS key

To create a KMS key, you can use the create-key command.

aws kms create-key --description "My KMS Key"

This command will create a new KMS key with the specified description.

Enable key rotation (optional)

You can enable automatic key rotation for enhanced security. Use the enable-key-rotation command:

aws kms enable-key-rotation --key-id <your-key-id>

Replace <your-key-id> with the key ID you received when creating the key.

List keys

You can list your KMS keys using the list-keys command:

aws kms list-keys

This command will provide a list of KMS keys associated with your account.

Get more details about a key

If you want more details about a specific key, use the describe-key command:

aws kms describe-key --key-id <your-key-id>

Terraform examples for AWS Secrets Manager vs KMS

In this example, we're using Terraform to create an AWS Secrets Manager secret named "MySecret" with a secret string containing a username and password.

provider "aws" {
  region = "us-east-1"  # Change this to your desired region
}

resource "aws_secretsmanager_secret" "my_secret" {
  name = "MySecret"
  description = "My secret for database access"
}

resource "aws_secretsmanager_secret_version" "my_secret_version" {
  secret_id     = aws_secretsmanager_secret.my_secret.id
  secret_string = jsonencode({
    username = "mydbuser",
    password = "mydbpassword"
  })
}

In this example, we're using Terraform to create an AWS KMS key named "My KMS Key."

provider "aws" {
  region = "us-east-1"  # Change this to your desired region
}

resource "aws_kms_key" "my_key" {
  description             = "My KMS Key"
  deletion_window_in_days = 7  # Change this value as needed
}

output "key_arn" {
  value = aws_kms_key.my_key.arn
}

Ten AWS Secrets Manager and KMS best practices

The ten best practices below can help organizations get the most out of AWS Secrets Manager and KMS.

Use Secrets Manager for sensitive data: Use Customer Managed Keys (CMKs) for sensitive data and applications that require more control over encryption keys, allowing you to have fine-grained access control and audit capabilities.
Leverage automatic rotation: AWS Secrets Manager offers automated secret rotation, simplifying the critical process of regularly updating sensitive credentials or keys, ensuring improved security, and reducing manual management efforts.
Enforce least privilege access: The principle of least privilege access means granting only the minimum necessary permissions to users, roles, or services, reducing the risk of unauthorized access and potential security breaches.
Use tagging and resource naming: Employing consistent tagging and resource naming conventions in your cloud environment improves organization and simplifies resource management and tracking, enhancing operational efficiency.
Monitor and audit: Regularly monitoring and auditing your systems and services helps detect and respond promptly to security issues and compliance violations, bolstering your overall security posture.
Enable key rotation: Enabling key rotation ensures that encryption keys and secrets are automatically updated regularly, reducing the risk of exposure due to compromised or outdated keys.
Centralize key management: Centralized key management streamlines the administration and protection of encryption keys, ensuring a consistent and secure approach across your organization's cloud resources.
Segregate duties: Integrating duties involves separating tasks and responsibilities among different individuals or teams to prevent conflicts of interest and enhance security controls within your organization.
Enforce key management and protection: Properly managing and protecting encryption keys is essential for safeguarding sensitive data, ensuring that keys are stored securely, and access is limited to authorized entities.
Monitor key usage: Continuous monitoring of key usage helps detect suspicious or unauthorized activities involving encryption keys, enabling quick response to potential security threats.

How to address the limitations of AWS Secrets Manager

Third-party tools Like Doppler can address many of the limitations inherent in AWS Secrets Manager and provide robust RBAC capabilities and integrations with other cloud providers and platforms like GitHub, extending seamless secret management workflows beyond AWS.

Doppler also addresses these key issues:

Unified management: A single dashboard removing the need to toggle between AWS accounts.
Streamlined secrets propagation: Allowing developers to share secrets across environments, reducing errors.
Enhanced local development: Dopplers CLI increases developer productivity.
Seamless Integration: Doppler’s native support for AWS makes adoption painless.

‍Summary of key concepts

Secrets Manager focuses on managing and rotating application secrets, while KMS provides a broader set of features for encryption key management. Together, they enhance security by controlling access to sensitive data and encryption keys within AWS environments. Combined with Doppler, they become part of a seamlessly integrated platform that can address use cases native AWS tools miss.