1 00:00:00,360 --> 00:00:02,250 ‫So now let's talk about a very simple service 2 00:00:02,250 --> 00:00:04,710 ‫called the AWS Secrets Manager. 3 00:00:04,710 --> 00:00:07,890 ‫So it's a newer service and it's meant for storing secrets 4 00:00:07,890 --> 00:00:11,190 ‫and it's going to be different from the SSM parameter store, 5 00:00:11,190 --> 00:00:15,120 ‫because on Secrets Manager, you have the capability to force 6 00:00:15,120 --> 00:00:18,060 ‫the rotation of secrets every X number of days, 7 00:00:18,060 --> 00:00:21,330 ‫and therefore you have a better secret management schedule. 8 00:00:21,330 --> 00:00:23,610 ‫On top of it, from within Secrets Manager, 9 00:00:23,610 --> 00:00:26,310 ‫you can force and automate the generation 10 00:00:26,310 --> 00:00:28,170 ‫of secrets on the rotation. 11 00:00:28,170 --> 00:00:30,390 ‫And for this, you have to define a Lambda function 12 00:00:30,390 --> 00:00:32,670 ‫that will generate that new secrets. 13 00:00:32,670 --> 00:00:36,060 ‫Moreover, Secrets Manager is really well integrated 14 00:00:36,060 --> 00:00:38,100 ‫with different services on AWS. 15 00:00:38,100 --> 00:00:40,080 ‫And I just showed you Amazon RDS 16 00:00:40,080 --> 00:00:43,620 ‫for example, for MySQL, PostgreSQL, SQL or Aurora. 17 00:00:43,620 --> 00:00:46,020 ‫But there are other services as well with AWS, 18 00:00:46,020 --> 00:00:47,850 ‫other databases, that are integrated 19 00:00:47,850 --> 00:00:49,680 ‫with Secrets Manager out of the box. 20 00:00:49,680 --> 00:00:52,230 ‫That means that the username and the password to get into 21 00:00:52,230 --> 00:00:55,410 ‫your database is stored directly in Secrets Manager 22 00:00:55,410 --> 00:00:57,750 ‫and it can be rotated and so on. 23 00:00:57,750 --> 00:01:01,260 ‫Now, Secrets can be encrypted using the KMS service. 24 00:01:01,260 --> 00:01:04,110 ‫And so anytime in the exam you see Secrets, 25 00:01:04,110 --> 00:01:06,090 ‫or integration for RDS, 26 00:01:06,090 --> 00:01:10,200 ‫or for Aurora of Secrets, really think Secrets Manager. 27 00:01:10,200 --> 00:01:11,730 ‫There's one more feature we need to know about 28 00:01:11,730 --> 00:01:14,820 ‫which is the concept of multi-region Secrets. 29 00:01:14,820 --> 00:01:17,340 ‫So the idea is that you can replicate your Secrets 30 00:01:17,340 --> 00:01:19,830 ‫across multiple AWS regions 31 00:01:19,830 --> 00:01:22,500 ‫and Secrets Manager Service will keep readers 32 00:01:22,500 --> 00:01:24,840 ‫in sync with the primary Secrets. 33 00:01:24,840 --> 00:01:26,250 ‫So here have two regions. 34 00:01:26,250 --> 00:01:28,440 ‫We create a Secret in the primary one 35 00:01:28,440 --> 00:01:30,900 ‫and it gets replicated as a same Secret 36 00:01:30,900 --> 00:01:33,090 ‫into a secondary region. 37 00:01:33,090 --> 00:01:34,260 ‫Now, why would we do this? 38 00:01:34,260 --> 00:01:35,790 ‫Well, multiple things. 39 00:01:35,790 --> 00:01:40,020 ‫Number one, in case there is a problem with US East 1, 40 00:01:40,020 --> 00:01:42,930 ‫you're able, for example, to promote a replica Secret 41 00:01:42,930 --> 00:01:45,060 ‫as a standalone secret. 42 00:01:45,060 --> 00:01:48,030 ‫And then thanks to the fact that that Secret is replicated 43 00:01:48,030 --> 00:01:51,600 ‫across regions, then you can build multiple regions apps. 44 00:01:51,600 --> 00:01:54,090 ‫You can also have disaster recovery strategies, 45 00:01:54,090 --> 00:01:57,240 ‫or if you have an RDS database that is also being replicated 46 00:01:57,240 --> 00:01:58,770 ‫from one region to the next, 47 00:01:58,770 --> 00:02:01,200 ‫then you can use the same Secret to access, 48 00:02:01,200 --> 00:02:04,050 ‫the same, the RDS database, the corresponding one, 49 00:02:04,050 --> 00:02:05,880 ‫in the corresponding region. 50 00:02:05,880 --> 00:02:07,260 ‫So that's it for this lecture. 51 00:02:07,260 --> 00:02:10,260 ‫I hope you liked it, and I will see you in the next lecture.