1
00:00:00,500 --> 00:00:01,970
So, let's talk about the differences

2
00:00:01,970 --> 00:00:05,290
between the SSM Parameter Store and Secrets Manager.

3
00:00:05,290 --> 00:00:07,610
So, Secrets Manager is more expensive

4
00:00:07,610 --> 00:00:09,840
and you're going to have the automation

5
00:00:09,840 --> 00:00:13,050
of the rotation of the secrets using Lambda functions.

6
00:00:13,050 --> 00:00:14,300
Some of these Lambda functions

7
00:00:14,300 --> 00:00:15,940
are going to be provided out of the box,

8
00:00:15,940 --> 00:00:19,050
for example, for RDS, for Redshift or DocumentDB

9
00:00:19,050 --> 00:00:22,180
that have strong integrations with Secrets Manager.

10
00:00:22,180 --> 00:00:24,040
So, it saves you a little bit of time.

11
00:00:24,040 --> 00:00:27,110
KMS encryption is going to be mandatory for your secrets

12
00:00:27,110 --> 00:00:29,500
and you can integrate them with CloudFormation.

13
00:00:29,500 --> 00:00:31,360
The Parameter Store has

14
00:00:31,360 --> 00:00:33,700
a wider range of use cases and is less expensive.

15
00:00:33,700 --> 00:00:35,530
It has a simple API.

16
00:00:35,530 --> 00:00:36,920
There is no secrets rotation,

17
00:00:36,920 --> 00:00:38,630
although, I will show you in the next slide,

18
00:00:38,630 --> 00:00:41,240
how you can enable rotation on your own

19
00:00:41,240 --> 00:00:43,430
using a Lambda function triggered by CloudWatch Events,

20
00:00:43,430 --> 00:00:45,310
but this is not a native feature.

21
00:00:45,310 --> 00:00:47,060
KMS encryption is going to be optional

22
00:00:47,060 --> 00:00:48,260
because you can store secrets

23
00:00:48,260 --> 00:00:50,457
or just parameters in the Parameter Store.

24
00:00:50,457 --> 00:00:52,850
And it also has integration with CloudFormation,

25
00:00:52,850 --> 00:00:56,200
and it is possible for you to pull a secret

26
00:00:56,200 --> 00:00:58,470
from Secrets Manager

27
00:00:58,470 --> 00:01:00,257
using the SSM Parameter Store API,

28
00:01:00,257 --> 00:01:01,560
the CW Events,

29
00:01:01,560 --> 00:01:03,790
But so, if you have a look at rotation of secrets

30
00:01:03,790 --> 00:01:06,520
between the Parameter Store and Secrets Manager,

31
00:01:06,520 --> 00:01:08,180
well, first for Secrets Manager,

32
00:01:08,180 --> 00:01:10,320
say, we want to rotate the password

33
00:01:10,320 --> 00:01:12,350
of an Amazon RDS database.

34
00:01:12,350 --> 00:01:14,620
Therefore, we are going to set up Secrets Manager

35
00:01:14,620 --> 00:01:18,280
to automatically invoke a Lambda function every 30 days.

36
00:01:18,280 --> 00:01:19,310
Now, there's another function,

37
00:01:19,310 --> 00:01:22,370
for example, for RDS, that is provided by AWS

38
00:01:22,370 --> 00:01:24,540
and is deployed in your accounts by AWS,

39
00:01:24,540 --> 00:01:27,910
you just need to use it through Secrets Manager.

40
00:01:27,910 --> 00:01:30,200
What it will do is that it will change the password

41
00:01:30,200 --> 00:01:32,040
of your Amazon RDS database.

42
00:01:32,040 --> 00:01:34,180
So, this is a native functionality.

43
00:01:34,180 --> 00:01:36,520
And in case it is just a random secret

44
00:01:36,520 --> 00:01:39,280
that is not deeply integrated with Secrets Manager,

45
00:01:39,280 --> 00:01:41,940
then you need to write your own Lambda function for it.

46
00:01:41,940 --> 00:01:45,440
But again, the documentation is provided by AWS.

47
00:01:45,440 --> 00:01:46,840
Now, for the SSM Parameter Store,

48
00:01:46,840 --> 00:01:49,010
there is no native feature for the rotation,

49
00:01:49,010 --> 00:01:52,060
but let's say, you were storing an RDS database password

50
00:01:52,060 --> 00:01:54,020
into the SSM Parameter Store,

51
00:01:54,020 --> 00:01:57,100
then what I would do is to create a CloudWatch Events rule

52
00:01:57,100 --> 00:01:59,340
that would be invoked every 30 days,

53
00:01:59,340 --> 00:02:01,020
and that will invoke a Lambda function

54
00:02:01,020 --> 00:02:02,840
that you would have to write on your own

55
00:02:02,840 --> 00:02:05,973
to change the password of your Amazon RDS database,

56
00:02:05,973 --> 00:02:08,890
and also to change the value of it

57
00:02:10,010 --> 00:02:12,960
that is stored in your SSM Parameter Store.

58
00:02:12,960 --> 00:02:13,990
So, hopefully that makes sense

59
00:02:13,990 --> 00:02:14,980
as to what the differences are

60
00:02:14,980 --> 00:02:17,930
between Secrets Manager and the SSM Parameter Store.

61
00:02:17,930 --> 00:02:18,930
I hope you liked this lecture

62
00:02:18,930 --> 00:02:20,880
and I will see you in the next lecture.