How AWS Secrets Manager and KMS Work Together, Explained with an RDS Creation Use Case
The Terms — Encryption Key & Secret
- Key or Encryption Key: something you use to do the encryption
- Secret: can be an API key or a database user/pass
What makes you confused — the words ‘Key’ and ‘Secret’
The term ‘Key’ is used for two different things.
You must remember that Key here means Encryption Key.
In Secrets Manager, you input a secret as a Key/Value pair — the word ‘key’ there is not the same thing.
An encryption key is a secret too, but we put it in KMS, not Secrets Manager, so that encryption is automated.
A Secret Is Always Encrypted
There will be a ‘Key’ or ‘Encryption Key’ used to encrypt it.
For simplicity you can pick the default AWS-managed one.
You cannot have a secret without an encryption key.
Example Usage: Creating an RDS MySQL Database
We will try to create RDS MySQL with ‘encryption’.
There are 2 sections involved, with different purposes.
Section 1 — DB User/Pass Encrypted, Then Stored in Secrets Manager
You will see how ‘Secret’ and ‘Encryption key’ work together in AWS service provisioning.
- KMS encrypts the database user/pass with the aws/secretsmanager key
- The encrypted user/pass is stored in Secrets Manager
Section 2 — Database Encryption
This has nothing to do with section 1.
Here you encrypt the whole database storage with the aws/rds key.
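The two sections above as one provisioning flow in Python with boto3, written as an added example for this post (not code from the original article). It assumes the AWS-managed aliases alias/aws/secretsmanager and alias/aws/rds, and the instance id and secret name are constructed; the clients are passed in so the flow can be checked offline with fakes.

```python
"""Provision an encrypted RDS MySQL instance whose master credentials live in
Secrets Manager. Two distinct KMS keys are involved:
  - alias/aws/secretsmanager encrypts the secret itself   (Section 1)
  - alias/aws/rds encrypts the database storage           (Section 2)
Clients are injected so the flow can be exercised without AWS access."""
import json
import secrets
import string

SECRETS_KEY = "alias/aws/secretsmanager"  # AWS-managed key used by Secrets Manager
RDS_KEY = "alias/aws/rds"                 # AWS-managed key used by RDS storage encryption


def generate_password(length=24):
    """Random master password, generated at run time so it never sits in code or config."""
    alphabet = string.ascii_letters + string.digits + "!#$%^*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_db_credentials(sm, secret_name, username, password, kms_key_id=SECRETS_KEY):
    """Section 1: Secrets Manager encrypts the user/pass under the given KMS key."""
    resp = sm.create_secret(
        Name=secret_name,
        KmsKeyId=kms_key_id,
        SecretString=json.dumps({"username": username, "password": password}),
    )
    return resp["ARN"]


def create_encrypted_mysql(rds, instance_id, username, password, kms_key_id=RDS_KEY):
    """Section 2: RDS encrypts the storage under a different KMS key."""
    resp = rds.create_db_instance(
        DBInstanceIdentifier=instance_id,
        Engine="mysql",
        DBInstanceClass="db.t3.micro",
        AllocatedStorage=20,
        MasterUsername=username,
        MasterUserPassword=password,
        StorageEncrypted=True,
        KmsKeyId=kms_key_id,
    )
    return resp["DBInstance"]["DBInstanceArn"]


def provision(sm, rds, instance_id, username="admin"):
    """Run both sections; the same password goes to the secret and to the instance."""
    password = generate_password()
    secret_arn = store_db_credentials(sm, f"rds/{instance_id}/master", username, password)
    db_arn = create_encrypted_mysql(rds, instance_id, username, password)
    return {"secret_arn": secret_arn, "db_arn": db_arn}


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    print(provision(boto3.client("secretsmanager"), boto3.client("rds"), "demo-mysql"))
```

Note that the secret's KMS key and the storage KMS key are independent: rotating or revoking one does not affect the other.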