Secrets Management

Architecture

Encrypt application secrets with a dedicated customer-managed KMS key instead of the account's AWS-managed default key, and reference that key from wherever the secrets are stored or injected:

  • Secrets Manager for rotating credentials
  • SSM Parameter Store (SecureString parameters) for configuration secrets
  • Lambda environment variables for function secrets
  • ECS/EKS secrets for container workloads

When to Use

This pattern is ideal when you need:

  • Separate encryption keys per application or team, so that access to one key does not expose another team's secrets
  • Integration with secrets management services that support customer-managed keys (Secrets Manager, Parameter Store SecureString, Lambda, ECS/EKS)
  • Decrypt permission scoped to the application's runtime role rather than to everyone who can reach the secret store
  • Audit logging of secret access: every Decrypt against the key is recorded in CloudTrail with the calling principal and the encryption context (for Secrets Manager, the secret's ARN)

Implementation

Dedicated Key Per Application

Create one key per application (or per team) so that a compromised role can only decrypt the secrets that belong to it, and so the key can be disabled or rotated without affecting other workloads:
module "app_secrets_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  alias       = "alias/myapp-secrets"
  description = "Encryption key for MyApp secrets"
}

Access Control

Applications need both Secrets Manager and KMS permissions: GetSecretValue only returns the plaintext after Secrets Manager has called kms:Decrypt on the caller's behalf, so a role with only the Secrets Manager permission gets an access denied error from KMS. Writing or rotating a secret additionally requires kms:GenerateDataKey. KMS also evaluates the key policy, so the IAM policy below is only effective if the key policy either names the role directly or delegates to IAM through the account root principal:

data "aws_iam_policy_document" "app_secrets" {
  # Read only the secrets under this application's name prefix. Secrets Manager
  # appends a random suffix to every secret ARN, so the trailing wildcard is required.
  statement {
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue"
    ]
    resources = ["arn:aws:secretsmanager:*:*:secret:myapp/*"]
  }

  # Let Secrets Manager decrypt those secrets with the dedicated key on the caller's behalf.
  statement {
    effect = "Allow"
    actions = [
      "kms:Decrypt"
    ]
    resources = [module.app_secrets_key.key_arn]
  }
}
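The following is an added example, not code from this page or from the kms-key module, that wires the pieces above together: a secret encrypted under the dedicated key, the runtime role the application assumes, and a read policy that pins the secret ARN to the current account and region and restricts kms:Decrypt to calls made through Secrets Manager. The resource names (myapp/db-credentials, myapp-runtime) and the ECS trust policy are assumptions; module.app_secrets_key.key_arn is the module output used above.

```hcl
# Added example, not code from the page or the kms-key module. Names such as
# myapp/db-credentials and myapp-runtime are illustrative assumptions.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  region     = data.aws_region.current.name
  account_id = data.aws_caller_identity.current.account_id
}

# The secret, encrypted under the dedicated key instead of the default
# aws/secretsmanager key. Its name must fall under the myapp/ prefix that the
# read policy below is scoped to.
resource "aws_secretsmanager_secret" "db" {
  name       = "myapp/db-credentials"
  kms_key_id = module.app_secrets_key.key_arn
}

# The role the application runs as (here an ECS task role; a Lambda execution
# role would trust lambda.amazonaws.com instead).
data "aws_iam_policy_document" "app_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "myapp-runtime"
  assume_role_policy = data.aws_iam_policy_document.app_trust.json
}

data "aws_iam_policy_document" "app_secrets_read" {
  statement {
    sid     = "ReadAppSecrets"
    effect  = "Allow"
    actions = ["secretsmanager:GetSecretValue"]
    # Pin to this account and region rather than arn:aws:secretsmanager:*:*
    resources = [
      "arn:aws:secretsmanager:${local.region}:${local.account_id}:secret:myapp/*",
    ]
  }

  statement {
    sid       = "DecryptOnlyViaSecretsManager"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [module.app_secrets_key.key_arn]
    # kms:ViaService is set when an AWS service calls KMS on the principal's
    # behalf. Requiring it means the role can decrypt secrets through
    # GetSecretValue but cannot call kms:Decrypt directly on arbitrary
    # ciphertext encrypted under this key.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${local.region}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "app_secrets_read" {
  name   = "myapp-secrets-read"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.app_secrets_read.json
}
```

To check the result, run aws secretsmanager get-secret-value --secret-id myapp/db-credentials once as the myapp-runtime role and once as an unrelated role that only has secretsmanager:GetSecretValue. The second call should fail with an access denied error from KMS, because that role is not permitted to use the key.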

Considerations

  • Each KMS API call incurs a small cost, and Secrets Manager makes one Decrypt call per GetSecretValue; cache secret values in the application (the AWS Secrets Manager client-side caching libraries do this) rather than fetching on every request
  • S3 Bucket Keys reduce KMS costs for high-volume object encryption with SSE-KMS; they do not apply to Secrets Manager or Parameter Store traffic
  • Consider key aliases for environment-specific naming (for example alias/myapp-secrets-prod and alias/myapp-secrets-dev), with one key per environment so production secrets can never be decrypted with non-production credentials
  • Implement key policies that restrict administrative access: separate the key administrators (who manage the policy and lifecycle but cannot decrypt) from the key users (who may only Decrypt through Secrets Manager), and give neither more than it needs
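The following is an added example, not code from this page or from the kms-key module, of a key policy that enforces that last consideration: administrators get lifecycle and policy actions but no cryptographic actions, the application role may only Decrypt through Secrets Manager, and the rotation role additionally gets GenerateDataKey so it can write new secret versions. The role names (security-kms-admin, myapp-runtime, myapp-secret-rotation) are assumptions. It is shown on a plain aws_kms_key resource because the module's policy input is not documented on this page; pass the rendered JSON to whatever input the module exposes instead.

```hcl
# Added example, not code from the page or the kms-key module. Role names are
# illustrative assumptions.

data "aws_caller_identity" "key_account" {}
data "aws_region" "key_region" {}

locals {
  key_account_id = data.aws_caller_identity.key_account.account_id
  sm_service     = "secretsmanager.${data.aws_region.key_region.name}.amazonaws.com"
  key_admin      = "arn:aws:iam::${local.key_account_id}:role/security-kms-admin"
  app_role       = "arn:aws:iam::${local.key_account_id}:role/myapp-runtime"
  rotation_role  = "arn:aws:iam::${local.key_account_id}:role/myapp-secret-rotation"
}

data "aws_iam_policy_document" "app_secrets_key_policy" {
  # Administrators manage the key's lifecycle and policy but get no
  # cryptographic actions, so holding the admin role does not let you read
  # the secrets. The principal running terraform must be (or be able to
  # assume) this role; otherwise KMS's policy lockout safety check rejects
  # the policy on create. If this role is ever deleted the key becomes
  # unmanageable without AWS Support, so protect it accordingly.
  statement {
    sid = "KeyAdministration"
    principals {
      type        = "AWS"
      identifiers = [local.key_admin]
    }
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
  }

  # No statement grants the account root kms:*, so IAM policies in the
  # account cannot add further users of this key: only the principals named
  # here can use it, and only through Secrets Manager.
  statement {
    sid = "AppMayDecryptViaSecretsManager"
    principals {
      type        = "AWS"
      identifiers = [local.app_role]
    }
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = [local.sm_service]
    }
  }

  # Rotation writes new secret versions, which needs a data key as well as Decrypt.
  statement {
    sid = "RotationMayEncryptViaSecretsManager"
    principals {
      type        = "AWS"
      identifiers = [local.rotation_role]
    }
    actions   = ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = [local.sm_service]
    }
  }
}

resource "aws_kms_key" "app_secrets" {
  description         = "Encryption key for MyApp secrets"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.app_secrets_key_policy.json
}

resource "aws_kms_alias" "app_secrets" {
  name          = "alias/myapp-secrets"
  target_key_id = aws_kms_key.app_secrets.key_id
}
```

With this policy in place, an IAM policy granting kms:Decrypt on the key to some other role has no effect on its own, which is the point: the set of principals that can read the application's secrets is fully visible in one place, the key policy.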