April 18, 2022

Top 20 AWS Secrets Manager Interview Questions and Answers



Think of AWS Secrets Manager as a safe deposit box: you store the valuables you don't want exposed publicly, such as critical papers and jewellery, and only you have access to them. In technical terms, AWS Secrets Manager stores and manages API keys, secret keys, client keys, tokens, DB credentials, and similar material.

Ques. 1): What is AWS Secrets Manager, and how does it work?


AWS Secrets Manager is a secret management service that helps you protect access to your applications, services, and IT resources. It makes it simple to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. With Secrets Manager you can safeguard and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

Ques. 2): What are the benefits of using AWS Secrets Manager?


AWS Secrets Manager protects access to your applications, services, and IT resources without the upfront investment and ongoing maintenance costs of running your own secrets infrastructure.

For IT managers, Secrets Manager is a secure and scalable way to store and manage secrets. Security administrators can monitor and rotate secrets without affecting applications, which helps them meet regulatory and compliance requirements. Developers who want to replace hardcoded secrets in their applications can retrieve secrets from Secrets Manager programmatically.

Ques. 3): What is the significance of a Secrets Manager?


There are two scenarios:

In server-side programmes it is sometimes simple to manage environment-specific secret values, because you can easily set environment-specific settings on each of the various servers. However, if we don't keep such data in code we risk losing it, and keeping those values in code or in a repository that is directly accessible to developers in the production environment is not encouraged.

A client-side application is another case. It is essentially static code in a static file, and storing secret values there is not secure.

In both circumstances Secrets Manager proves to be a lifesaver. Server-side code can use AWS credentials to manage and retrieve secret values from Secrets Manager. Client-side integration requires an STS token that provides temporary AWS credentials valid only for the Secrets Manager service.

Ques. 4): What am I able to accomplish with AWS Secrets Manager?


AWS Secrets Manager gives you centralised storage, retrieval, access control, rotation, auditing, and monitoring of secrets.

You can encrypt secrets at rest to reduce the chance of sensitive data being viewed by unauthorised individuals. To retrieve secrets, replace the plain-text secrets in your applications with code that uses the Secrets Manager APIs to pull those secrets in programmatically. To govern which users and applications have access to these secrets, you use AWS Identity and Access Management (IAM) policies. You can rotate passwords for supported database types hosted on AWS on a schedule or on demand, with no danger of affecting applications. By modifying the sample Lambda functions, you can extend this feature to rotate other secrets, such as passwords for Oracle databases hosted on Amazon EC2 or OAuth refresh tokens. Secrets Manager integrates with AWS CloudTrail, Amazon CloudWatch, and Amazon Simple Notification Service (Amazon SNS), allowing you to audit and monitor secrets.

Ques. 5): What are the advantages of using Secret Manager?


Secrets can be rotated safely (you can set an expiry and rotate values whenever needed).

Fine-grained policies can be used to control access (for example, a policy that allows developers to retrieve secret values).

Secrets are kept secure and audited centrally (it gives an audit trail of how often a secret was used and from which account).

You pay as you go (billed by the number of secrets stored and the number of API calls made to retrieve them).

Secrets can be easily replicated across multiple regions (cross-region access is allowed).

Ques. 6): In AWS Secrets Manager, what secrets can I manage?


Database credentials, on-premises resource credentials, SaaS application credentials, third-party API keys, and Secure Shell (SSH) keys are among the secrets you can manage. You can also save a JSON document in Secrets Manager, which lets you manage any text blob of 64 KB or smaller.

Ques. 7): With AWS Secrets Manager, what secrets can I rotate?


For Amazon Relational Database Service (RDS), Amazon DocumentDB, and Amazon Redshift, you can rotate credentials directly. By modifying the sample AWS Lambda functions available in the Secrets Manager documentation, you can extend Secrets Manager to rotate other secrets, such as credentials for Oracle databases hosted on EC2 or OAuth refresh tokens.

Ques. 8): How will these secrets be used in my application?


To begin, create an AWS Identity and Access Management (IAM) policy that allows your application to access specific secrets. Then, in the application's source code, replace plain-text secrets with code that retrieves those secrets programmatically using the Secrets Manager APIs. See the AWS Secrets Manager User Guide for further information and examples.

Ques. 9): What is required to access Secrets Manager?


AWS credentials (a combination of access key and secret key)

AWS SDK (server-side SDK or client-side SDK)

Ques. 10): What is the best way to get started with AWS Secrets Manager?


To get started with AWS Secrets Manager, follow these steps:

1. Find out what your secrets are and where they are used in your applications.

2. Using your AWS credentials, log in to the AWS Management Console and go to the Secrets Manager console.

3. Upload the secrets you discovered using the Secrets Manager console. You can also upload a secret using the AWS SDK or AWS CLI (once per secret), or use a script to upload a large number of secrets.

4. If your secret is not yet used by any application, follow the instructions in the console to set up automatic rotation. If applications are already using the secret, do steps (5) and (6) before enabling automatic rotation.

5. If other users or applications need to retrieve the secret, write an IAM policy that grants permissions to the secret.

6. Update your applications to retrieve secrets from Secrets Manager.

Ques. 11): What is the difference between Secrets Manager and Parameter Store?


Secrets Manager: It allows you to name and store a single string or binary value of up to 64 KB. KMS is used to encrypt the full value, with either the default or a customer-specified KMS key. The string is usually a JSON object, which the AWS Console parses and displays as individual name-value pairs for you to inspect or change. If you access the secret from the CLI or a programme, you have to parse it yourself.

Parameter Store: Individual values are stored using a hierarchical key in Parameter Store (like many others, I omit the "Systems Manager" part of its name). You can obtain individual keys, such as /database/username and /database/password, or all keys that begin with /database. Simple strings, comma-separated lists (which you must parse), and encrypted strings are all possible values (which also support default and custom KMS keys). You can choose whether or not to decrypt encrypted values while retrieving data.
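The difference described above shows up in code as two different parsing jobs. The example below is added here and is not from the post or the AWS SDK: it takes responses shaped like the SDK's GetSecretValue and GetParametersByPath output (constructed sample data, no AWS call) and normalises both into plain objects, splitting Parameter Store StringList values and decoding a base64 SecretBinary.

```javascript
'use strict';
// Added example (not from the post): normalising what the two services hand back.
// The responses below are constructed samples shaped like the SDK's GetSecretValue and
// GetParametersByPath output; nothing here talks to AWS.

// Secrets Manager: one SecretString (usually JSON) or one base64 SecretBinary per secret.
function parseSecretValue(resp) {
  if (typeof resp.SecretString === 'string') {
    try {
      return JSON.parse(resp.SecretString);         // JSON blob -> name/value pairs
    } catch (e) {
      return resp.SecretString;                     // plain string secret, returned as-is
    }
  }
  if (resp.SecretBinary !== undefined) {
    return Buffer.from(resp.SecretBinary, 'base64'); // caller decides how to decode the bytes
  }
  throw new Error('response carries neither SecretString nor SecretBinary');
}

// Parameter Store: many parameters under a hierarchical path. StringList values are
// comma-separated and must be split by the caller; SecureString arrives decrypted only
// if WithDecryption was requested.
function parametersByPath(resp, prefix) {
  const out = {};
  for (const p of resp.Parameters) {
    // exact path boundary, so '/database' does not also pick up '/databases/...'
    if (!(p.Name === prefix || p.Name.startsWith(prefix + '/'))) continue;
    const key = p.Name.slice(prefix.length).replace(/^\//, '');
    out[key] = p.Type === 'StringList' ? p.Value.split(',') : p.Value;
  }
  return out;
}

// Constructed sample responses (not real secrets)
const SAMPLE_SECRET = {
  Name: 'prod/db',
  SecretString: '{"username":"app","password":"s3cr3t","port":5432}',
};
const SAMPLE_BINARY = {
  Name: 'prod/cert',
  SecretBinary: Buffer.from('-----BEGIN CERT-----').toString('base64'),
};
const SAMPLE_PARAMS = {
  Parameters: [
    { Name: '/database/username', Type: 'String', Value: 'app' },
    { Name: '/database/password', Type: 'SecureString', Value: 's3cr3t' },
    { Name: '/database/replicas', Type: 'StringList', Value: 'r1,r2' },
    { Name: '/databases/other', Type: 'String', Value: 'ignored' },
    { Name: '/cache/host', Type: 'String', Value: 'redis' },
  ],
};

module.exports = { parseSecretValue, parametersByPath, SAMPLE_SECRET, SAMPLE_BINARY, SAMPLE_PARAMS };
```

Calling `parseSecretValue(SAMPLE_SECRET)` yields an object with `username`, `password` and `port`, while `parametersByPath(SAMPLE_PARAMS, '/database')` yields the three `/database/*` entries with `replicas` already split into an array; the `/cache/host` and `/databases/other` entries are filtered out by the path check.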

Ques. 12): How does AWS Secrets Manager handle database credential rotation while keeping apps running smoothly?


AWS Secrets Manager lets you set a schedule for database credential rotation, so you can follow security best practices and rotate your database credentials securely. When Secrets Manager starts a rotation, it uses the database superuser credentials you provided to create a clone user with the same privileges but a different password. The clone user's credentials are then stored as the new secret version, and the applications that retrieve the database credentials pick them up from there. The AWS Secrets Manager Rotation Guide explains rotation in more detail.

Ques. 13): Is it true that changing database credentials has an influence on open connections?


No. When a connection is established, authentication takes place. The open database connection is not re-authenticated when AWS Secrets Manager rotates a database credential.
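Because only new connections authenticate, the application-side pattern that survives a rotation (Ques. 12 and 13) is: cache the secret, keep existing connections open, and re-fetch from Secrets Manager only when a new connection is refused with an authentication error. The example below is added here and is not from the post; the Secrets Manager client and the database are constructed fakes so it runs offline, and `openConnection`, `CredentialSource` and the `AUTH_FAILED` error code are names chosen for this example.

```javascript
'use strict';
// Added example, not from the post. Demonstrates a rotation-tolerant credential cache:
// the first connection fetches the secret, the rotation leaves the open connection
// alone, and the next new connection detects the stale password and refreshes once.
// Both the Secrets Manager client and the database are constructed fakes.

// Constructed stand-in for the service: always returns the current (AWSCURRENT) version.
class FakeSecretsManager {
  constructor(initial) { this.current = initial; this.calls = 0; }
  rotate(newPassword) { this.current = { ...this.current, password: newPassword }; }
  async getSecretValue(params) {
    this.calls++;
    return { SecretString: JSON.stringify(this.current) };
  }
}

// Constructed stand-in for the database: authenticates only with the current password,
// and, like a real database, leaves already-open connections untouched on rotation.
class FakeDatabase {
  constructor(password) { this.password = password; this.open = []; }
  rotateTo(password) { this.password = password; }
  connect(username, password) {
    if (password !== this.password) {
      const e = new Error('auth failed'); e.code = 'AUTH_FAILED'; throw e;
    }
    const conn = { user: username, alive: true };
    this.open.push(conn);
    return conn;
  }
}

// Caches the parsed secret; get(true) forces a re-fetch after a suspected rotation.
class CredentialSource {
  constructor(client, secretId) { this.client = client; this.secretId = secretId; this.cached = null; }
  async get(force = false) {
    if (this.cached && !force) return this.cached;
    const resp = await this.client.getSecretValue({ SecretId: this.secretId });
    this.cached = JSON.parse(resp.SecretString);
    return this.cached;
  }
}

// Open a new connection; on an auth failure refresh the secret once and retry.
async function openConnection(db, creds) {
  let c = await creds.get();
  try {
    return db.connect(c.username, c.password);
  } catch (err) {
    if (err.code !== 'AUTH_FAILED') throw err;   // only a stale password is retried
    c = await creds.get(true);                   // cached password is stale after rotation
    return db.connect(c.username, c.password);
  }
}

// Drive the scenario: connect, rotate, connect again.
async function scenario() {
  const sm = new FakeSecretsManager({ username: 'app', password: 'pw-v1' });
  const db = new FakeDatabase('pw-v1');
  const creds = new CredentialSource(sm, 'prod/db');

  const before = await openConnection(db, creds);   // first fetch
  sm.rotate('pw-v2'); db.rotateTo('pw-v2');         // rotation happens
  const after = await openConnection(db, creds);    // stale cache -> one refresh fetch

  return { fetches: sm.calls, beforeAlive: before.alive, afterUser: after.user, openCount: db.open.length };
}

module.exports = { scenario, openConnection, CredentialSource, FakeSecretsManager, FakeDatabase };
```

Running `scenario()` resolves to two fetches in total (one initial, one refresh), with both connections open: the connection made before the rotation is still alive, which is exactly the behaviour the answer describes. Retrying only on the authentication error code keeps a network outage or a bad secret name from turning into a loop of Secrets Manager calls.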

Ques. 14): When AWS Secrets Manager rotates a database credential, how do I know?


When AWS Secrets Manager rotates a secret, you can set up Amazon CloudWatch Events to receive a signal. You can also use the Secrets Manager console or APIs to see when a secret was last rotated.

Ques. 15): What methods does AWS Secrets Manager use to keep my secrets safe?


AWS Secrets Manager protects data in transit with encryption keys you own and manage in the AWS Key Management Service (KMS). AWS Identity and Access Management (IAM) policies can be used to restrict access to the secret. When you retrieve a secret, Secrets Manager decrypts it and sends it to your local environment securely over TLS. The secret is not written or cached to persistent storage by default in Secrets Manager.

Ques. 16): In AWS Secrets Manager, who may use and manage secrets?


To regulate the access permissions of users and applications to retrieve or manage specific secrets, you can use AWS Identity and Access Management (IAM) policies. You can, for example, set up a policy that only allows developers to access secrets used in the development environment. Visit AWS Secrets Manager Authentication and Access Control for additional information.
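To make the "developers may only read development secrets" example concrete, here is an added example that is not from the post or from AWS: an IAM policy document scoped to secret names under `dev/`, plus a small local matcher that shows which requests it admits. The matcher is a simplified model of IAM's explicit-deny-wins and wildcard rules written for this example only (it ignores conditions and principals and is not AWS's evaluator); the account id in the ARNs is a placeholder.

```javascript
'use strict';
// Added example, not from the post. The policy grants read-only access to secrets whose
// name starts with "dev/" and explicitly denies every Secrets Manager action on "prod/*".
// isAllowed() is a simplified local model of IAM evaluation for illustration only.

const ACCOUNT = '123456789012';   // placeholder account id
const REGION = 'us-east-1';

const DEV_ONLY_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
      Resource: `arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:dev/*`,
    },
    {
      Effect: 'Deny',
      Action: 'secretsmanager:*',
      Resource: `arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:prod/*`,
    },
  ],
};

// IAM wildcard semantics: '*' matches any run of characters, '?' a single character.
function wildcardMatch(pattern, value) {
  const re = '^' + pattern.split('').map((ch) =>
    ch === '*' ? '.*' : ch === '?' ? '.' : ch.replace(/[.+^${}()|[\]\\]/g, '\\$&')).join('') + '$';
  return new RegExp(re).test(value);
}

const asList = (x) => (Array.isArray(x) ? x : [x]);

// Explicit Deny wins over any Allow; no matching statement is an implicit deny.
function isAllowed(policy, action, resourceArn) {
  let allowed = false;
  for (const st of policy.Statement) {
    const hit = asList(st.Action).some((a) => wildcardMatch(a, action)) &&
                asList(st.Resource).some((r) => wildcardMatch(r, resourceArn));
    if (!hit) continue;
    if (st.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Build a secret ARN for the placeholder account. Real secret ARNs carry a random
// suffix after the name (e.g. "dev/db-AbCdEf"), which the "dev/*" pattern still matches.
const secretArn = (name) => `arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:${name}`;

module.exports = { DEV_ONLY_POLICY, isAllowed, wildcardMatch, secretArn };
```

With this policy, `GetSecretValue` on `dev/db-AbCdEf` is allowed, the same action on `prod/db-AbCdEf` is denied, `PutSecretValue` on a dev secret is denied because nothing allows it, and a `staging/` secret is denied for the same reason. Note that the `dev/*` resource pattern relies on a naming convention; tagging secrets and using a condition on the tag is the alternative when names cannot be trusted to follow the convention.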

Ques. 17): How does AWS Secrets Manager encrypt my secrets?


AWS Secrets Manager encrypts your secrets using envelope encryption (AES-256) with keys held in AWS Key Management Service (KMS).

You can specify the AWS KMS key used to encrypt secrets when you first use Secrets Manager. If you don't provide a KMS key, Secrets Manager uses the AWS managed default key for your account. When a secret is stored, Secrets Manager requests a plaintext data key and an encrypted copy of that data key from KMS. Secrets Manager uses the plaintext data key to encrypt the secret in memory, then stores and maintains the encrypted secret together with the encrypted data key. When a secret is retrieved, Secrets Manager asks KMS to decrypt the data key (under the same KMS key) and uses the plaintext data key to decrypt the secret. The data key is never written to disk in plaintext, and the plaintext secret is never written to persistent storage.


Ques. 18): How will AWS Secrets Manager be invoiced and billed to me?


There is no minimum fee with Secrets Manager; you pay only for what you use. There are no set-up fees or commitments to start using the service. Your credit card is charged automatically for the month's usage at the end of the month. Each month you are charged for the number of secrets you store and the number of API requests you make to the service.

Visit AWS Secrets Manager pricing for the most up-to-date pricing information.


Ques. 19): Is there a free trial available?


Yes. The AWS Secrets Manager 30-day free trial lets you try Secrets Manager at no cost. During the 30-day trial you can rotate, manage, and retrieve secrets. The free trial begins when you store your first secret.


Ques. 20): How do I use Secrets Manager from Lambda?


The AWS docs (AWS Secrets Manager JavaScript (SDK V2) Code Examples) provide a sample for retrieving a secret. I built a wrapper class, SecretsManager, based on that reference; here is the code.

1. Create a SecretsManager.js file that loads aws-sdk and lets you access the secret.

'use strict'

const AWS = require('aws-sdk');

class SecretsManager {

    /**
     * Uses AWS Secrets Manager to retrieve a secret
     * @param {string} secretName  name or ARN of the secret
     * @param {string} region      AWS region the secret is stored in
     */
    static async getSecret (secretName, region){
        const config = { region : region }
        let secretsManager = new AWS.SecretsManager(config);
        try {
            let secretValue = await secretsManager.getSecretValue({SecretId: secretName}).promise();
            if ('SecretString' in secretValue) {
                // Text secret (usually a JSON document that the caller parses)
                return secretValue.SecretString;
            } else {
                // Binary secret: decode the base64 payload
                let buff = Buffer.from(secretValue.SecretBinary, 'base64');
                return buff.toString('ascii');
            }
        } catch (err) {
            if (err.code === 'DecryptionFailureException')
                // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'InternalServiceErrorException')
                // An error occurred on the server side.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'InvalidParameterException')
                // You provided an invalid value for a parameter.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'InvalidRequestException')
                // You provided a parameter value that is not valid for the current state of the resource.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else if (err.code === 'ResourceNotFoundException')
                // We can't find the resource that you asked for.
                // Deal with the exception here, and/or rethrow at your discretion.
                throw err;
            else
                // Anything else (for example missing IAM permissions or a network failure).
                throw err;
        }
    }
}

module.exports = SecretsManager;

2. Create an index.js file in your Lambda package that uses the SecretsManager.js class to retrieve a secret value.


/**
 * index.js
 */
const SecretsManager = require('./SecretsManager.js');

exports.handler = async (event) => {
    var secretName = '<SecretName>';
    var region = '<Region>';
    // Retrieve the secret at invocation time instead of hardcoding it in the package
    var apiValue = await SecretsManager.getSecret(secretName, region);
    // apiValue now holds the secret value for use by the handler (never log it)

    const response = {
        statusCode: 200,
        body: JSON.stringify('Hello from Lambda!'),
    };
    return response;
};


3. Go to console.aws.amazon.com/secretsmanager and create the secret entry that the code refers to.

4. That's it. Zip this code and upload it to Lambda.
