1
00:00:00,280 --> 00:00:01,160
‫Okay, so now let's

2
00:00:01,160 --> 00:00:03,010
‫talk about Secrets Manager.

3
00:00:03,010 --> 00:00:05,440
‫So this is a newer kind of service and it is meant

4
00:00:05,440 --> 00:00:08,220
‫for storing secrets, as the name indicates.

5
00:00:08,220 --> 00:00:10,230
‫So Secrets Manager is a great way to store secrets,

6
00:00:10,230 --> 00:00:12,580
‫but on top of it, you can force the rotation

7
00:00:12,580 --> 00:00:14,430
‫of these secrets, I mean, they have to change

8
00:00:14,430 --> 00:00:16,150
‫every X number of days.

9
00:00:16,150 --> 00:00:18,800
‫For example, you can say, "Okay, every 90 days,

10
00:00:18,800 --> 00:00:21,040
‫I want to change my passwords."

11
00:00:21,040 --> 00:00:23,440
‫And so, you can do this in Secrets Manager.

12
00:00:23,440 --> 00:00:25,400
‫You can automate the generation

13
00:00:25,400 --> 00:00:27,680
‫of these secrets using Lambda.

14
00:00:27,680 --> 00:00:31,040
‫And it has an integration with Amazon RDS.

15
00:00:31,040 --> 00:00:33,280
‫So using the Secrets Manager, we can create

16
00:00:33,280 --> 00:00:36,130
‫the passwords for Amazon RDS automatically.

17
00:00:36,130 --> 00:00:38,300
‫The secrets are going to be encrypted using KMS,

18
00:00:38,300 --> 00:00:40,250
‫that we just saw from before, automatically.

19
00:00:40,250 --> 00:00:42,250
‫And so from an exam perspective,

20
00:00:42,250 --> 00:00:46,300
‫anytime you see a secret to be managing in RDS

21
00:00:46,300 --> 00:00:49,930
‫and to be rotated, you have to think about Secrets Manager.

22
00:00:49,930 --> 00:00:50,920
‫It is a paid service,

23
00:00:50,920 --> 00:00:53,570
‫but I'll just show you how it works very briefly.

24
00:00:53,570 --> 00:00:55,780
‫So let's find the Secrets Manager UI.

25
00:00:55,780 --> 00:00:59,840
‫So I'll go into Secrets Manager and from there,

26
00:00:59,840 --> 00:01:02,350
‫I will be able to create and manage secrets.

27
00:01:02,350 --> 00:01:04,720
‫So as you can see, they can be rotated, they can be managed,

28
00:01:04,720 --> 00:01:07,250
‫and retrieved throughout their lifecycle.

29
00:01:07,250 --> 00:01:09,410
‫I'm going to store a new secret

30
00:01:09,410 --> 00:01:11,530
‫and if you see, before the pricing,

31
00:01:11,530 --> 00:01:13,970
‫it says it's 40 cents per secret per month

32
00:01:13,970 --> 00:01:15,340
‫and then you're going to pay for API call,

33
00:01:15,340 --> 00:01:17,860
‫but you get a 30-day free trial available.

34
00:01:17,860 --> 00:01:19,830
‫So we can store a new secret

35
00:01:19,830 --> 00:01:22,230
‫and the secret can be a credential for a database,

36
00:01:22,230 --> 00:01:25,220
‫for example, for RDS or for Redshift

37
00:01:25,220 --> 00:01:28,090
‫or for another database or for another type of secret.

38
00:01:28,090 --> 00:01:29,320
‫So this is where you can enter

39
00:01:29,320 --> 00:01:32,090
‫whatever you want as a secret.

40
00:01:32,090 --> 00:01:34,300
‫But, for example, as with for RDS database,

41
00:01:34,300 --> 00:01:37,060
‫you need to specify the user name and the password,

42
00:01:37,060 --> 00:01:39,390
‫as well as how the secret will be encrypted

43
00:01:39,390 --> 00:01:42,820
‫and which RDS database will be linked to that secret.

44
00:01:42,820 --> 00:01:43,870
‫So we can't do this right now

45
00:01:43,870 --> 00:01:45,750
‫because we don't have an RDS database,

46
00:01:45,750 --> 00:01:48,710
‫but if we wanted to store just a random kind of secret,

47
00:01:48,710 --> 00:01:51,920
‫we could say password and then here

48
00:01:51,920 --> 00:01:54,080
‫you could say MYSECRETPASSWORD.

49
00:01:55,695 --> 00:01:57,670
‫And this will be the value of our secret.

50
00:01:57,670 --> 00:01:58,670
‫And then you just choose, again,

51
00:01:58,670 --> 00:02:00,460
‫how you would encrypt that secret.

52
00:02:00,460 --> 00:02:01,710
‫Then you would click on next

53
00:02:01,710 --> 00:02:03,210
‫and then you would give the secret a name,

54
00:02:03,210 --> 00:02:08,210
‫for example, myproductionapplicationpassword,

55
00:02:08,280 --> 00:02:10,990
‫which is a terrible name and then you click on next

56
00:02:10,990 --> 00:02:13,590
‫and then when you're ready, you can configure the secret.

57
00:02:13,590 --> 00:02:16,440
‫So, do you want it to have automatic rotation or not?

58
00:02:16,440 --> 00:02:17,870
‫And yes, I want it.

59
00:02:17,870 --> 00:02:20,740
‫I want it to be rotating every 30 days, for example,

60
00:02:20,740 --> 00:02:22,410
‫and then choose the Lambda function

61
00:02:22,410 --> 00:02:24,010
‫that will be rotating the password for me.

62
00:02:24,010 --> 00:02:26,070
‫So you would need to create it in advance.

63
00:02:26,070 --> 00:02:28,210
‫When you're done, you can review everything

64
00:02:28,210 --> 00:02:30,915
‫and see that yes, we have created a secret,

65
00:02:30,915 --> 00:02:32,650
‫it will have some secret value,

66
00:02:32,650 --> 00:02:35,720
‫automatic rotation is enabled using a Lambda function

67
00:02:35,720 --> 00:02:37,570
‫and then you can see some sample code

68
00:02:37,570 --> 00:02:40,040
‫to retrieve the secrets in our applications.

69
00:02:40,040 --> 00:02:42,310
‫I won't go with creating a secret, but you get the idea

70
00:02:42,310 --> 00:02:45,000
‫and this is all you need to know about the Secrets Manager.

71
00:02:45,000 --> 00:02:45,833
‫So that's it.

72
00:02:45,833 --> 00:02:48,680
‫I will cancel this and I will see you in the next lecture.