AWS re:Invent 2025 - Modern Secrets: A Journey from Legacy Systems to AI-Ready Security (SEC213)

Secrets Management Overview

  • AWS Secrets Manager is a purpose-built service for storing, retrieving and rotating the credentials, API keys and other secrets used by applications and AWS services
  • Key features:
    • Secure storage with envelope encryption using AWS KMS
    • Automated rotation on a schedule, either service-managed for supported databases or through a customer-owned Lambda rotation function
    • Cross-region replication for business continuity
    • High retrieval throughput (the GetSecretValue quota is 10,000 requests per second per Region) and client-side caching via the open-source Secrets Manager Agent
  • Integrates with AWS services like CloudTrail and CloudWatch for auditing and monitoring

Centralized vs. Decentralized Secrets Management

  • Centralized approach:
    • Consistent policies for secret creation, naming, and access control
    • Increased overhead for setup and maintenance
    • Better visibility and control, but potential single point of failure
  • Decentralized approach:
    • Simpler for developers to manage their own secrets
    • Less consistency across accounts and applications
    • Reduced visibility for security and compliance teams

Secrets Lifecycle Management

  • Centralized rotation:
    • Single team manages rotation schedules and Lambda functions
    • Consistent cadence and compliance evidence, but a complex permissions setup, since the central rotation functions must reach every target system
  • Decentralized rotation:
    • Application teams manage their own rotation logic
    • Easier to implement, but less visibility for security teams

Secrets Storage and Retrieval

  • Centralized storage:
    • Full control and visibility, but a larger blast radius if the central account is compromised
    • May limit use of some Secrets Manager features such as managed rotation, since both service-managed rotation and Lambda rotation functions must live in the same account and Region as the secret
  • Decentralized storage:
    • Secrets closer to the workloads, easier access control
    • Less visibility and logging in a centralized location

Hybrid Approach

  • Combine centralized and decentralized models:
    • Centralized secret creation and rotation management
    • Decentralized secret storage closer to the workloads
    • Balances consistency, security, and developer agility

Resilience and Business Continuity

  • Secrets Manager supports cross-region replication of secrets
  • Replicas keep the same secret name but have Region-specific ARNs, so workloads in a failover Region can read the secret by name if the primary Region is unavailable
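
Replication only pays off if the consumer knows when to fail over and when not to. The example below is added here to show that decision; it is not code from the talk or from AWS. FakeRegionalClient, RegionUnavailable and AccessDenied are constructed stand-ins for per-Region boto3 clients and their errors, and the account ID and secret names are made up.

```python
"""Cross-region failover for GetSecretValue, exercised against constructed
stand-ins for per-Region boto3 clients (FakeRegionalClient is not the real SDK).
Two practical points: replicas share the secret *name* but not the ARN (the ARN
embeds the Region), so fail over by name; and only Region-level faults should
trigger failover, never a definitive answer such as AccessDenied."""


class RegionUnavailable(Exception):
    """Stand-in for botocore's EndpointConnectionError, throttling or 5xx errors."""


class AccessDenied(Exception):
    """Stand-in for AccessDeniedException or ResourceNotFoundException: definitive, not an outage."""


class FakeRegionalClient:
    def __init__(self, region, secrets, healthy=True):
        self.region, self.secrets, self.healthy = region, dict(secrets), healthy
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if not self.healthy:
            raise RegionUnavailable(self.region)
        if SecretId not in self.secrets:
            raise AccessDenied(SecretId)
        arn = "arn:aws:secretsmanager:%s:111122223333:secret:%s" % (self.region, SecretId)
        return {"ARN": arn, "Name": SecretId, "SecretString": self.secrets[SecretId]}


# Errors worth failing over on. With the real SDK this would be
# botocore.exceptions.EndpointConnectionError plus ClientError codes such as
# ThrottlingException and InternalServiceError.
TRANSIENT = (RegionUnavailable,)


def get_secret_with_failover(secret_name, clients):
    """Try each Regional client in order (primary first) and return (value, region).

    A transient error moves on to the next Region. A definitive error is re-raised
    at once: a replica cannot grant access that the primary denied, and retrying
    it elsewhere only adds latency and noisy CloudTrail events."""
    last = None
    for client in clients:
        try:
            resp = client.get_secret_value(SecretId=secret_name)
            return resp["SecretString"], client.region
        except TRANSIENT as exc:
            last = exc
    raise RuntimeError("no Region could serve %s" % secret_name) from last
```

One caveat the code cannot remove: a replica can lag the primary for a short time after a rotation, so a value read from the replica during a failover may be the previous one. A caller whose authentication is rejected should refetch rather than assume the outage is the cause.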

Aquia's Secrets Management Journey

  • Aquia is a leading provider of digital experience platforms on AWS
  • Faced challenges with secrets sprawl, security, automation, and compliance at scale
  • Leveraged AWS Secrets Manager to:
    • Centralize secret creation and management
    • Decouple secret storage from applications
    • Automate secret rotation and injection
    • Maintain strict security and compliance controls

Technical Details and Metrics

  • Aquia manages over 300,000 unique secret paths across hundreds of AWS accounts
  • Generates 40,000 to 100,000 Kubernetes ExternalSecret references per cluster
  • Experiences high pod churn rate, resulting in hundreds of thousands of Secrets Manager API calls per hour
  • Used Secrets Manager's Kubernetes integrations (the AWS Secrets and Configuration Provider for the Secrets Store CSI Driver, and the External Secrets Operator) to deliver secrets to pods
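
At that call volume the question is how much of it a cache absorbs and what happens to cached values when a secret rotates. The example below is added here to show both; it is not code from the talk, from Aquia or from AWS. CountingBackend is a constructed stand-in for Secrets Manager, SecretCache is a minimal version of the TTL model that the Secrets Manager Agent and the AWS caching clients implement, and the secret name, TTL and churn figures are made up.

```python
"""Client-side caching of secrets for a high-churn fleet, exercised against a
constructed counting stand-in for Secrets Manager (CountingBackend is not boto3,
and SecretCache is not the Secrets Manager Agent or the AWS caching clients,
which implement the same TTL model). Shows how a TTL collapses per-pod fetches to
one API call per window, and how a consumer reacts when rotation made the cached
value stale."""
import time


class CountingBackend:
    """Constructed stand-in: serves the current value and counts API calls."""

    def __init__(self, values):
        self.values, self.calls = dict(values), 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.values[SecretId]}


class SecretCache:
    def __init__(self, backend, ttl_seconds=300.0, clock=time.monotonic):
        self.backend, self.ttl, self.clock = backend, ttl_seconds, clock
        self._entries = {}  # secret id -> (fetched_at, SecretString)

    def get(self, secret_id):
        now = self.clock()
        hit = self._entries.get(secret_id)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        value = self.backend.get_secret_value(SecretId=secret_id)["SecretString"]
        self._entries[secret_id] = (now, value)
        return value

    def invalidate(self, secret_id):
        self._entries.pop(secret_id, None)


def connect_with_refresh(cache, secret_id, authenticate):
    """Authenticate with the cached credential; on rejection, refetch once and retry.

    Between a rotation and TTL expiry the cache still holds the previous value, so
    the refresh is triggered by the target rejecting it, not by a timer."""
    cred = cache.get(secret_id)
    if authenticate(cred):
        return cred
    cache.invalidate(secret_id)
    cred = cache.get(secret_id)
    if authenticate(cred):
        return cred
    raise PermissionError("credential for %s rejected even after refresh" % secret_id)


def simulate_pod_churn(pod_starts, ttl_seconds, starts_per_second):
    """Constructed workload: each pod start fetches one secret through a node-local cache.

    Returns (API calls without a cache, API calls with the cache) for the same workload."""
    backend = CountingBackend({"prod/db": "pw-1"})
    fake_now = [0.0]
    cache = SecretCache(backend, ttl_seconds, clock=lambda: fake_now[0])
    for i in range(pod_starts):
        fake_now[0] = i / starts_per_second
        cache.get("prod/db")
    return pod_starts, backend.calls
```

With 36,000 pod starts an hour and a 300-second TTL, the simulated cache turns 36,000 calls into 12. Where the cache sits matters: with the Secrets Store CSI Driver a fetch happens at each pod volume mount, so pod churn drives call volume, whereas the External Secrets Operator polls each ExternalSecret on its refreshInterval, so object count and interval drive it.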

Business Impact

  • Streamlined infrastructure and reduced operational overhead
  • Enabled secure and resilient platform for Aquia's customers
  • Allowed Aquia to focus on delivering innovative solutions rather than managing secrets

Key Takeaways

  • AWS Secrets Manager is a critical component for managing secrets at scale in the cloud
  • Centralized vs. decentralized approach depends on the organization's specific requirements and trade-offs
  • Hybrid models combining centralized and decentralized aspects are common
  • Integrations with Kubernetes and third-party services are crucial for seamless secrets management
  • Close collaboration with AWS Secrets Manager team can unlock new possibilities for customers
