AWS KMS vs Secrets Manager: Which One Should You Use?
AWS KMS is a managed service used to create and control cryptographic keys for encrypting data, while AWS Secrets Manager is designed to store, rotate, and manage sensitive credentials like API keys and passwords. Use KMS for data encryption and Secrets Manager for secret credential lifecycle management.
What exactly is AWS KMS and how does it work?
Think of AWS Key Management Service (KMS) as your digital vault for the keys that lock and unlock your data. In the context of the CLF-C02 exam, you need to understand that KMS manages Customer Master Keys (CMKs), the older name for what AWS documentation now simply calls KMS keys. These keys are used to encrypt data (plaintext) into ciphertext and decrypt it again. Whether you are encrypting an EBS volume or an S3 bucket, KMS is the engine under the hood providing the cryptographic strength.
From a practical standpoint, you aren't usually handling the raw key material yourself; AWS manages the hardware security modules (HSMs) for you. You simply tell AWS which key to use for which resource. For your studies, remember that KMS is primarily about the 'how' of encryption—managing the keys that perform the mathematical heavy lifting to keep your data secure.
When should you choose AWS Secrets Manager instead?
While KMS handles the keys, AWS Secrets Manager handles the 'secrets': things like database passwords, API keys, and OAuth tokens. The biggest differentiator you'll see on the exam is 'rotation.' Secrets Manager can automatically rotate your passwords on a schedule, a critical security best practice that KMS does not provide for credentials. KMS can rotate its own key material, but it has no concept of a database password or an API key.
Imagine you have a fleet of EC2 instances that need to connect to an RDS database. You wouldn't hardcode the password in your application code (that's a huge security risk). Instead, your application calls Secrets Manager to retrieve the current password at runtime. This decoupling ensures that if a password is leaked, you can rotate it in one central place without redeploying your entire application stack.
What is envelope encryption and why does it matter?
This is a concept that trips up many students, but it's simple once you get it. Envelope encryption is the practice of encrypting your data with a Data Key, and then encrypting that Data Key with a Master Key (the 'envelope'). Why do this? Because sending massive files (like a 10GB database backup) to KMS for encryption would be slow and hit API limits.
Instead, you generate a data key locally, encrypt your big file, and then use KMS to encrypt only that small data key. You store the encrypted data key right next to the encrypted data. When you need the data back, you ask KMS to decrypt the data key, and then use that decrypted key to unlock your file. It's efficient, scalable, and a core architectural pattern in AWS.
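The pattern above, as an added example that is not part of the original article: a constructed `mockKMS` stands in for AWS KMS (its `GenerateDataKey` and `Decrypt` methods mirror the real KMS API calls of those names), the bulk payload is encrypted locally with AES-GCM under a one-time data key, and only the small wrapped data key ever goes to "KMS". The `open` helper also shows the failure modes: a wrong master key, a tampered ciphertext, or a truncated blob all return an error rather than bad plaintext.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aeadFor(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// seal encrypts plaintext under key, prefixing a fresh random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; a wrong key or tampered ciphertext fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil { return nil, err }
	if len(sealed) < aead.NonceSize() { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}
// mockKMS is a constructed stand-in for AWS KMS: the master key never leaves it.
type mockKMS struct{ master []byte }
// GenerateDataKey mirrors the KMS API of that name: a plaintext data key for local use, plus the same key wrapped under the master key.
func (k mockKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil { return nil, nil, err }
	wrapped, err = seal(k.master, plaintext); return
}
// Decrypt mirrors KMS Decrypt: only the small wrapped key, never the bulk data, reaches KMS.
func (k mockKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.master, wrapped) }
// EnvelopeEncrypt encrypts data locally under a one-time data key; the wrapped key is stored beside the ciphertext.
func EnvelopeEncrypt(kms mockKMS, data []byte) (wrappedKey, ciphertext []byte, err error) {
	dk, wrappedKey, err := kms.GenerateDataKey()
	if err != nil { return nil, nil, err }
	ciphertext, err = seal(dk, data); return
}
// EnvelopeDecrypt asks KMS to unwrap the data key, then decrypts the payload locally.
func EnvelopeDecrypt(kms mockKMS, wrappedKey, ciphertext []byte) ([]byte, error) {
	dk, err := kms.Decrypt(wrappedKey)
	if err != nil { return nil, err }
	return open(dk, ciphertext)
}
```

Store `wrappedKey` alongside `ciphertext` (for example as an object metadata field); the master key itself is never needed on the client side.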
How do IAM and Key Policies control access?
Security in AWS is about layers, and KMS is no different. To use a key, a user or service needs permission from two places: the IAM policy and the Key Policy. An IAM policy might say, 'This developer can use KMS,' but the Key Policy is the ultimate authority that says, 'This specific key can be used by this specific user for this specific action.'
If the Key Policy doesn't explicitly allow access, the IAM permission is useless. This 'dual-lock' system prevents a rogue administrator with broad IAM permissions from accidentally or maliciously decrypting sensitive data. When you're practicing for the CLF-C02, always look for the distinction between identity-based policies (IAM) and resource-based policies (Key Policies).
How do these two services work together in the real world?
It isn't a competition; Secrets Manager is itself built on KMS. When you store a secret in Secrets Manager, the service doesn't save it in plaintext. It uses a KMS key to encrypt that secret at rest. So when your application requests a password from Secrets Manager, AWS makes a behind-the-scenes call to KMS to decrypt the secret before handing it to you.
In a production environment, you'll use KMS for the broad encryption of your disks and buckets, while using Secrets Manager for the specific credentials your apps need to talk to other services. Understanding this relationship—that Secrets Manager is a high-level management tool and KMS is the low-level encryption engine—is the key to nailing the security questions on your exam.
How can you master these concepts for the CLF-C02 exam?
Reading the documentation is a start, but the AWS Cloud Practitioner exam tests your ability to distinguish between similar services in complex scenarios. You need to move beyond definitions and start applying the logic. This is where targeted practice becomes your greatest asset.
At Cert Sensei, we provide 1,000 expert-curated practice questions specifically for the CLF-C02. We don't just tell you if you're wrong; we provide detailed expert reasoning for every answer so you understand the 'why.' With our domain-level analytics, you can see exactly where you're struggling—whether it's the Security pillar or the Billing section—allowing you to stop wasting time on what you already know and focus on the gaps.
❓ Frequently Asked Questions
Can I use Secrets Manager without using AWS KMS?
No. Secrets Manager requires a KMS key to encrypt the secrets it stores. You can either use the default AWS-managed key or create your own customer-managed key for more granular control over access and auditing.
Which service is more cost-effective for simple encryption?
KMS is generally more cost-effective for basic encryption tasks. Secrets Manager carries a monthly fee per secret stored, making it more expensive than KMS, but you pay for the added value of automated rotation and secret lifecycle management.
Does Secrets Manager handle SSH keys?
Yes, Secrets Manager can store SSH keys as secrets. However, for managing the actual access to the instance, you would use AWS Systems Manager Session Manager, while Secrets Manager simply holds the key material securely.