Introduction

As we've learned in our previous lessons, AWS Secrets Manager is a powerful service that helps protect access to your applications, services, and IT resources. It allows you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. In this lesson, we're going to explore the advanced features of AWS Secrets Manager with Python's AWS SDK, Boto3.

Generating a Random Password

One way to ensure that passwords are strong and secure is to generate a random password using AWS Secrets Manager. Let's see how we can accomplish this:

In this piece of code, we first create a client for AWS Secrets Manager with the boto3.client('secretsmanager') call. Then we call the get_random_password() function, which generates a random password. The function accepts numerous parameters for customization, such as PasswordLength, ExcludeCharacters, ExcludeNumbers, ExcludePunctuation, ExcludeUppercase, ExcludeLowercase, IncludeSpace, and RequireEachIncludedType.

Listing All Secrets

AWS Secrets Manager provides a function to list all the secrets that are stored in it. The list_secrets() function returns metadata (name, ARN, tags, rotation settings, and so on) for every secret; it does not return the secret values themselves:

Tagging and Untagging Secrets

Tagging secrets can help with categorizing and managing secrets. The tag_resource() function is used to add tags to a secret. To remove tags, the untag_resource() function is used.

Working with Secret Versions and Stages

When managing secrets with AWS Secrets Manager, each secret can have multiple versions, and every version can have staging labels associated with it. By default, AWS Secrets Manager maintains two primary staging labels for secrets: AWSCURRENT for the current live version of the secret and AWSPREVIOUS for the directly preceding version. The list_secret_version_ids() function, by default, lists only versions that have staging labels, so it typically returns the two latest versions unless additional custom staging labels have been assigned to other versions.

Let's see how to work with secret versions and stages:

This script demonstrates how to list versions that have staging labels and retrieve the value for a specific staging label. It's important to manage these versions and stages effectively to maintain the integrity of secret values across different environments and deployments.

Secret Deletion and Restoration

Managing the lifecycle of secrets often involves deleting them when they're no longer needed. However, AWS Secrets Manager provides a safeguard against accidental deletion through its recovery features:

In the deletion process, two key parameters are involved:

  • ForceDeleteWithoutRecovery: When set to False, the secret remains recoverable. The default value is False, meaning that, by default, secrets are recoverable, protecting against their permanent loss due to accidental deletion.
  • RecoveryWindowInDays: Specifies the duration (in days) within which a deleted secret can be restored. The default recovery window is 30 days if this parameter is not specified, providing a generous period for recovery after deletion. In the example above, it's explicitly set to 7 days for demonstration purposes.

The ability to recover secrets provides a safety net, ensuring that critical secrets can be restored if they were deleted prematurely or in error. After a secret is deleted, but within the recovery window, the secret can be restored using the restore_secret() method, as demonstrated. If not restored within the recovery window, the secret will be permanently deleted and cannot be recovered.
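As an added example (not the lesson's own code), the guarded delete/restore flow described above, wrapped in two small helpers that validate the recovery window before calling the API. The FakeSecretsManager class is a constructed stand-in for boto3.client('secretsmanager') so the script runs offline; the account id in its ARN is a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Limits that Secrets Manager enforces for RecoveryWindowInDays.
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30


def schedule_deletion(client, secret_id, recovery_window_days=30):
    """Schedule a secret for deletion but keep it recoverable.

    ForceDeleteWithoutRecovery is deliberately not passed: it defaults to
    False, and the API documents it as mutually exclusive with
    RecoveryWindowInDays. Returns the DeletionDate reported by the service.
    """
    if not MIN_WINDOW_DAYS <= recovery_window_days <= MAX_WINDOW_DAYS:
        raise ValueError(
            f"RecoveryWindowInDays must be {MIN_WINDOW_DAYS}-{MAX_WINDOW_DAYS}, "
            f"got {recovery_window_days}"
        )
    resp = client.delete_secret(
        SecretId=secret_id, RecoveryWindowInDays=recovery_window_days
    )
    return resp["DeletionDate"]


def restore(client, secret_id):
    """Cancel a pending deletion; returns the restored secret's ARN."""
    return client.restore_secret(SecretId=secret_id)["ARN"]


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager') so the example
    runs offline; it mirrors only the response keys used above."""

    ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:{}"  # placeholder account

    def __init__(self):
        self.pending = {}  # secret_id -> scheduled DeletionDate

    def delete_secret(self, SecretId, RecoveryWindowInDays=30, ForceDeleteWithoutRecovery=False):
        days = 0 if ForceDeleteWithoutRecovery else RecoveryWindowInDays
        when = datetime.now(timezone.utc) + timedelta(days=days)
        if not ForceDeleteWithoutRecovery:  # forced deletes are not recoverable
            self.pending[SecretId] = when
        return {"ARN": self.ARN.format(SecretId), "Name": SecretId, "DeletionDate": when}

    def restore_secret(self, SecretId):
        if SecretId not in self.pending:
            raise KeyError(f"{SecretId} is not scheduled for deletion")
        del self.pending[SecretId]
        return {"ARN": self.ARN.format(SecretId), "Name": SecretId}


if __name__ == "__main__":
    sm = FakeSecretsManager()  # swap for boto3.client("secretsmanager") to run against AWS
    print("deletes on", schedule_deletion(sm, "prod/db-password", 7))
    print("restored", restore(sm, "prod/db-password"))
```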

Summary

In this lesson, we've delved deeper into AWS Secrets Manager, exploring advanced concepts such as password generation, secret versioning, secret restoration, and secret tagging. Understanding these features allows you to utilize Secrets Manager to its full potential, securing your applications more effectively.

Now that we've covered these advanced concepts, it's time to apply what we've learned! The following exercises will give you practical experience with these features. Let's get started!
