Security 7 min read 11 August 2025

Secrets Management on AWS: Vault vs Secrets Manager vs Parameter Store — And How QuickInfra Uses Them

Hardcoded credentials in application code are still the most common misconfiguration in small teams. Here's the right way to manage secrets on AWS — and how QuickInfra enforces it.


QuickInfra Team

QuickInfra Cloud Solution


Secrets — database passwords, API keys, TLS certificates, OAuth tokens — are the keys to your kingdom. The most common way teams manage them badly is also the simplest: they put them in environment variables on the server, in .env files committed to git, or hardcoded in application code. QuickInfra's approach to secrets treats them as infrastructure resources, not configuration.

The Three AWS Options

AWS Secrets Manager stores structured secrets (username/password pairs, API keys) with automatic rotation support. Secrets can be referenced by ARN and fetched at runtime. Rotation uses Lambda functions to update both the secret value and the resource it authenticates to (e.g., rotating an RDS password also updates the database and the secret simultaneously). Cost: $0.40 per secret per month.

AWS Systems Manager Parameter Store stores configuration values and secrets. SecureString parameters are encrypted with KMS, and the standard tier is free. It does not support automatic rotation, so it is better suited to configuration values that change infrequently.

HashiCorp Vault is a dedicated secrets management platform with more advanced features — dynamic secrets (Vault generates a time-limited credential on demand, rather than storing a long-lived one), fine-grained access policies, and multi-cloud support. Higher operational cost than AWS-native options.

QuickInfra's Approach

For infrastructure secrets (database connection strings, API keys used by deployed applications), QuickInfra stores them in AWS Secrets Manager. When you define an environment variable in a pipeline project or a deployment project, sensitive values are stored as Secrets Manager entries rather than in QuickInfra's own storage. The application fetches them at runtime using the instance profile or task role.

Rotation

QuickInfra includes a Custom Script template for RDS password rotation. The script generates a new password, updates the RDS instance, updates the Secrets Manager secret, and restarts the application to pick up the new value. This can be scheduled on any cadence.

Detecting Hardcoded Credentials

QuickInfra's security scanning checks for known credential patterns in Custom Script definitions and environment variable values (e.g., AWS access key patterns starting with AKIA). Findings of this type are flagged as CRITICAL — hardcoded credentials are one of the most severe security issues in any cloud environment.
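To make the check concrete, here is an added example (written for this post, not QuickInfra's own scanner) that scans KEY=VALUE lines from an env file or script for two things: an AWS access key ID in plain text, and a secret-looking variable that holds a literal value instead of a Secrets Manager ARN. The variable-name list and the sample lines are assumed and constructed for the example.

```python
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA, then 16 base32
# characters; the lookarounds stop the pattern matching inside a longer token.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z2-7]{16}(?![A-Z0-9])")
# Variable names that suggest the value is a credential (assumed list, extend as needed).
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# A reference into Secrets Manager, which is what a sensitive variable should contain.
SECRETS_MANAGER_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+$")

@dataclass
class Finding:
    line_no: int
    severity: str
    message: str

def redact(value: str) -> str:
    # Findings are logged, so never echo the credential back; keep a short prefix only.
    return value[:4] + "****"

def scan(text: str) -> list[Finding]:
    """Scan KEY=VALUE lines (env files, script exports) for hardcoded credentials."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Rule 1: an AWS access key ID anywhere on the line is CRITICAL.
        for match in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "CRITICAL",
                                    f"AWS access key ID {redact(match.group())} in plain text"))
        # Rule 2: a secret-looking variable must hold a Secrets Manager ARN, not a literal.
        name, sep, value = line.partition("=")
        name = name.strip().removeprefix("export ").strip()
        value = value.strip().strip("\"'")
        if sep and value and SECRET_NAME_RE.search(name) and not SECRETS_MANAGER_ARN_RE.match(value):
            findings.append(Finding(line_no, "CRITICAL",
                                    f"{name} holds a literal value, expected a Secrets Manager ARN"))
    return findings

# Constructed sample; the access key ID is AWS's documented example, not a live credential.
SAMPLE_ENV = """\
DB_HOST=db.internal.example
DB_PASSWORD=arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf
export API_TOKEN=sk_live_not_a_real_token
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
```

Running `scan(SAMPLE_ENV)` flags lines 3, 4 and 5 and leaves the ARN-backed DB_PASSWORD alone; the findings carry only a redacted prefix so the scanner's own output does not become another place the secret leaks.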
