A key difference is in kms you never know the actual secret (kms stores this on your behalf) . This is for use cases where you need the secret in application code, like db creds.

Looks like a cool product I noticed they dont include a revoke workflow though, the trickiest bit of key rotation

KMS is a shared HSM, managed encryption product.

AWS Secrets Manager is for storing credentials to products (e.g. DBs) and have processes for automatically rotating them on a regular basis.

KMS is the service which performs encryption where this stores the secrets using a specified key (provided or from KMS).

KMS provides an alternative to an HSM in the cloud where this service is alternative to running a Vault cluster with a backing Consul cluster.

Well, you can use KMS to do something similar, but without the auto-rotation.

1. Use a KMS key to encrypt a secrets file (obviously, never check this into source control)

2. Store the encrypted secrets file in an S3 bucket

3. Tie a new IAM role with kms:Decrypt and s3:GetObject policies for the relevant resources to your EC2 instance

4. On app start, get the KMS key and secrets file, decrypt, and set environment variables

In practice, rotating using this scheme just means creating a new KMS key, re-encrypting the file and pushing the updated copy to S3, and updating the IAM role's kms:Decrypt policy. It's not too bad unless you have a million services.

This seems like the easiest solution, and we've been pretty successful. We have sub-folders based on your environment and only machines have roles that can read production. We also realized you don't even have to encrypt and decrypt.. just turn on encryption for the S3 bucket, I believe it's the same thing.

It's not exactly the same thing. Encryption at rest on S3 is good, but security is about layers. If you only use that, then you are one mis-configured S3 bucket policy away from exposing your secrets. Bad bucket policies are one of AWS' biggest footguns- plenty of intelligent people have done it before, don't assume it's a mistake you'll never make. It's so easy because S3 is a service that has to make publicly-accessible storage easy to achieve.

KMS keys on the other hand, do not have that use case. If the secrets in your S3 bucket have been encrypted using a KMS key (or better yet, a data key derived from a KMS key) and your bucket is compromised, your secrets are safe as long as the attacker cannot ALSO get access to the KMS key. By all means, enable encryption at rest on S3, but don't make that your only defense.

I believe KMS is primarily for storing encryption keys (to replace an HSM). AWS Secrets Manager looks like it's much easier to integrate into credential best practices, like periodic rotation.