What is the difference between KMS and Secrets Manager?
AWS · Advanced level
Answer
KMS manages encryption keys; Secrets Manager stores and rotates secrets. Secrets Manager often uses KMS underneath, but it is the secret lifecycle and retrieval service, while KMS is the key control plane.
Technical explanation
A workload may need both secretsmanager:GetSecretValue and kms:Decrypt to read a secret encrypted by a customer-managed key.
Key and secret controls must combine IAM policy, resource policy, KMS key policy, rotation, audit logging, and application refresh behavior.
Do not confuse encryption with authorization: encrypted data is still exposed if decrypt and read permissions are too broad.
Secret rotation must include monitoring and rollback because a failed rotation can become a production outage.
Hands-on example
1. Create a test KMS key, secret or parameter, IAM role, and workload that retrieves the value at runtime.
2. Scope permissions to the specific secret/parameter and KMS key, then test allowed and denied reads.
3. If rotation is relevant, run a manual rotation and confirm the application refreshes safely.
4. Add CloudTrail/CloudWatch alarms for failed rotation, denied decrypts, and suspicious access.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More AWS interview questions
- What is the AWS shared responsibility model, and where is the line between AWS and the customer?
- Explain the difference between a Region, an Availability Zone, and an Edge Location.
- What is a VPC, and what are its core components (subnets, route tables, IGW, NAT)?
- Difference between a public and a private subnet, and how does each reach the internet?
- What is the difference between a Security Group and a Network ACL?
- Are Security Groups stateful or stateless? What about NACLs?
- What is an Internet Gateway versus a NAT Gateway, and when do you need each?
- How does a NAT Gateway differ from a NAT instance?