Centralized vs Decentralized Secrets Management on AWS
🔐 This post compares centralized and decentralized approaches to secrets management across four lifecycle domains: creation, storage, rotation, and monitoring. It explains how platform engineering and golden paths can centralize creation to enforce naming, tagging, and least-privilege checks while acknowledging the resource cost and maintenance burden. The article contrasts centralized storage (simplified monitoring but higher cross-account complexity and KMS costs) with storing secrets in workload accounts (better isolation, delegated ownership). Finally, it recommends centralizing auditing and observability while allowing hybrid architectures that balance control, speed, and operational scale.
