<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Aws-Secrets-Manager on Tarragon</title><link>https://tarrragon.github.io/blog/tags/aws-secrets-manager/</link><description>Recent content in Aws-Secrets-Manager on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Tue, 19 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/aws-secrets-manager/index.xml" rel="self" type="application/rss+xml"/><item><title>AWS Secrets Manager</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/</guid><description>&lt;p>AWS Secrets Manager 是 AWS 原生的 &lt;em>static secret 集中保管 service&lt;/em>、核心能力是把 secret 用 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &amp;#43; Grant 雙軌授權">KMS&lt;/a> 加密儲存、加上 &lt;em>built-in rotation Lambda&lt;/em>（針對 RDS / Redshift / DocumentDB）跟 &lt;em>Resource Policy + IAM Policy 雙層 grant&lt;/em>、把 secret lifecycle 鎖在 AWS account / IAM 邊界內。設計取捨跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault&lt;/a> 不同 — Secrets Manager 不做 dynamic credential、不做 transit encryption、不做內部 PKI、只把 &lt;em>static secret + AWS native DB rotation&lt;/em> 這條路徑做到極致。&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>Secrets Manager 的定位是 &lt;em>AWS-only workload 的 static secret 控制面&lt;/em>、跟 &lt;a href="https://docs.aws.amazon.com/systems-manager/">SSM Parameter Store&lt;/a> SecureString 在 &lt;em>存 secret&lt;/em> 這層功能重疊、但設計目的不同。Parameter Store 是 &lt;em>parameter 管理&lt;/em>（free tier、advanced parameter 每 10000 個約 $0.05、KMS 加密但無 staging label 與 rotation Lambda）；Secrets Manager 是 &lt;em>secret 管理&lt;/em>（每個 secret per month $0.40 + API call、有 staging label / rotation Lambda / Resource Policy / Cross-Region Replica）。價差 8 倍以上、選擇基準在 &lt;em>是否需要 rotation 跟 cross-account sharing&lt;/em>。&lt;/p>
&lt;p>跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault&lt;/a> 比、Secrets Manager 是 &lt;em>單一雲、簡單、低運維&lt;/em>、Vault 是 &lt;em>跨雲、dynamic credential、高表達力&lt;/em>。AWS-only 組織用 Vault 等於多扛一個 HA cluster 運維成本只為了拿 KV engine 跟 RDS rotation、ROI 不划算；反向跨雲組織用 Secrets Manager 等於每個雲都自己一套 secret store、治理鏈會斷。跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &amp;#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager&lt;/a> / &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/azure-key-vault/" data-link-title="Azure Key Vault" data-link-desc="Azure 三合一 service（Secret &amp;#43; Key &amp;#43; Certificate）、整合 Managed Identity &amp;#43; Entra ID RBAC、Premium tier 走 HSM">Azure Key Vault&lt;/a> 比、設計理念類似（雲廠 managed、KMS 加密、IAM 授權）但 rotation 機制各家不同 — Secrets Manager 用 built-in Lambda 四階段 flow、GSM 用 Pub/Sub event 觸發自寫 Cloud Function、Azure 用 Key Vault rotation policy + Event Grid。&lt;/p></description><content:encoded><![CDATA[<p>AWS Secrets Manager 是 AWS 原生的 <em>static secret 集中保管 service</em>、核心能力是把 secret 用 <a href="/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &#43; Grant 雙軌授權">KMS</a> 加密儲存、加上 <em>built-in rotation Lambda</em>（針對 RDS / Redshift / DocumentDB）跟 <em>Resource Policy + IAM Policy 雙層 grant</em>、把 secret lifecycle 鎖在 AWS account / IAM 邊界內。設計取捨跟 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a> 不同 — Secrets Manager 不做 dynamic credential、不做 transit encryption、不做內部 PKI、只把 <em>static secret + AWS native DB rotation</em> 這條路徑做到極致。</p>
<h2 id="服務定位">服務定位</h2>
<p>Secrets Manager 的定位是 <em>AWS-only workload 的 static secret 控制面</em>、跟 <a href="https://docs.aws.amazon.com/systems-manager/">SSM Parameter Store</a> SecureString 在 <em>存 secret</em> 這層功能重疊、但設計目的不同。Parameter Store 是 <em>parameter 管理</em>（free tier、advanced parameter 每 10000 個約 $0.05、KMS 加密但無 staging label 與 rotation Lambda）；Secrets Manager 是 <em>secret 管理</em>（每個 secret per month $0.40 + API call、有 staging label / rotation Lambda / Resource Policy / Cross-Region Replica）。價差 8 倍以上、選擇基準在 <em>是否需要 rotation 跟 cross-account sharing</em>。</p>
<p>跟 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a> 比、Secrets Manager 是 <em>單一雲、簡單、低運維</em>、Vault 是 <em>跨雲、dynamic credential、高表達力</em>。AWS-only 組織用 Vault 等於多扛一個 HA cluster 運維成本只為了拿 KV engine 跟 RDS rotation、ROI 不划算；反向跨雲組織用 Secrets Manager 等於每個雲都自己一套 secret store、治理鏈會斷。跟 <a href="/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager</a> / <a href="/blog/backend/07-security-data-protection/vendors/azure-key-vault/" data-link-title="Azure Key Vault" data-link-desc="Azure 三合一 service（Secret &#43; Key &#43; Certificate）、整合 Managed Identity &#43; Entra ID RBAC、Premium tier 走 HSM">Azure Key Vault</a> 比、設計理念類似（雲廠 managed、KMS 加密、IAM 授權）但 rotation 機制各家不同 — Secrets Manager 用 built-in Lambda 四階段 flow、GSM 用 Pub/Sub event 觸發自寫 Cloud Function、Azure 用 Key Vault rotation policy + Event Grid。</p>
<h2 id="本章目標">本章目標</h2>
<p>讀完本頁、讀者能判斷：</p>
<ol>
<li>哪些 secret 用 Secrets Manager、哪些可以下放到 Parameter Store、哪些該走 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a> 的 dynamic credential</li>
<li>Secrets Manager 的 <em>雙層 grant 模型</em>（Resource Policy + IAM Policy）跟 KMS encryption key custody 怎麼配</li>
<li>Built-in rotation 跟 Custom Rotation Lambda 的設計邊界、staging label 在 zero-downtime rotation 內的角色</li>
<li>何時 Secrets Manager 已經不夠用、要往 Vault / 跨雲 broker 走</li>
</ol>
<h2 id="最短判讀路徑">最短判讀路徑</h2>
<p>判斷一個 Secrets Manager 部署是否健康、最少看四件事：</p>
<ul>
<li><strong>誰能 GetSecretValue</strong>：IAM Policy 那邊是不是用 <code>secretsmanager:GetSecretValue</code> 限定到 <em>特定 secret ARN</em>（不是 <code>*</code>）、Resource Policy 是不是只允許特定 principal（不是 <code>Principal: *</code>）、跨帳號 share 有沒有用 ABAC tag 限縮</li>
<li><strong>KMS key custody</strong>：secret 用 <em>AWS-managed key</em>（<code>aws/secretsmanager</code>）還是 <em>customer-managed key</em>（CMK）— production 應該全部 CMK、key policy 限定 only Secrets Manager service principal 可用、KMS key 持有者跟 secret 持有者要分離</li>
<li><strong>Rotation 設定</strong>：rotation 開了沒、rotation interval 多久、Lambda 過去執行 success rate、staging label 在 rotation 過程中是否依序 promote（AWSPENDING → AWSCURRENT → AWSPREVIOUS）</li>
<li><strong>CloudTrail data event</strong>：<code>GetSecretValue</code> 是 <em>Data event</em>、預設不記、要手動開 data event logging — 沒開等於事故時看不到 <em>誰拿了 secret</em>、只看得到 management API（CreateSecret / UpdateSecret）</li>
</ul>
<p>四件事任一缺失、就是 <a href="/blog/backend/knowledge-cards/secret-management/" data-link-title="Secret Management" data-link-desc="說明 token、key、password 與憑證如何保存、輪替與撤銷">Secret Management</a> 跟 <a href="/blog/backend/knowledge-cards/audit-log/" data-link-title="Audit Log" data-link-desc="說明高風險操作如何留下可追溯、可稽核的紀錄">Audit Log</a> 邊界的待補項目。</p>
<h2 id="日常操作與決策形狀">日常操作與決策形狀</h2>
<p><strong>Resource Policy + IAM Policy 雙層 grant</strong>：Secrets Manager 跟 S3 bucket policy 同模型 — IAM Policy 控制 <em>principal 端能做什麼</em>、Resource Policy 控制 <em>secret 端允許誰來</em>、兩者要 <em>都同意</em> 才放行。常見錯配：Resource Policy 寫 <code>Principal: &quot;*&quot;</code> 加 <code>aws:SourceAccount</code> condition 想做跨帳號 share、但 condition 漏寫或寫錯就變成公開可讀。跨帳號 share 一定要明確列 <code>Principal: arn:aws:iam::123456789012:role/AppRole</code>、不要靠 wildcard + condition 拼隔離。</p>
<p><strong>IAM Policy 細粒度授權</strong>：<code>secretsmanager:GetSecretValue</code> 該限定到 <em>specific secret ARN</em>（不是 <code>*</code>）、配合 ABAC tag condition（<code>secretsmanager:ResourceTag/team = payments</code>）限縮 blast radius。對應 <a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/circleci-2023-secrets-rotation/" data-link-title="7.R7.2.3 CircleCI 2023：CI secrets 輪替壓力" data-link-desc="工程端點入侵後，CI 平台 secrets 如何成為高風險擴散點">CircleCI 2023 Secrets Rotation</a> — CI 出事時要能依 tag 快速列出 <em>CI runner 可拿的所有 secret</em>、沒這套 tag 就只能盲目 rotate 全部。</p>
<p><strong>KMS encryption key 選 CMK 不是 default</strong>：每個 secret 用一把 KMS key 加密、預設用 AWS-managed key <code>aws/secretsmanager</code>、production 應該換 customer-managed key（CMK）。差別在 <em>key policy 是不是自己控</em> — AWS-managed key 的 policy 同 account 任何 service 可呼叫、CMK 的 key policy 可以鎖到 only Secrets Manager service principal 加 only specific role 可 Decrypt。對應 <a href="/blog/backend/07-security-data-protection/red-team/cases/identity-access/microsoft-storm-0558-2023-signing-key-chain/" data-link-title="7.R7.1.5 Microsoft Storm-0558 2023：簽章金鑰鏈與郵件存取" data-link-desc="從簽章金鑰保護失效到雲端郵件存取，拆解身分信任鏈的關鍵控制點">Storm-0558</a> 的對照啟示：<em>key 的 blast radius 來自 key policy</em>、用 CMK 把 policy 寫窄是減 blast radius 的關鍵動作。</p>
<p><strong>Built-in Rotation Lambda 只限 AWS native DB</strong>：Secrets Manager 內建 rotation template 涵蓋 RDS（PostgreSQL / MySQL / MariaDB / Oracle / SQL Server）/ Aurora / Redshift / DocumentDB — 拿 AWS 提供的 Lambda template、設定 rotation interval（最短 1 天、最長 365 天）、Secrets Manager 自動排程觸發。其他 DB（self-hosted PostgreSQL、MongoDB Atlas、Snowflake）或 API key 要寫 <em>Custom Rotation Lambda</em>、走 4-step state machine：<code>createSecret</code>（產新 credential 存為 AWSPENDING）、<code>setSecret</code>（把新 credential 寫到 target system）、<code>testSecret</code>（用新 credential 驗證可連）、<code>finishSecret</code>（promote AWSPENDING → AWSCURRENT）。Lambda 任一步失敗 Secrets Manager 會 rollback、舊 credential 不受影響。</p>
<p><strong>Staging Label（AWSCURRENT / AWSPENDING / AWSPREVIOUS）</strong>：staging label 是 <em>指向 version 的 pointer</em>、app 一律用 <code>GetSecretValue</code> 不帶 VersionStage 拿 AWSCURRENT、rotation 過程中 Secrets Manager 先把新 credential 標 AWSPENDING、testSecret 過後 promote 到 AWSCURRENT、舊的降到 AWSPREVIOUS。設計初衷是 <em>zero-downtime rotation</em> — 但 <em>只有 app 端支援 AWSPREVIOUS fallback</em> 期間才有意義：rotation 完成瞬間有些 app instance 還拿著舊 credential，target system 應該同時接受 AWSCURRENT 跟 AWSPREVIOUS（DB rotation template 會在 setSecret 階段保留舊 user 一段時間）。對應 <a href="/blog/backend/07-security-data-protection/cases/failure-credential-rotation-without-scope/" data-link-title="7.C9 反例：憑證輪替未分 Scope" data-link-desc="憑證輪替若未分域分批，容易造成跨系統連鎖中斷。">Failure: Credential Rotation Without Scope</a>：scope map 沒做、AWSPREVIOUS 窗口期太短、長尾 batch job 拿到舊 credential 就掛。</p>
<p><strong>Cross-Region Replica</strong>：multi-region app 把 secret replicate 到其他 region、replica 在 replica region 有獨立 ARN、KMS key 跟 rotation 都要在 replica region 各自配（不能跨 region 共用 KMS key）。replica 是 <em>讀副本</em>、寫只能在 primary region、rotation 觸發後新 version 自動 sync 到 replica（有秒級延遲）。failover 時 app 直接讀 replica region ARN、不需要 cross-region call。</p>
<p><strong>Cross-Account Sharing</strong>：跨帳號 share secret 走 Resource Policy + 對方帳號 IAM Policy 雙向授權 — Resource Policy 列對方 account 的具體 role ARN、對方 role 的 IAM Policy 加 <code>GetSecretValue</code> 對應 ARN。KMS key 也要跨帳號授權（KMS key policy 加對方 role 的 Decrypt 權限）— 漏了 KMS 授權會出現 <em>GetSecretValue 成功但 Decrypt 失敗</em> 的詭異錯誤。</p>
<h2 id="核心取捨表">核心取捨表</h2>
<table>
  <thead>
      <tr>
          <th>取捨維度</th>
          <th>AWS Secrets Manager</th>
          <th>SSM Parameter Store SecureString</th>
          <th><a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault</a></th>
          <th><a href="/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager</a></th>
          <th><a href="/blog/backend/07-security-data-protection/vendors/azure-key-vault/" data-link-title="Azure Key Vault" data-link-desc="Azure 三合一 service（Secret &#43; Key &#43; Certificate）、整合 Managed Identity &#43; Entra ID RBAC、Premium tier 走 HSM">Azure Key Vault</a></th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>部署模型</td>
          <td>AWS managed</td>
          <td>AWS managed</td>
          <td>自管 cluster</td>
          <td>GCP managed</td>
          <td>Azure managed</td>
      </tr>
      <tr>
          <td>跨雲</td>
          <td>弱 — 綁 AWS</td>
          <td>弱 — 綁 AWS</td>
          <td>強</td>
          <td>弱 — 綁 GCP</td>
          <td>弱 — 綁 Azure</td>
      </tr>
      <tr>
          <td>每月每 secret 成本</td>
          <td>~$0.40 + API call</td>
          <td>free / advanced ~$0.05/10k</td>
          <td>self-hosted 成本</td>
          <td>~$0.06 + API call</td>
          <td>~$0.03 + operation</td>
      </tr>
      <tr>
          <td>Built-in rotation</td>
          <td>RDS / Redshift / DocumentDB 內建 Lambda</td>
          <td>無</td>
          <td>dynamic engine 自動發短期 credential</td>
          <td>無 built-in</td>
          <td>Key Vault rotation policy（key 為主）</td>
      </tr>
      <tr>
          <td>Staging label</td>
          <td>AWSCURRENT / AWSPENDING / AWSPREVIOUS</td>
          <td>無、用 version number</td>
          <td>KV v2 用 version</td>
          <td>version 機制</td>
          <td>version 機制</td>
      </tr>
      <tr>
          <td>Cross-account share</td>
          <td>Resource Policy + IAM</td>
          <td>不支援（同 account only）</td>
          <td>Vault namespace + policy</td>
          <td>IAM cross-project</td>
          <td>RBAC cross-tenant</td>
      </tr>
      <tr>
          <td>Dynamic credential</td>
          <td>無（rotation Lambda 是 static 換 static）</td>
          <td>無</td>
          <td>有（DB / cloud / SSH engine）</td>
          <td>弱（IAM impersonation）</td>
          <td>弱（Managed Identity）</td>
      </tr>
      <tr>
          <td>適合場景</td>
          <td>AWS-only + static secret + RDS rotation 為主</td>
          <td>AWS-only + 大量低敏 config + 不需 rotation</td>
          <td>跨雲 + dynamic credential + 內部 PKI</td>
          <td>GCP-only + Workload Identity 已主導</td>
          <td>Azure-only + Managed Identity 已主導</td>
      </tr>
      <tr>
          <td>退場成本</td>
          <td>低</td>
          <td>低</td>
          <td>中</td>
          <td>低</td>
          <td>低</td>
      </tr>
  </tbody>
</table>
<p>選 Secrets Manager 的核心訴求：<em>AWS-only</em> + <em>大部分 secret 是 static 或 AWS native DB credential</em> + <em>需要 cross-account share 或 rotation Lambda</em> + <em>不想 / 沒量能自管 Vault</em>。如果只是要存 config（feature flag、non-sensitive endpoint）、Parameter Store 8 倍便宜；如果跨雲 + 需要 dynamic credential / transit / PKI、Vault 才能滿足。</p>
<h2 id="進階主題">進階主題</h2>
<p><strong>Custom Rotation Lambda 設計</strong>：4-step state machine 是 <em>idempotent contract</em> — Lambda 必須能被 Secrets Manager 重試任意步驟而不破壞狀態。常見實作陷阱：createSecret 不檢查 AWSPENDING 是否已存在、重試時又產生一把新的、AWSPENDING 對不上 setSecret 寫進去的；setSecret 沒處理「target system 已經有同名 user」的情況、第二次跑會卡住。Template 提供的 PostgreSQL rotation Lambda 用 <em>cloning approach</em> — 在 DB 內 clone 一份 user、改密碼、保留舊 user 跨 rotation 一個週期、下次 rotation 才 drop。</p>
<p><strong>Resource Policy + ABAC tag 跨帳號</strong>：跨帳號 share 時用 ABAC tag 條件比硬列 role ARN 有彈性 — Resource Policy 寫 <code>Condition: aws:PrincipalTag/team = payments</code>、對方 account 任何帶該 tag 的 role 都可讀。代價是 <em>tag 治理</em> 變成 critical control：對方 account 內誰能 attach tag = 誰能拿 secret、IAM Policy 要鎖 <code>iam:TagRole</code> 跟 <code>iam:UntagRole</code> 權限。</p>
<p><strong>Rotation 失敗的監控訊號</strong>：Lambda 執行失敗會在 CloudWatch 留 invocation error、Secrets Manager 把 rotation 標記為 failed、但 <em>secret 仍可用</em>（AWSCURRENT 保留舊 version）— 容易出現 <em>半年沒 rotate 成功但 app 看起來正常</em> 的盲區。要監控 <code>SecretsManager.RotationFailed</code> event（EventBridge rule）+ <code>LastRotatedDate</code> metric 超過 rotation interval 1.5 倍就 alert。</p>
<p><strong>跟 <a href="/blog/backend/07-security-data-protection/vendors/aws-iam/" data-link-title="AWS IAM" data-link-desc="AWS cloud resource permission engine、Role / Policy / STS、跨帳號信任邊界與 OIDC federation 的核心">AWS IAM</a> 整合</strong>：誰可以 <code>GetSecretValue</code> 完全由 IAM 控制、最佳實踐是 <em>workload role</em> 拿 secret（EC2 instance role / ECS task role / Lambda execution role / EKS IRSA）、不要硬把 AWS credential 塞進 secret 再給 application read。Secret 內容應該是 <em>DB password / API token / third-party credential</em>、不應該是 <em>AWS credential</em>（AWS credential 用 IAM role 短期 STS 拿就好）。</p>
<p><strong>CloudTrail data event 的成本權衡</strong>：開 <code>GetSecretValue</code> data event 等於每次 secret 取用都進 CloudTrail、高 QPS application 一天可能跑數百萬筆、CloudTrail 成本（每 100k events 約 $0.10）跟 S3 儲存成本會明顯上升。降本作法：在 EventBridge 用 <em>filtering</em>（只送特定 sensitive secret 的 data event 到 SIEM）、CloudWatch Logs 端設 retention 短一點（7-30 天熱資料、長尾走 S3 + Athena）。</p>
<h2 id="排錯與失敗快速判讀">排錯與失敗快速判讀</h2>
<ul>
<li><strong>GetSecretValue AccessDenied 但 IAM Policy 看起來對</strong>：檢查 Resource Policy 是否限定 source account / VPC、檢查 KMS key policy 是否允許該 role Decrypt — 兩層 grant + KMS 三點任一缺都會 AccessDenied</li>
<li><strong>跨帳號 secret 拿不到</strong>：Resource Policy 沒列對方 role、或 KMS key policy 沒給對方 Decrypt 權限 — 跨帳號要同步配三處（Resource Policy + 對方 IAM + KMS key policy）</li>
<li><strong>Rotation 一直失敗但沒人發現</strong>：沒設 EventBridge alert on <code>RotationFailed</code>、AWSCURRENT 保持舊 version、app 正常但 secret 過期 — 必設 LastRotatedDate metric alert</li>
<li><strong>App 拿到 stale secret rotation 後爆掉</strong>：app 端用了 SDK cache（如 AWS SDK 的 Secrets Manager Cache）、rotation 完成後 cache 沒 invalidate — cache TTL 要短於 staging label 重疊窗口、或實作 retry-on-auth-fail 觸發 cache refresh</li>
<li><strong>CloudTrail 看不到誰拿 secret</strong>：沒開 data event logging — 在 CloudTrail trail 設定加上 <code>AWS::SecretsManager::Secret</code> 為 data resource</li>
<li><strong>跨 region replica rotation 失效</strong>：rotation Lambda 只在 primary region 配、replica region 沒對應 Lambda — 每個 region 各自配 Lambda、或乾脆只在 primary rotate 讓 replica 自動 sync</li>
<li><strong>AWSPREVIOUS fallback 沒生效 batch job 掛</strong>：rotation Lambda finishSecret 太快 drop 舊 user、batch job 拿到舊 credential 連 DB 失敗 — DB rotation template 預設保留舊 user 一個 rotation 週期、custom Lambda 要自己實作雙軌窗口</li>
</ul>
<h2 id="何時改走其他服務">何時改走其他服務</h2>
<table>
  <thead>
      <tr>
          <th>需求形狀</th>
          <th>改走</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>大量低敏 config / feature flag</td>
          <td><a href="https://docs.aws.amazon.com/systems-manager/">SSM Parameter Store</a>（free tier、無 rotation 需求）</td>
      </tr>
      <tr>
          <td>跨雲統一 secret 控制面</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a></td>
      </tr>
      <tr>
          <td>Dynamic DB credential（non-AWS DB）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault database engine</a></td>
      </tr>
      <tr>
          <td>Workload 拿 AWS credential</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/aws-iam/" data-link-title="AWS IAM" data-link-desc="AWS cloud resource permission engine、Role / Policy / STS、跨帳號信任邊界與 OIDC federation 的核心">AWS IAM</a> role（EC2 instance role / ECS task role / IRSA）— 不要把 AWS credential 塞 secret</td>
      </tr>
      <tr>
          <td>Encryption-as-a-service / envelope encryption</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &#43; Grant 雙軌授權">AWS KMS</a> Encrypt / Decrypt API、或 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">Vault transit engine</a></td>
      </tr>
      <tr>
          <td>內部 PKI / mTLS workload cert</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/cert-manager/" data-link-title="cert-manager" data-link-desc="K8s 原生 certificate lifecycle automation、支援 Let&#39;s Encrypt / Vault PKI / Venafi 等多 issuer、auto-renewal &#43; Challenge solver">cert-manager</a> + <a href="/blog/backend/07-security-data-protection/vendors/aws-acm/" data-link-title="AWS ACM" data-link-desc="AWS-managed certificate provisioning、DNS validation &#43; auto-renewal、整合 ELB / CloudFront / API Gateway、Private CA 後端">AWS Private CA</a></td>
      </tr>
      <tr>
          <td>Secret rotation 跨服務 scope 治理</td>
          <td><a href="/blog/backend/07-security-data-protection/credential-rotation-scoped-evidence/" data-link-title="7.27 Credential Rotation with Scoped Evidence 實作示範" data-link-desc="以 webhook/API credential 輪替示範 scope map、證據欄位與回退窗口如何一起設計。">7.5 Credential Rotation Scoped Evidence</a></td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">不在本頁內的主題</h2>
<ul>
<li>Secrets Manager 完整 API reference 跟 SDK 用法</li>
<li>每種 RDS engine 的 rotation Lambda template 內部 SQL 細節</li>
<li>AWS pricing 詳細計算（每 region 略有差異）</li>
<li>Terraform / CDK 跟 Secrets Manager 的 IaC 整合</li>
<li>AWS account organization / SCP 怎麼限制 secret 建立</li>
</ul>
<h2 id="案例回寫">案例回寫</h2>
<p>Secrets Manager 在 07 案例庫沒有直接 vendor-level 事件、以下案例採對照引用：</p>
<table>
  <thead>
      <tr>
          <th>案例</th>
          <th>跟 Secrets Manager 的關係（對照）</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/cases/failure-credential-rotation-without-scope/" data-link-title="7.C9 反例：憑證輪替未分 Scope" data-link-desc="憑證輪替若未分域分批，容易造成跨系統連鎖中斷。">Failure: Credential Rotation Without Scope</a></td>
          <td>Secrets Manager rotation 必須有 scope map — 跨服務共用同一把 secret 時、AWSPREVIOUS 窗口期 + 雙軌驗證要對齊長尾 batch job、不能單靠 Lambda 自動 promote</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/circleci-2023-secrets-rotation/" data-link-title="7.R7.2.3 CircleCI 2023：CI secrets 輪替壓力" data-link-desc="工程端點入侵後，CI 平台 secrets 如何成為高風險擴散點">CircleCI 2023 Secrets Rotation (red-team)</a></td>
          <td>CI 出事時 Secrets Manager 內 <em>所有 CI runner role 可拿的 secret</em> 都要 rotate — 必須事先以 ABAC tag 標 blast radius、不然只能盲掃整個 account</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/identity-access/microsoft-storm-0558-2023-signing-key-chain/" data-link-title="7.R7.1.5 Microsoft Storm-0558 2023：簽章金鑰鏈與郵件存取" data-link-desc="從簽章金鑰保護失效到雲端郵件存取，拆解身分信任鏈的關鍵控制點">Microsoft Storm-0558 Signing Key Chain (red-team)</a></td>
          <td>對照啟示 — Secrets Manager 的 KMS encryption key 必須走 CMK 而非 AWS-managed key、key policy 限定 only Secrets Manager service principal 且 only specific role 可 Decrypt、把 blast radius 鎖在 key policy 內</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">下一步路由</h2>
<ul>
<li>上游：<a href="/blog/backend/07-security-data-protection/secrets-and-machine-credential-governance/" data-link-title="7.6 秘密管理與機器憑證治理" data-link-desc="以問題驅動方式整理 secret、token、key 與機器身份治理">7.6 秘密管理與機器憑證治理</a>、<a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">7.13 偵測覆蓋率與訊號治理</a></li>
<li>平行：<a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a>、<a href="/blog/backend/07-security-data-protection/vendors/google-secret-manager/" data-link-title="Google Secret Manager" data-link-desc="GCP 原生 secret store、CMEK &#43; Workload Identity Federation 整合、rotation 走自寫 Cloud Function 而非 built-in Lambda">Google Secret Manager</a>、<a href="/blog/backend/07-security-data-protection/vendors/azure-key-vault/" data-link-title="Azure Key Vault" data-link-desc="Azure 三合一 service（Secret &#43; Key &#43; Certificate）、整合 Managed Identity &#43; Entra ID RBAC、Premium tier 走 HSM">Azure Key Vault</a></li>
<li>下游：<a href="/blog/backend/07-security-data-protection/vendors/aws-kms/" data-link-title="AWS KMS" data-link-desc="AWS 原生 key management service、envelope encryption / digital signing / Multi-Region Key、Key Policy &#43; Grant 雙軌授權">AWS KMS</a>（Secrets Manager 加密 key custodian、CMK 與 key policy 治理）</li>
<li>下游：<a href="/blog/backend/07-security-data-protection/vendors/aws-iam/" data-link-title="AWS IAM" data-link-desc="AWS cloud resource permission engine、Role / Policy / STS、跨帳號信任邊界與 OIDC federation 的核心">AWS IAM</a>（誰可以 GetSecretValue、跨帳號 share 的 principal 來源）</li>
<li>跨模組：<a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 事故處理 vendor 清單</a>（secret 外洩事件如何 routing 進 IR 流程）</li>
<li>官方：<a href="https://docs.aws.amazon.com/secretsmanager/">AWS Secrets Manager Documentation</a></li>
</ul>
]]></content:encoded></item><item><title>Vault → AWS Secrets Manager：「secret」不是「secret」、identity model 才是核心差異</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/hashicorp-vault/migrate-to-aws-secrets-manager/</link><pubDate>Tue, 19 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/hashicorp-vault/migrate-to-aws-secrets-manager/</guid><description>&lt;blockquote>
&lt;p>本文是跨 vendor migration playbook、cross-link &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault&lt;/a> 跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &amp;#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">AWS Secrets Manager&lt;/a>。本文同時是 &lt;a href="https://tarrragon.github.io/blog/report/data-topology-as-audit-dimension/" data-link-title="Data topology 是 process content 的第 6 audit 維度" data-link-desc="Process content 的 diff dimension audit 原本 5 維（schema / operational / paradigm / components / application change）漏了 *data topology* — 資料在 cluster / partition / region 之間的分佈拓樸；topology 不在既有 5 維任一個、但決定 re-sharding / partition redesign / multi-region rollout 的結構；本卡擴 audit 到 6 維、新增 Type F「Topology re-layout」結構">#128 self-aware limitation&lt;/a> 第 1 點「6 維仍可能漏類（identity / consistency / residency 三軸候選）」的 &lt;em>identity 軸驗證&lt;/em>。&lt;/p>&lt;/blockquote>
&lt;h2 id="secret不是secret兩家對secret的定義不同">「secret」不是「secret」：兩家對「secret」的定義不同&lt;/h2>
&lt;p>把 Vault → AWS Secrets Manager 當成「secret store 替換」是最常見的誤判 — 兩家的「secret」概念跨完全不同的 identity model：&lt;/p>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>概念&lt;/th>
 &lt;th>HashiCorp Vault&lt;/th>
 &lt;th>AWS Secrets Manager&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Secret 本身&lt;/td>
 &lt;td>一個 secret path（&lt;code>secret/data/myapp/db&lt;/code>）&lt;/td>
 &lt;td>一個 ARN（&lt;code>arn:aws:secretsmanager:us-east-1:...&lt;/code>）&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>存取者身份&lt;/td>
 &lt;td>Vault token（self-managed token TTL）&lt;/td>
 &lt;td>AWS principal（IAM user / role / federation）&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>授權模型&lt;/td>
 &lt;td>Vault policy（capabilities：read/create/&amp;hellip;）&lt;/td>
 &lt;td>IAM policy + Resource policy（雙層）&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Authentication&lt;/td>
 &lt;td>AppRole / Kubernetes / LDAP / OIDC / 自管 auth method&lt;/td>
 &lt;td>AWS Sigv4 + STS token / Identity Federation&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Dynamic credential&lt;/td>
 &lt;td>Vault database secrets engine（lease + renew）&lt;/td>
 &lt;td>Lambda rotation（無 lease 概念）&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Audit log&lt;/td>
 &lt;td>Vault audit log（自管 endpoint）&lt;/td>
 &lt;td>CloudTrail event（AWS 統一）&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Multi-tenant 隔離&lt;/td>
 &lt;td>Namespace + path-level policy&lt;/td>
 &lt;td>Account boundary + resource policy&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Tooling 整合&lt;/td>
 &lt;td>Application 端 Vault SDK / agent injector&lt;/td>
 &lt;td>AWS SDK + Lambda&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;p>&lt;strong>核心差異不在「存 secret 的地方」、在「身份從哪來、怎麼 enforce、怎麼 audit」。&lt;/strong> Migration 的真實工作量在 &lt;em>identity model 重設計&lt;/em>、不是 secret 搬遷。&lt;/p></description><content:encoded><![CDATA[<blockquote>
<p>本文是跨 vendor migration playbook、cross-link <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a> 跟 <a href="/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">AWS Secrets Manager</a>。本文同時是 <a href="/blog/report/data-topology-as-audit-dimension/" data-link-title="Data topology 是 process content 的第 6 audit 維度" data-link-desc="Process content 的 diff dimension audit 原本 5 維（schema / operational / paradigm / components / application change）漏了 *data topology* — 資料在 cluster / partition / region 之間的分佈拓樸；topology 不在既有 5 維任一個、但決定 re-sharding / partition redesign / multi-region rollout 的結構；本卡擴 audit 到 6 維、新增 Type F「Topology re-layout」結構">#128 self-aware limitation</a> 第 1 點「6 維仍可能漏類（identity / consistency / residency 三軸候選）」的 <em>identity 軸驗證</em>。</p></blockquote>
<h2 id="secret不是secret兩家對secret的定義不同">「secret」不是「secret」：兩家對「secret」的定義不同</h2>
<p>把 Vault → AWS Secrets Manager 當成「secret store 替換」是最常見的誤判 — 兩家的「secret」概念跨完全不同的 identity model：</p>
<table>
  <thead>
      <tr>
          <th>概念</th>
          <th>HashiCorp Vault</th>
          <th>AWS Secrets Manager</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Secret 本身</td>
          <td>一個 secret path（<code>secret/data/myapp/db</code>）</td>
          <td>一個 ARN（<code>arn:aws:secretsmanager:us-east-1:...</code>）</td>
      </tr>
      <tr>
          <td>存取者身份</td>
          <td>Vault token（self-managed token TTL）</td>
          <td>AWS principal（IAM user / role / federation）</td>
      </tr>
      <tr>
          <td>授權模型</td>
          <td>Vault policy（capabilities：read/create/&hellip;）</td>
          <td>IAM policy + Resource policy（雙層）</td>
      </tr>
      <tr>
          <td>Authentication</td>
          <td>AppRole / Kubernetes / LDAP / OIDC / 自管 auth method</td>
          <td>AWS Sigv4 + STS token / Identity Federation</td>
      </tr>
      <tr>
          <td>Dynamic credential</td>
          <td>Vault database secrets engine（lease + renew）</td>
          <td>Lambda rotation（無 lease 概念）</td>
      </tr>
      <tr>
          <td>Audit log</td>
          <td>Vault audit log（自管 endpoint）</td>
          <td>CloudTrail event（AWS 統一）</td>
      </tr>
      <tr>
          <td>Multi-tenant 隔離</td>
          <td>Namespace + path-level policy</td>
          <td>Account boundary + resource policy</td>
      </tr>
      <tr>
          <td>Tooling 整合</td>
          <td>Application 端 Vault SDK / agent injector</td>
          <td>AWS SDK + Lambda</td>
      </tr>
  </tbody>
</table>
<p><strong>核心差異不在「存 secret 的地方」、在「身份從哪來、怎麼 enforce、怎麼 audit」。</strong> Migration 的真實工作量在 <em>identity model 重設計</em>、不是 secret 搬遷。</p>
<p>跑 <a href="/blog/report/content-structure-by-max-diff-dimension/" data-link-title="Process content 結構由最大差異維度決定、不是 universal phased" data-link-desc="跨 X process content（migration / upgrade / rollout / playbook）的結構由 source / target 之間 *差異維度組合* 決定、不存在 universal phased 模板；6 種 migration / process type 實證（schema 差 / drop-in / operational / multi-tool / paradigm / topology re-layout）跑出 6 種不同結構；寫作前必須做 *6 維 diff dimension audit* 才能決定結構、跳過會套錯模板">6 維 diff dimension audit</a>：</p>
<table>
  <thead>
      <tr>
          <th>維度</th>
          <th>評估</th>
          <th>等級</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Schema / API</td>
          <td>API 完全不同（Vault HTTP API vs AWS SDK）</td>
          <td>Medium</td>
      </tr>
      <tr>
          <td>Operational model</td>
          <td>Self-managed Vault cluster → AWS managed</td>
          <td><strong>High</strong></td>
      </tr>
      <tr>
          <td>Paradigm</td>
          <td>兩家都是 secret store paradigm</td>
          <td>Low</td>
      </tr>
      <tr>
          <td>Components</td>
          <td>Vault binary + storage backend → AWS SaaS</td>
          <td>Low</td>
      </tr>
      <tr>
          <td>Application change</td>
          <td>必改（SDK 換、auth method 換、retry pattern 換）</td>
          <td><strong>High</strong></td>
      </tr>
      <tr>
          <td>Data topology</td>
          <td>同 single instance, no sharding</td>
          <td>Low</td>
      </tr>
      <tr>
          <td><strong>Identity model</strong></td>
          <td><strong>完全不同（Vault token vs IAM principal）</strong></td>
          <td><strong>High</strong></td>
      </tr>
  </tbody>
</table>
<p>6 維 audit 抓不到「Identity model = High」這軸 — 用既有 6 維歸類、會走 Type C operational redesign + Application change 高維獨立段；但實際工作量分佈：</p>
<ul>
<li>Operational redesign（vault cluster 拆 / Lambda 配 / 監控換）：~25%</li>
<li>Application change（SDK / retry / token 換 IAM credential）：~30%</li>
<li><strong>Identity model 重設計（每個 secret 對應的 principal / policy / 跨 service auth chain）：~45%</strong></li>
</ul>
<p>最大工作量塊在 <em>identity model 重設計</em>、不在既有 6 維任一個。Identity 是 <em>候選的第 7 維</em>。</p>
<h2 id="identity-axis-是否獨立4-個論據">Identity axis 是否獨立：4 個論據</h2>
<p><strong>Yes、identity 是獨立軸</strong>：</p>
<ol>
<li><strong>Identity 不變 → operational 仍可變</strong>：Vault on-prem → Vault on-EKS、operational 變 high 但 identity model 不變（仍 Vault token）；可分開 audit</li>
<li><strong>Operational 不變 → identity 仍可變</strong>：Vault namespace 重組（管理 50 個 namespace → 5 個 namespace + namespace-level policy）、operational 不變但 identity boundary 重劃；可分開 audit</li>
<li><strong>Application change 不變 → identity 仍可變</strong>：純 infrastructure-level rotation（手動 → 自動）、application code 不變但 identity issuance flow 變；可分開 audit</li>
<li><strong>Paradigm 不變 → identity 仍可變</strong>：同樣是 secret store paradigm、Vault token vs IAM principal 是 identity model 差、不是 paradigm 差</li>
</ol>
<p><strong>No、identity 可塞 application change</strong>：</p>
<ul>
<li>反論：application code 改 SDK + IAM signer 都算 application change</li>
<li>拒絕：application change 是 <em>consequence</em>、不是 <em>root cause</em>；identity model 變動才是驅動 application change 的原因</li>
</ul>
<p>實證上、本文 migration 工作量 45% 在 identity 對位、確認 identity 是 <em>獨立的工作量主軸</em>、不該被壓進 application change 軸。</p>
<h2 id="結構type-c--identity-model-對位獨立段">結構：Type C + identity model 對位獨立段</h2>
<p>跟既有 Type C <a href="/blog/backend/01-database/vendors/postgresql/migrate-to-aurora/" data-link-title="PostgreSQL → Aurora Migration：protocol 相容、operational 重設計" data-link-desc="Aurora 號稱 PostgreSQL-compatible 但 operational model 不同（storage decouple / cluster endpoint / instance class / 自家備份）；遷移流程是混合（protocol drop-in &#43; operational phased）、5 個 production 踩雷（extension 不支援 / replication slot 不直通 / autovacuum 行為差 / IAM 認證強制 / cost model 換算）、跟 Patroni / read replica / DR 對位">PostgreSQL → Aurora</a> 對照、本文多出 <em>identity model 對位</em> 獨立段：</p>





<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="ln">1</span><span class="cl">1. 「secret」不是「secret」（identity axis paradox 開頭）
</span></span><span class="line"><span class="ln">2</span><span class="cl">2. Identity axis 是否獨立的論據
</span></span><span class="line"><span class="ln">3</span><span class="cl">3. 結構 differentiator（Type C + identity 獨立段）
</span></span><span class="line"><span class="ln">4</span><span class="cl">4. Identity model 對位（Vault → AWS principal mapping）
</span></span><span class="line"><span class="ln">5</span><span class="cl">5. Operational migration（4 phase）
</span></span><span class="line"><span class="ln">6</span><span class="cl">6. Application change（SDK + retry pattern）
</span></span><span class="line"><span class="ln">7</span><span class="cl">7. Production 故障演練
</span></span><span class="line"><span class="ln">8</span><span class="cl">8. Capacity / cost
</span></span><span class="line"><span class="ln">9</span><span class="cl">9. 整合 / 下一步</span></span></code></pre></div><p>9 章節、260-280 行。比標準 Type C 多 1 段（identity model 對位）+ 1 段（axis 獨立論據）。</p>
<h2 id="identity-model-對位">Identity model 對位</h2>





<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="ln"> 1</span><span class="cl">Vault concept                    →  AWS Secrets Manager 對應
</span></span><span class="line"><span class="ln"> 2</span><span class="cl">─────────────────────────────────   ────────────────────────────
</span></span><span class="line"><span class="ln"> 3</span><span class="cl">Vault token (auth 結果)           →  AWS STS temporary credential
</span></span><span class="line"><span class="ln"> 4</span><span class="cl">AppRole (auth method)             →  IAM role + AssumeRoleWithWebIdentity
</span></span><span class="line"><span class="ln"> 5</span><span class="cl">Kubernetes auth method            →  IAM Role for Service Account (IRSA)
</span></span><span class="line"><span class="ln"> 6</span><span class="cl">LDAP auth method                  →  IAM Identity Center (formerly SSO)
</span></span><span class="line"><span class="ln"> 7</span><span class="cl">Vault policy (capabilities)       →  IAM policy + Resource policy
</span></span><span class="line"><span class="ln"> 8</span><span class="cl">Path-level ACL (secret/db/*)      →  Resource ARN pattern (arn:aws:secretsmanager:...:secret:db/*)
</span></span><span class="line"><span class="ln"> 9</span><span class="cl">Namespace                         →  AWS account + resource-based isolation
</span></span><span class="line"><span class="ln">10</span><span class="cl">Audit device                      →  CloudTrail event
</span></span><span class="line"><span class="ln">11</span><span class="cl">Database secrets engine           →  Lambda rotation function</span></span></code></pre></div><p>每行對位都有 <em>語意差</em>、不是 1:1 mapping：</p>
<ul>
<li><strong>Vault token TTL vs AWS STS credential expiration</strong>：Vault token TTL 可由 application 主動 renew；STS credential 不能 renew、必須 re-assume</li>
<li><strong>Vault policy capabilities vs IAM action</strong>：Vault <code>read</code> capability 對應 AWS <code>secretsmanager:GetSecretValue</code>、但 AWS 還要 resource policy 允許；雙層授權</li>
<li><strong>Vault Kubernetes auth vs IRSA</strong>：兩者都是 K8s service account → secret access、但 IRSA 需要 EKS + OIDC provider 設置、Vault K8s auth 不需要</li>
</ul>
<p>Migration scope 包含每行對位的 <em>application-level 適配</em>、不是 secret 搬。</p>
<h2 id="operational-migration-4-phase">Operational migration (4 phase)</h2>
<h3 id="phase-0audit--design">Phase 0：Audit + design</h3>
<ul>
<li>列所有 Vault secret + path + 使用 application</li>
<li>每個 secret 對應 AWS principal（IAM role / IRSA / federation）</li>
<li>設計 ARN 命名規則（按 namespace / application / environment）</li>
<li>規劃 AWS account boundary（dev / staging / prod 分 account）</li>
</ul>
<h3 id="phase-1aws-secrets-manager--iam-設置">Phase 1：AWS Secrets Manager + IAM 設置</h3>
<ul>
<li>Terraform / CloudFormation 建 secret + IAM role + resource policy</li>
<li>設 IRSA / WebIdentity provider</li>
<li>預先建 staging secret、跑 application test</li>
</ul>
<h3 id="phase-2application-dual-read">Phase 2：Application dual-read</h3>





<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln">1</span><span class="cl"><span class="c1"># Application 同時讀 Vault + AWS Secrets Manager</span>
</span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="k">def</span> <span class="nf">get_db_password</span><span class="p">():</span>
</span></span><span class="line"><span class="ln">3</span><span class="cl">    <span class="n">aws_value</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;secretsmanager&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">get_secret_value</span><span class="p">(</span><span class="n">SecretId</span><span class="o">=</span><span class="s1">&#39;myapp/db&#39;</span><span class="p">)[</span><span class="s1">&#39;SecretString&#39;</span><span class="p">]</span>
</span></span><span class="line"><span class="ln">4</span><span class="cl">    <span class="n">vault_value</span> <span class="o">=</span> <span class="n">vault_client</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="s1">&#39;secret/data/myapp/db&#39;</span><span class="p">)[</span><span class="s1">&#39;data&#39;</span><span class="p">][</span><span class="s1">&#39;data&#39;</span><span class="p">][</span><span class="s1">&#39;password&#39;</span><span class="p">]</span>
</span></span><span class="line"><span class="ln">5</span><span class="cl">
</span></span><span class="line"><span class="ln">6</span><span class="cl">    <span class="k">if</span> <span class="n">aws_value</span> <span class="o">!=</span> <span class="n">vault_value</span><span class="p">:</span>
</span></span><span class="line"><span class="ln">7</span><span class="cl">        <span class="n">logger</span><span class="o">.</span><span class="n">warning</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Secret diff between Vault and AWS!&#34;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">8</span><span class="cl">
</span></span><span class="line"><span class="ln">9</span><span class="cl">    <span class="k">return</span> <span class="n">aws_value</span>  <span class="c1"># Use AWS as source of truth</span></span></span></code></pre></div><p>跑 1-2 週、確認兩端一致 + AWS API latency / error rate 接受。</p>
<h3 id="phase-3cutover--cleanup">Phase 3：Cutover + cleanup</h3>
<ul>
<li>Application 端切到 AWS Secrets Manager only</li>
<li>Vault read-only 1-2 週 standby</li>
<li>之後 decommission Vault cluster</li>
</ul>
<h2 id="application-change">Application change</h2>
<p>Application 端必改的 4 個 pattern：</p>





<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln">1</span><span class="cl"><span class="c1"># Before: Vault SDK</span>
</span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="kn">import</span> <span class="nn">hvac</span>
</span></span><span class="line"><span class="ln">3</span><span class="cl"><span class="n">vault_client</span> <span class="o">=</span> <span class="n">hvac</span><span class="o">.</span><span class="n">Client</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="s1">&#39;https://vault.internal&#39;</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">vault_token</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">4</span><span class="cl"><span class="n">secret</span> <span class="o">=</span> <span class="n">vault_client</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="s1">&#39;secret/data/myapp/db&#39;</span><span class="p">)[</span><span class="s1">&#39;data&#39;</span><span class="p">][</span><span class="s1">&#39;data&#39;</span><span class="p">][</span><span class="s1">&#39;password&#39;</span><span class="p">]</span>
</span></span><span class="line"><span class="ln">5</span><span class="cl">
</span></span><span class="line"><span class="ln">6</span><span class="cl"><span class="c1"># After: AWS SDK + IAM</span>
</span></span><span class="line"><span class="ln">7</span><span class="cl"><span class="kn">import</span> <span class="nn">boto3</span>
</span></span><span class="line"><span class="ln">8</span><span class="cl"><span class="n">sm</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;secretsmanager&#39;</span><span class="p">)</span>
</span></span><span class="line"><span class="ln">9</span><span class="cl"><span class="n">secret</span> <span class="o">=</span> <span class="n">sm</span><span class="o">.</span><span class="n">get_secret_value</span><span class="p">(</span><span class="n">SecretId</span><span class="o">=</span><span class="s1">&#39;myapp/db&#39;</span><span class="p">)[</span><span class="s1">&#39;SecretString&#39;</span><span class="p">]</span></span></span></code></pre></div><p>關鍵差異點：</p>
<ul>
<li><strong>Authentication</strong>：Vault token 由 application 自管 / refresh；AWS SDK 自動處理 STS credential（透過 IAM role / instance profile / IRSA）</li>
<li><strong>Caching</strong>：Vault secret read 通常 cache 5-15 分鐘；AWS Secrets Manager 有 cache library（aws-secretsmanager-caching-python）需顯式啟用</li>
<li><strong>Retry pattern</strong>：Vault 用 exponential backoff；AWS SDK 自帶 retry but boto3 default 跟 application requirement 不一定 match</li>
<li><strong>Rotation hook</strong>：Vault 用 SDK 端 lease renewal；AWS 用 Lambda rotation function、application 端只需要 re-read</li>
</ul>
<h2 id="production-故障演練">Production 故障演練</h2>
<h3 id="case-1iam-principal-對位錯production-application-拿不到-secret">Case 1：IAM principal 對位錯、production application 拿不到 secret</h3>
<p><strong>徵兆</strong>：cutover 後 application 啟動失敗、log 顯示 <code>AccessDeniedException: User: arn:aws:sts::...:assumed-role/EKS-NodeRole/i-xxx is not authorized to perform: secretsmanager:GetSecretValue</code>。</p>
<p><strong>根因</strong>：EKS pod 用 <em>node role</em> 而非 <em>pod IRSA role</em>；Phase 0 audit 沒設 service account 對應的 OIDC trust。</p>
<p><strong>修法</strong>：</p>
<ol>
<li><strong>預先設 IRSA</strong>：建 IAM OIDC provider for EKS、設 service account annotation</li>
<li><strong>驗證 principal</strong>：<code>aws sts get-caller-identity</code> 從 pod 內跑、確認 returned role 是預期的</li>
<li><strong>Resource policy + IAM policy 雙層</strong>：確認 secret 的 resource policy allow 該 role、IAM policy 也 allow</li>
</ol>
<h3 id="case-2dynamic-credential-對等失敗application-連-db-失敗">Case 2：Dynamic credential 對等失敗、application 連 DB 失敗</h3>
<p><strong>徵兆</strong>：Vault 端用 database secrets engine 自動 rotate DB password、application 透過 Vault SDK 拿 lease；切到 AWS Secrets Manager + Lambda rotation 後、Lambda rotation 完成、但 application 端仍用 cached old password、連 DB 拒絕。</p>
<p><strong>根因</strong>：Vault SDK 自帶 lease renewal logic、application 知道 password 即將過期會主動 re-read；AWS SDK 沒 lease 概念、application 自己決定多久 re-read 一次。</p>
<p><strong>修法</strong>：</p>
<ol>
<li><strong>設 cache TTL 短於 rotation interval</strong>：rotation 24 小時、cache TTL 1 小時、最壞情況 1 小時 stale</li>
<li><strong>顯式 cache invalidation</strong>：rotation Lambda 跑完發 SNS、application subscribe 主動 refresh</li>
<li><strong>Connection-level retry</strong>：DB connection 認證失敗時 application 重 fetch secret 跟重連</li>
<li><strong>重新評估 rotation cadence</strong>：AWS Lambda rotation 不是 <em>Vault dynamic</em>、是 <em>scheduled rotation</em>；不能假設兩者同 semantic</li>
</ol>
<h3 id="case-3audit-log-結構差soc-dashboard-失效">Case 3：Audit log 結構差、SOC dashboard 失效</h3>
<p><strong>徵兆</strong>：cutover 後 SOC 端 dashboard 顯示 secret access metric 全 0；舊 Vault audit log 結構在 Splunk 端 parse 過、AWS CloudTrail 結構完全不同、search query 全失效。</p>
<p><strong>根因</strong>：Vault audit log 是 <em>Vault-specific</em> JSON 結構（含 lease_id / policy / token）；CloudTrail event 是 <em>AWS-specific</em>（含 eventName / requestParameters / userIdentity）；SOC parse rule 不能搬。</p>
<p><strong>修法</strong>：</p>
<ol>
<li><strong>Pre-cutover 重寫 SOC rule</strong>：CloudTrail event 對應 Vault audit log 的 detection coverage 必須 1:1 mapping</li>
<li><strong>GuardDuty integration</strong>：AWS GuardDuty 自動 surface secret access anomaly、降低自寫 rule 工作量</li>
<li><strong>CloudTrail → S3 → Athena</strong>：long-term audit query 走 Athena、tooling 跟 Vault 完全不同、SOC re-training</li>
</ol>
<h3 id="case-4calling-cost-反轉aws-比-vault-自管貴">Case 4：Calling cost 反轉、AWS 比 Vault 自管貴</h3>
<p><strong>徵兆</strong>：Vault on-prem 跑了 $200 / month（EC2 + ops），切到 AWS Secrets Manager 後 $1500 / month；帳單拆解後 <code>GetSecretValue</code> API call 是大頭。</p>
<p><strong>根因</strong>：AWS Secrets Manager <code>$0.05 per 10K API call</code> — application 高頻 read（每 request 都讀 secret + 沒 cache）會爆 cost；Vault 端 application 自管 cache + token TTL 內無 API call。</p>
<p><strong>修法</strong>：</p>
<ol>
<li><strong>強制 application-side cache</strong>：用 aws-secretsmanager-caching library、cache TTL 5-15 分鐘、API call 從 100M/month 降到 10K/month</li>
<li><strong>Re-architect application</strong>：把 high-frequency secret read 改 connection-level（建 DB connection 時讀一次、connection lifecycle 內復用）</li>
<li><strong>Cost monitoring</strong>：對 secret access 設 CloudWatch alarm、過 threshold 立即 alert</li>
</ol>
<h3 id="case-5跨-region-replication-對位失敗dr-演練失效">Case 5：跨 region replication 對位失敗、DR 演練失效</h3>
<p><strong>徵兆</strong>：DR drill 切 region 後、application 連不到 secret；發現 us-west-2 的 Secrets Manager 沒有 us-east-1 的 secret。</p>
<p><strong>根因</strong>：AWS Secrets Manager 不是 <em>global resource</em>、是 <em>region-scoped</em>；Vault 自管 multi-DC replication；cutover 漏設 <em>cross-region replication</em>。</p>
<p><strong>修法</strong>：</p>
<ol>
<li><strong>設 secret replication</strong>：AWS Secrets Manager 內建 replication 到其他 region（<code>ReplicaRegions</code>）</li>
<li><strong>DR drill 必跑</strong>：cutover 前 + cutover 後各 drill 一次、驗證 region failover 順</li>
<li><strong>架構</strong>：考慮用 <em>AWS Backup</em> 對 Secrets Manager 做 cross-region backup 補強</li>
</ol>
<h2 id="capacity--cost">Capacity / cost</h2>
<table>
  <thead>
      <tr>
          <th>維度</th>
          <th>Vault self-managed</th>
          <th>AWS Secrets Manager</th>
          <th>Trade-off</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Setup cost</td>
          <td>Mid（自管 cluster + storage + HA）</td>
          <td>Low（一鍵建 secret）</td>
          <td>AWS 顯著低</td>
      </tr>
      <tr>
          <td>Operational FTE</td>
          <td>0.3-1 FTE</td>
          <td>0.05-0.1 FTE</td>
          <td>AWS 省 SRE</td>
      </tr>
      <tr>
          <td>Per-secret cost</td>
          <td>~$0（含在 cluster）</td>
          <td>$0.40 / month</td>
          <td>AWS 按 secret 數計費</td>
      </tr>
      <tr>
          <td>API call cost</td>
          <td>~$0（含在 cluster）</td>
          <td>$0.05 / 10K call</td>
          <td>High-frequency app 顯著貴</td>
      </tr>
      <tr>
          <td>Cross-region</td>
          <td>自管 replication</td>
          <td>內建 <code>ReplicaRegions</code></td>
          <td>AWS 簡化</td>
      </tr>
      <tr>
          <td>Audit</td>
          <td>Vault audit device</td>
          <td>CloudTrail（內建）</td>
          <td>AWS 跟 SOC pipeline 統一</td>
      </tr>
      <tr>
          <td>Identity integration</td>
          <td>多 auth method</td>
          <td>IAM + IRSA + Identity Center</td>
          <td>AWS 跟 cloud-native 整合好</td>
      </tr>
      <tr>
          <td>Total cost (100 secret, 50K read/day)</td>
          <td>$200 / mo (含 ops)</td>
          <td>$40 + $7 + replication = ~$50 / mo + ops 省</td>
          <td>AWS 1/4 cost、若 read 不爆</td>
      </tr>
  </tbody>
</table>
<p><strong>判讀</strong>：少 secret + 中頻 read 走 AWS Secrets Manager；高頻 read + multi-cloud / on-prem 約束走 Vault。</p>
<h2 id="整合--下一步">整合 / 下一步</h2>
<h3 id="跟-vault-dynamic-credential-對比">跟 <a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/dynamic-credential/" data-link-title="HashiCorp Vault Dynamic Credential：lease 治理跟 application 整合的實作層" data-link-desc="Vault database secrets engine 怎麼配、application 怎麼 renew lease、production 五大踩雷（lease 過期 race、DB max_connections 撞牆、Vault sealed、token expire、scope 過寬）、容量規劃跟 vault-agent injector 整合">Vault Dynamic Credential</a> 對比</h3>
<p>Vault dynamic credential 是 Vault 特有 feature、AWS Secrets Manager 用 <em>Lambda rotation</em> 對應、但 semantic 不同：</p>
<ul>
<li>Vault: per-application lease、application-aware lifecycle</li>
<li>AWS: scheduled rotation、application 不知道何時被 rotate</li>
</ul>
<p>Migration scope 應該 <em>降級</em> dynamic credential 場景、用 Lambda rotation 替代、application logic 改 cache + retry pattern。</p>
<h3 id="跟-iam-identity-center-整合">跟 IAM Identity Center 整合</h3>
<p>人類存取 secret（emergency break-glass）走 IAM Identity Center + temporary role assumption；不要直接給 user IAM key。</p>
<h3 id="下一步議題">下一步議題</h3>
<ul>
<li><strong>Reverse migration（AWS → Vault）</strong>：通常是 multi-cloud / on-prem 約束驅動、cost 在大 scale 反轉</li>
<li><strong>Hybrid pattern</strong>：cloud-native secret 走 AWS、cross-cloud / on-prem secret 走 Vault；應用程式根據 secret 來源 routing</li>
<li><strong>identity axis 驗證</strong>：本文認為 identity 是獨立軸、未來累積 LDAP → OIDC / 自管 RBAC → IAM 等 migration 驗證</li>
</ul>
<h2 id="相關連結">相關連結</h2>
<ul>
<li>Source vendor：<a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/" data-link-title="HashiCorp Vault" data-link-desc="Self-hosted secret management 與 dynamic credential / encryption-as-a-service / PKI engine、跨雲跨環境的 secret 控制面">HashiCorp Vault</a></li>
<li>Target vendor：<a href="/blog/backend/07-security-data-protection/vendors/aws-secrets-manager/" data-link-title="AWS Secrets Manager" data-link-desc="AWS 原生 secret store &#43; 內建 RDS / Redshift rotation Lambda、Resource Policy 跨帳號共享、KMS 加密">AWS Secrets Manager</a></li>
<li>平行 deep article：<a href="/blog/backend/07-security-data-protection/vendors/hashicorp-vault/dynamic-credential/" data-link-title="HashiCorp Vault Dynamic Credential：lease 治理跟 application 整合的實作層" data-link-desc="Vault database secrets engine 怎麼配、application 怎麼 renew lease、production 五大踩雷（lease 過期 race、DB max_connections 撞牆、Vault sealed、token expire、scope 過寬）、容量規劃跟 vault-agent injector 整合">Vault Dynamic Credential</a></li>
<li>平行 migration playbook (Type C)：<a href="/blog/backend/01-database/vendors/postgresql/migrate-to-aurora/" data-link-title="PostgreSQL → Aurora Migration：protocol 相容、operational 重設計" data-link-desc="Aurora 號稱 PostgreSQL-compatible 但 operational model 不同（storage decouple / cluster endpoint / instance class / 自家備份）；遷移流程是混合（protocol drop-in &#43; operational phased）、5 個 production 踩雷（extension 不支援 / replication slot 不直通 / autovacuum 行為差 / IAM 認證強制 / cost model 換算）、跟 Patroni / read replica / DR 對位">PostgreSQL → Aurora</a>（標準 Type C） / <a href="/blog/backend/01-database/vendors/mongodb/migrate-to-atlas/" data-link-title="MongoDB → Atlas：Atlas 不是 MongoDB &#43; managed、是另一個 product" data-link-desc="Atlas 號稱「MongoDB managed」但 operational model 完全不同（auto-scaling / VPC peering / IAM-driven access / 內建 backup / billing 模型）；本文採用 Type C operational redesign hybrid 結構、4-phase operational migration &#43; drop-in cutover、5 個 production 踩雷（連線數限制 / IP whitelist / backup retention / IAM token 過期 / billing 暴漲）">MongoDB → Atlas</a></li>
<li>平行 axis 候選驗證 (sibling)：<a href="/blog/backend/01-database/vendors/dynamodb/consistency-model-optimization/" data-link-title="DynamoDB Strongly Consistent → Eventually Consistent：same protocol, different contract" data-link-desc="DynamoDB consistency model 從 strongly consistent read 改 eventually consistent read 是 50% cost 優化但風險集中在 application contract — 同 vendor / 同 protocol / 同 table / 不同 read consistency；驗證 [#128](/report/data-topology-as-audit-dimension/) self-aware limitation 提出的 consistency axis 候選；涵蓋 read pattern audit / 5 個 production 踩雷">DynamoDB Consistency Model</a>（consistency 候選） / <a href="/blog/backend/01-database/vendors/postgresql/multi-region-gdpr-rollout/" data-link-title="PostgreSQL Multi-Region GDPR Rollout：政策驅動的 migration 屬本 methodology 嗎" data-link-desc="PostgreSQL 單 region → multi-region 同時滿足 GDPR EU residency 是 *政策驅動* 兼 *topology 變動* 兼 *operational redesign* 的多軸 migration；驗證 [#128](/report/data-topology-as-audit-dimension/) self-aware limitation 提出的 residency axis 候選 — residency 是 driver 還是獨立 audit 軸；涵蓋 logical replication 配 GDPR / 5 個 production 踩雷 / cross-region cost">PostgreSQL Multi-Region GDPR Rollout</a>（residency 候選）</li>
<li>Methodology：<a href="/blog/posts/migration-playbook-%E6%96%B9%E6%B3%95%E8%AB%96%E7%9A%84%E6%BC%94%E5%8C%96%E7%B4%80%E9%8C%84stage-0-variant-%E8%A6%8F%E5%8A%83%E6%8A%8A-collapse-%E7%8E%87%E5%BE%9E-60-%E9%99%8D%E5%88%B0-0/" data-link-title="Migration Playbook 方法論的演化紀錄：Stage 0 variant 規劃把 collapse 率從 60% 降到 0%" data-link-desc="跨 vendor migration playbook 需要獨立寫作方法論的依據，以及這套方法論從三輪 batch dogfood 中演化出來的驗證證據。">Migration playbook methodology</a> / <a href="/blog/report/data-topology-as-audit-dimension/" data-link-title="Data topology 是 process content 的第 6 audit 維度" data-link-desc="Process content 的 diff dimension audit 原本 5 維（schema / operational / paradigm / components / application change）漏了 *data topology* — 資料在 cluster / partition / region 之間的分佈拓樸；topology 不在既有 5 維任一個、但決定 re-sharding / partition redesign / multi-region rollout 的結構；本卡擴 audit 到 6 維、新增 Type F「Topology re-layout」結構">#128 self-aware limitation 第 1 點</a>（identity axis 候選驗證、本文是該驗證的 dogfood）</li>
</ul>
]]></content:encoded></item></channel></rss>