Architecture

Lorens Kockum edited this page Nov 23, 2017 · 2 revisions

Integration with your Application

Strongbox is serverless, meaning that there is no running service or API: everything is done on the client side, including direct communication with DynamoDB and KMS. Strongbox is integrated with your application either as a standard JVM library or via the CLI. Encryption and decryption of Secrets are done client-side.

SDK Architecture

The SecretsGroupManager manages SecretsGroups. Each SecretsGroup has AWS resources associated with it: a DynamoDB table, a KMS key, and two IAM policies (read-only and admin).