Skip to main content

Secure secrets storage

AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (AWS KMS). 

  • When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment.

  • Secrets Manager integrates with AWS Identity and Access Management (IAM) to control access to the secret using fine-grained IAM policies and resource-based policies.

 

 

Automatic secrets rotation without disrupting applications

With AWS Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI. 

  • Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB and clusters hosted on Amazon Redshift.

  • You can extend Secrets Manager to rotate secrets used with other AWS or 3P services by modifying sample Lambda functions.

 

 

Automatic replication of secrets to multiple AWS Regions

With AWS Secrets Manager, you can automatically replicate your secrets to multiple AWS Regions to meet your unique disaster recovery and cross-regional redundancy requirements. Specify the AWS Regions where a secret needs to be replicated and Secrets Manager will securely create regional read replicas, eliminating the need to maintain a complex solution for this functionality. You can give your multi-Region applications access to replicated secrets in the required Regions and rely on Secrets Manager to keep the replicas in sync with the primary secret.

  

Programmatic retrieval of secrets

Build your applications with security of secrets top of mind.

  • Secrets Manager provides code samples to call Secrets Manager APIs from common programming languages. There are two types of APIs to retrieve secrets:

    • Retrieve a single secret by name or ARN.

    • Retrieve a group of secrets by providing a list of names or ARNs, or filter criteria such as tags.

  • Configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network.

  • You can also use Secrets Manager client-side caching libraries to improve availability and reduce latency during secrets retrieval.

  

Audit and monitor secrets usage

AWS Secrets Manager enables you to audit and monitor secrets through integration with AWS logging, monitoring, and notification services. For example, after enabling AWS CloudTrail for an AWS Region, you can audit when a secret is created or rotated by viewing AWS CloudTrail logs. Similarly, you can configure Amazon CloudWatch to receive email messages using Amazon Simple Notification Service when secrets remain unused for a period, or you can configure Amazon CloudWatch Events to receive push notifications when Secrets Manager rotates your secrets.

  

Compliance

You can use AWS Secrets Manager to meet compliance requirements.

  • Use AWS Config Rules to help you verify that your secrets are configured in accordance with your organization’s security and compliance requirements.

  • Manage secrets for workloads that are subject to Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, DoD CC SRG IL4, and DoD CC SRG IL5), Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), Outsourced Service Provider’s Audit Report (OSPAR), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, Payment Card Industry Data Security Standard (PCI-DSS), or System and Organization Control (SOC).

  • View details of AWS’s compliance program and report in AWS Artifact.

  

Secrets Manager Integration

AWS services integrate with Secrets Manager to securely manage your credentials. These integrations help you securely exchange credentials with various AWS services. The credentials stored in Secrets Manager are encrypted either using AWS managed KMS keys or customer managed keys. Secrets Manager rotates secrets periodically to keep the security bar high. Once your secrets are stored with Secrets Manager, you will be able to provide the ARN of a secret instead of a plain text credential to an AWS service.

Integrated services

Alexa for Business

AWS App2Container

Amazon AppFlow

AWS AppSync

Amazon Athena

AWS CodeBuild

AWS Direct Connect

AWS Directory Service

Amazon DocumentDB (with MongoDB compatibility)

AWS Elemental MediaLive

AWS Elemental MediaConnect

AWS Elemental MediaConvert

Amazon CodeGuru Reviewer

AWS Elemental MediaPackage

AWS Elemental MediaTailor

Amazon EMR

Amazon EventBridge

Amazon FSx

AWS Glue DataBrew

AWS Glue Studio

AWS IoT SiteWise

Amazon Kendra

AWS Launch Wizard

Amazon Lookout for Metrics

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

Amazon Managed Workflows for Apache Airflow (Amazon MWAA)

AWS Migration Hub

AWS OpsWorks for Chef Automate

Amazon Relational Database Service (Amazon RDS)

Amazon Redshift

Amazon Redshift query editor v2

Amazon SageMaker

AWS Toolkit for JetBrains

AWS Transfer Family