Networking & Content Delivery

AWS Site-to-Site VPN: secure pre-shared key (PSK) Management with AWS Secrets Manager

In this intermediate-level post, we show network administrators and security professionals how to use the new AWS Secrets Manager integration with AWS Site-to-Site VPN to enhance your security posture. This feature eliminates plaintext pre-shared keys (PSKs) and helps customers shift to centralized secret management, thus providing stronger access control, audit visibility through AWS CloudTrail, and improved operational hygiene, all at no extra cost.

AWS Site-to-Site VPN is a fully managed service that provides a secure and reliable way to connect your on-premises network to your Amazon Web Services (AWS) environment over the public internet using IP Security (IPSec) tunnels. Although PSKs have traditionally been used for authentication, they often present security management challenges for organizations.

Prerequisites

In the following sections, we assume that you are familiar with fundamental AWS networking services, such as:

  • Amazon Virtual Private Cloud (VPC): A service that lets you launch AWS resources in a logically isolated virtual network.
  • AWS Site-to-Site VPN: A service that creates encrypted connections between your network and your Amazon VPCs.
  • Secrets Manager: A service that helps you protect access to your applications, services, and IT resources.

Key changes to AWS Site-to-Site VPN

When you create a Site-to-Site VPN connection, each tunnel needs a PSK; you can provide one or let AWS generate one for you. Until now, these PSKs were stored directly in the Site-to-Site VPN service. The new feature lets you choose where to store them:

  1. Standard storage (original method)
    • Stores the PSK directly in the Site-to-Site VPN service
    • Provides basic security for your connection credentials
  2. Secrets Manager storage (new enhanced option)
    • Securely stores your PSKs in Secrets Manager
    • Creates a dedicated Secrets Manager Amazon Resource Name (ARN)
    • Enables centralized secret management with more security features
    • Provides audit capabilities for access to your PSKs
    • Supports automatic rotation policies (where applicable)

How it works

When you create a new Site-to-Site VPN connection through the AWS Management Console, you now have a choice of storage options for your PSKs.

Figure 1: PSKs storage options in the Console

As shown in Figure 1, you can choose either Standard storage (the default option) or Secrets Manager storage. When you choose Secrets Manager storage, AWS automatically creates a secret and stores your PSK values securely.

After creating your VPN connection with Secrets Manager storage, you can view the generated ARN on the connection details page, as shown in Figure 2.

Figure 2: Secret Management ARN in VPN Connection details page

To view the actual PSK value, follow these steps:

  1. Navigate to the Secrets Manager console
  2. Choose Secrets from the left navigation panel
  3. Locate your VPN PSK secret in the list
  4. Choose the secret name to open its detail page
  5. Choose the Retrieve secret value button to reveal the value of the PSK

Figure 3: PSK secret value

Creating a VPN Connection using Secrets Manager through AWS CLI

The new feature adds a pre-shared-key-storage parameter to the create-vpn-connection command. The following syntax shows how to create a VPN connection using the AWS CLI while specifying where the PSK is stored.

create-vpn-connection
--customer-gateway-id <customer-gateway-id>
--type <vpn-type>
[--vpn-gateway-id <vpn-gateway-id>]
[--transit-gateway-id <transit-gateway-id>]
[--pre-shared-key-storage <key-storage-type>]

Example: creating a VPN connection using Secrets Manager

This example creates a new VPN connection to a Virtual Private Gateway (VGW) and stores the PSK in Secrets Manager.

aws ec2 create-vpn-connection \
--customer-gateway-id cgw-06fa98e11e66c3646 \
--type ipsec.1 \
--vpn-gateway-id vgw-0ae7deff670a92445 \
--pre-shared-key-storage SecretsManager

The command returns a JSON response containing the VPN connection details. The most important elements are as follows:

  1. The VpnConnectionId, which identifies your new connection
  2. The State field showing the connection status
  3. The redacted PSKs in the CustomerGatewayConfiguration section

For brevity, we’ve omitted most of the output. The full response includes configuration details for both IPSec tunnels.

Describe VPN connection details through AWS CLI

To verify the configuration or retrieve the ARN of the associated secret, you can describe the VPN connection using the AWS CLI command describe-vpn-connections.

describe-vpn-connections
[--vpn-connection-ids <value>] 

Example: describe a VPN connection

The following is an example command that retrieves the details of a specific VPN connection, such as the reference to the Secrets Manager ARN.

aws ec2 describe-vpn-connections \
--vpn-connection-ids vpn-01d7549f4acca1f70

In the response, look for the PreSharedKeyArn field to confirm that the PSK is stored in Secrets Manager.

{
  "VpnConnections": [
    {
      ...
      "PreSharedKeyArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:s2svpn-preprod!vpn-0074cc1c3ce9a041e-1Skga6-pevysO",
      "VpnConnectionId": "vpn-0074cc1c3ce9a041e",
      "State": "pending",
      ...
    }
  ]
}

The PSKs in the CustomerGatewayConfiguration section are always redacted with *****REDACTED***** for security reasons, regardless of the storage method.
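
As an added example (not part of the original post), the following Python script does over an account what the post suggests doing by eye: it reads the JSON returned by aws ec2 describe-vpn-connections and reports which connections still keep their PSK in standard storage. The rule it applies is the one stated above: a connection whose PreSharedKeyArn is absent or empty has not been moved to Secrets Manager. The sample output is constructed in the shape shown above; the first connection reuses the post's example values, the second connection ID is made up, and the ARN splitting assumes the standard Secrets Manager ARN layout (arn:partition:secretsmanager:region:account:secret:name).

```python
"""Audit Site-to-Site VPN connections for PSK storage type.

Added example, not from the AWS post. Input is the JSON printed by
`aws ec2 describe-vpn-connections`; output is a report of which
connections already use Secrets Manager and which still use standard
(plaintext-in-service) storage and are therefore migration candidates.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of describe-vpn-connections output.
# First entry mirrors the post's example; the second connection ID is made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0074cc1c3ce9a041e",
            "State": "available",
            "PreSharedKeyArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:"
                               "s2svpn-preprod!vpn-0074cc1c3ce9a041e-1Skga6-pevysO",
        },
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",   # constructed: standard storage
            "State": "available",
        },
    ]
})


def parse_secret_arn(arn: str) -> Dict[str, str]:
    """Split a Secrets Manager ARN into partition, region, account and secret name.

    Secret names may contain '/' but never ':', so splitting on the first six
    colons isolates the name (including its random suffix) as the last field.
    """
    parts = arn.split(":", 6)
    if len(parts) != 7 or parts[2] != "secretsmanager" or parts[5] != "secret":
        raise ValueError(f"not a Secrets Manager secret ARN: {arn}")
    return {"partition": parts[1], "region": parts[3], "account": parts[4], "name": parts[6]}


def audit_psk_storage(describe_json: str) -> Dict[str, object]:
    """Classify every connection in a describe-vpn-connections response.

    Returns {"secrets_manager": {vpn_id: parsed_arn_fields}, "standard": [vpn_id, ...]}.
    An absent or empty PreSharedKeyArn means the PSK still lives in the
    Site-to-Site VPN service (the console shows an empty Secret management ARN).
    """
    secrets_manager: Dict[str, Dict[str, str]] = {}
    standard: List[str] = []
    for conn in json.loads(describe_json).get("VpnConnections", []):
        vpn_id = conn["VpnConnectionId"]
        arn = conn.get("PreSharedKeyArn") or ""
        if not arn:
            standard.append(vpn_id)
            continue
        fields = parse_secret_arn(arn)
        fields["arn"] = arn
        secrets_manager[vpn_id] = fields
    return {"secrets_manager": secrets_manager, "standard": standard}


if __name__ == "__main__":
    # In practice: aws ec2 describe-vpn-connections > vpns.json, then pass that file's text.
    report = audit_psk_storage(SAMPLE_DESCRIBE_OUTPUT)
    for vpn_id in report["standard"]:
        print(f"{vpn_id}: PSK in standard storage, migration candidate")
    for vpn_id, fields in report["secrets_manager"].items():
        print(f"{vpn_id}: PSK in Secrets Manager secret {fields['name']} ({fields['region']})")
```

Run it against the real output by redirecting aws ec2 describe-vpn-connections to a file and passing the file contents to audit_psk_storage; the "standard" list is the work queue for the migration described in the next section.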

Migrating from standard plain text storage to Secrets Manager

If you have already set up a Site-to-Site VPN connection in your AWS environment, then the PSK is stored in the Site-to-Site VPN service. You can get these PSK values either by downloading the configuration file or by describing the VPN connection using the AWS CLI.

Figure 4. A screenshot of the PSK in the downloaded configuration file

The following figure shows that the Secret management ARN field is empty when using a plain text PSK.

Figure 5. Empty Secret management ARN in VPN Connection Details page

To migrate a PSK to Secrets Manager, navigate to the VPN dashboard and locate your Site-to-Site VPN connection as shown in the following figure. With the connection selected, open the Actions menu and choose Modify VPN Tunnel Options.

Figure 6. Modify VPN tunnel option under action menu for the selected VPN connection

On the Modify VPN Tunnel Options page, open the drop-down list and choose the VPN tunnel you want to migrate.

Figure 7. VPN tunnels under Modify VPN tunnel options

On the page for the chosen tunnel, you now have the option to choose Secrets Manager for PSK storage, as shown in the following figure. After choosing Secrets Manager, choose Save Changes.

Figure 8. Options for selecting pre-shared key storage in site-to-site VPN console

This creates a Secrets Manager secret, stores the existing PSK in it, and generates an ARN.

Figure 9. The ARN of the Secrets Manager secret for the tunnel migrated to Secrets Manager storage

Figure 10. Newly created Site-to-Site VPN Secret for PSK

When the tunnel is up, repeat the process for the second tunnel.

Migrating to Secrets Manager through AWS CLI

If you want to migrate an existing VPN tunnel to Secrets Manager storage, the modify-vpn-tunnel-options command lets you switch the PSK storage type through the AWS CLI.

modify-vpn-tunnel-options
--vpn-connection-id <value>
--vpn-tunnel-outside-ip-address <value>
[--pre-shared-key-storage <value>]
[--tunnel-options '{}']

Example: migrating a tunnel from standard storage to Secrets Manager

This command modifies an existing tunnel’s configuration to store its PSK in Secrets Manager. It keeps the original key but moves its storage location.

aws ec2 modify-vpn-tunnel-options \
--vpn-connection-id vpn-01d7549f4acca1f70 \
--vpn-tunnel-outside-ip-address 54.71.32.128 \
--pre-shared-key-storage SecretsManager \
--tunnel-options '{}'

When the tunnel has been updated, use the following command to confirm that the PSK has been moved to Secrets Manager by checking the PreSharedKeyArn field in the output.

aws ec2 describe-vpn-connections \
--vpn-connection-ids vpn-01d7549f4acca1f70

Key elements to look for in the response:

  1. The PreSharedKeyArn field containing the Secrets Manager ARN
  2. The State field showing modifying during the migration process
  3. The redacted PSK in the configuration

Migration planning

When migrating from Standard storage to Secrets Manager, expect a brief downtime on the affected tunnel. We recommend:

  • Performing migrations during scheduled maintenance windows
  • Migrating one tunnel at a time
  • Making sure that the first tunnel is up and running before proceeding with the changes on the second tunnel
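
To put this one-tunnel-at-a-time guidance into practice, here is an added Python example (not from the post or from the AWS CLI documentation). It reads the connection, migrates one tunnel with the same modify-vpn-tunnel-options call shown in the CLI section, and refuses to touch the next tunnel until the connection State is available again and the migrated tunnel's telemetry status is UP. The decision logic is a pure function that runs offline; main() assumes boto3 and AWS credentials, assumes the describe-vpn-connections VgwTelemetry entries (OutsideIpAddress, Status), which the post does not show, and assumes boto3 names the parameters after the CLI flags on this page (PreSharedKeyStorage, TunnelOptions). The second outside IP in the sample is constructed.

```python
"""Sequential migration of a Site-to-Site VPN connection's PSKs to Secrets Manager.

Added example, not from the AWS post. Encodes the post's migration planning:
migrate one tunnel, wait until it is UP again, then do the second. The AWS
calls are confined to main() so migration_plan() can be exercised offline.
"""
import time
from typing import Optional, Set, Tuple

# Constructed sample in the shape of one describe-vpn-connections entry.
# 54.71.32.128 is the outside IP used in the post; the second address is made up.
SAMPLE_CONNECTION = {
    "VpnConnectionId": "vpn-01d7549f4acca1f70",
    "State": "available",
    "VgwTelemetry": [
        {"OutsideIpAddress": "54.71.32.128", "Status": "UP"},
        {"OutsideIpAddress": "52.10.20.30", "Status": "UP"},
    ],
}


def migration_plan(connection: dict, migrated: Set[str]) -> Tuple[str, Optional[str]]:
    """Decide the next step of a one-tunnel-at-a-time migration.

    Returns (action, outside_ip):
      ("wait", ip_or_None)  the connection is still modifying, or a tunnel that was
                            already migrated has not reported UP yet
      ("migrate", ip)       it is safe to move the tunnel at `ip` to Secrets Manager
      ("done", None)        every tunnel has been migrated and is UP
    """
    # The post notes that State reads "modifying" while a change is in flight.
    if connection.get("State") != "available":
        return ("wait", None)
    telemetry = connection.get("VgwTelemetry", [])
    # Planning rule from the post: the first tunnel must be up before the second is touched.
    for tunnel in telemetry:
        if tunnel["OutsideIpAddress"] in migrated and tunnel.get("Status") != "UP":
            return ("wait", tunnel["OutsideIpAddress"])
    for tunnel in telemetry:
        if tunnel["OutsideIpAddress"] not in migrated:
            return ("migrate", tunnel["OutsideIpAddress"])
    return ("done", None)


def main(vpn_connection_id: str, region: str, poll_seconds: int = 30, timeout_seconds: int = 900) -> str:
    """Drive the migration of a real connection; returns its PreSharedKeyArn when finished."""
    import boto3  # imported here so migration_plan() is usable without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    migrated: Set[str] = set()
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        conn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_connection_id])["VpnConnections"][0]
        action, ip = migration_plan(conn, migrated)
        if action == "done":
            return conn.get("PreSharedKeyArn", "")
        if action == "migrate":
            # Same request as the post's CLI example: keep the key, change only where it is stored.
            ec2.modify_vpn_tunnel_options(
                VpnConnectionId=vpn_connection_id,
                VpnTunnelOutsideIpAddress=ip,
                PreSharedKeyStorage="SecretsManager",
                TunnelOptions={},
            )
            migrated.add(ip)
        # Telemetry can lag the change; a generous poll interval avoids acting on a stale "UP".
        time.sleep(poll_seconds)
    raise TimeoutError("a migrated tunnel did not return to UP before the deadline "
                       "(a tunnel that was already DOWN with no peer will never come up)")


if __name__ == "__main__":
    import sys
    print(main(sys.argv[1], sys.argv[2]))
```

Run it inside the maintenance window with the connection ID and Region as arguments; the timeout matters because a tunnel that was already down before the change (for example, an unused second tunnel) will never report UP, and the script should stop rather than wait forever.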

Considerations

When adopting AWS Secrets Manager for storing Site-to-Site VPN pre-shared keys (PSKs), keep the following in mind:

  • Security benefits
    • Centralized management – Consolidate management of all VPN PSKs in a single, secure service.
    • Access control – Apply fine-grained AWS Identity and Access Management (IAM) policies to define who can access or update your VPN PSKs.
    • Audit capabilities – Track PSK access and usage through AWS CloudTrail logs.
    • Encryption – Ensure all PSKs are encrypted at rest with AWS Key Management Service (AWS KMS).
  • Cost considerations
    • No additional cost for storing VPN PSKs in Secrets Manager when created through the Site-to-Site VPN service.
    • Standard AWS Secrets Manager pricing applies if you create additional secret versions or have frequent retrievals.
  • Operational impact
    • Update operational procedures to include Secrets Manager monitoring and alerting.
    • Review and adjust IAM policies to ensure the right level of access to Secrets Manager resources.
    • Consider integrating PSKs into your existing secret rotation workflows.

Conclusion and Next Steps

Using AWS Secrets Manager to store your Site-to-Site VPN PSKs enhances your security posture by reducing exposure risks, enabling centralized key management, and providing detailed audit trails. This integration replaces plaintext PSKs with Secrets Manager ARNs, helping protect your VPN infrastructure without adding storage costs when used through the service.

We encourage you to begin migrating your existing VPN connections to use Secrets Manager today. By doing so, you’ll benefit from centralized management, improved access controls, and the ability to monitor and rotate your PSKs more effectively. Take the first step towards strengthening your organization’s network security posture with this enhanced capability.

About the authors

Hoorang Broujerdi

Hoorang is a Senior Technical Account Manager at AWS Enterprise Support with over two decades of experience in IT, spanning both industry and academia. He helps organizations architect resilient, secure, and efficient cloud environments, guiding them through complex networking challenges and large-scale infrastructure transformations. Combining deep technical expertise with a clear understanding of enterprise priorities, he provides strategic direction and hands-on solutions to support every stage of the cloud adoption journey. As a seasoned network, security, and cloud specialist, he has helped numerous organizations enhance their cloud operations through targeted optimizations, robust architectures, and best-practice implementations.

Ankush Goyal

Ankush Goyal is a Senior Technical Account Manager at AWS Enterprise Support, specializing in helping customers in the travel and hospitality industries optimize their cloud infrastructure. With over 20 years of IT experience, he focuses on leveraging AWS networking services to drive operational efficiency and cloud adoption. Ankush is passionate about delivering impactful solutions and enabling clients to streamline their cloud operations.