AWS Secrets Manager Documentation

Secure secrets storage

AWS Secrets Manager is designed to encrypt secrets at rest using encryption keys that you own and store in AWS Key Management Service (KMS). When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment. By default, Secrets Manager does not write or cache the secret to persistent storage. And, you can control access to the secret using fine-grained AWS Identity and Access Management (IAM) policies and resource-based policies. You can also tag secrets individually and apply tag-based access controls.

Automatic secrets rotation without disrupting applications

With AWS Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI.

Automatic replication of secrets to multiple AWS Regions

With AWS Secrets Manager, you can replicate your secrets to multiple AWS Regions to enable you to meet your unique disaster recovery and cross-regional redundancy requirements.

Programmatic retrieval of secrets

You can store and retrieve secrets using the AWS Secrets Manager console, AWS SDK, AWS CLI, or AWS CloudFormation. To retrieve secrets, you replace plaintext secrets in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs.

Audit and monitor secrets usage

AWS Secrets Manager enables you to audit and monitor secrets through integration with AWS logging, monitoring, and notification services.
 
You can store and retrieve secrets using the AWS Secrets Manager console, AWS SDK, AWS CLI, or AWS CloudFormation. To retrieve secrets, you replace plaintext secrets in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs.

Secrets Manager Integrations

Secrets Manager integrates with certain AWS services to securely manage your credentials. These integrations help you securely exchange credentials with various AWS services.  

Compliance

AWS Secrets Manager enables you to manage secrets for workloads that are subject to Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, DoD CC SRG IL4, and DoD CC SRG IL5), Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), Outsourced Service Provider’s Audit Report (OSPAR), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, Payment Card Industry Data Security Standard (PCI-DSS), or System and Organization Control (SOC).

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.