AWS Secrets Manager Documentation
Secure secrets storage
AWS Secrets Manager is designed to encrypt secrets at rest with an AWS Key Management Service (AWS KMS) key: either the AWS managed key for the service (aws/secretsmanager) or a customer managed key that you create and whose key policy you control.
- When you retrieve a secret, Secrets Manager is designed to decrypt the secret and transmit it securely over TLS to your local environment.
- Secrets Manager is designed to integrate with AWS Identity and Access Management (IAM) to help control access to each secret using identity-based policies attached to the calling principal and resource-based policies attached to the secret itself; a request must be allowed by at least one and denied by neither.
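As an added example (not taken from the AWS documentation), the resource-based policy below is attached to one secret. It allows a single application role to read the secret and adds an explicit Deny for any GetSecretValue call that does not arrive through a specific interface VPC endpoint. The account ID 111122223333, the role name, and the endpoint ID are placeholders; in a secret's resource policy, "Resource": "*" refers to that secret only.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPaymentsApiRoleToReadThisSecret",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/payments-api-task-role"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyReadsThatBypassOurVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Two checks before applying a policy like this. First, the Deny statement also binds principals in your own account, including a rotation Lambda function: if that function is not attached to a VPC that uses the same endpoint, rotation will fail with AccessDenied, so allowlist it or exempt it from the condition. Second, the resource policy is not the whole story when the secret is encrypted with a customer managed KMS key: the reading principal also needs kms:Decrypt (and a rotation function kms:GenerateDataKey) granted by the key policy, normally scoped with a kms:ViaService condition of secretsmanager.<region>.amazonaws.com so the key cannot be used directly. Use the BlockPublicPolicy option of PutResourcePolicy so a policy that grants access to a wildcard principal is rejected instead of applied.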
Secrets rotation
With AWS Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI.
- Secrets Manager is designed to natively support rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB, clusters hosted on Amazon Redshift, and third-party SaaS providers such as Salesforce and Snowflake (see the full list in the Secrets Manager documentation).
- You can extend Secrets Manager to rotate secrets used with other services by modifying sample Lambda functions.
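A rotation function is invoked four times per rotation, once for each step named in the event (createSecret, setSecret, testSecret, finishSecret), and clients keep reading the AWSCURRENT version until the last step moves that label. The following is an added example, not AWS's sample function: it implements the protocol against two constructed fakes, an in-memory stand-in for the boto3 Secrets Manager client that models the calls a rotation function makes (describe_secret, get_secret_value, put_secret_value, update_secret_version_stage), and a dict standing in for the database whose password is rotated. The secret layout ({"username": ..., "password": ...}) and the ARN in the test are assumptions.

```python
import json
import secrets
import string
import uuid


# Fake constructed for this example: an in-memory Secrets Manager exposing only
# the boto3 calls a rotation function uses. Version ids carry staging labels.
class FakeSecretsManager:
    def __init__(self, arn, current):
        self.arn, first = arn, str(uuid.uuid4())
        self.values = {first: json.dumps(current)}   # version id -> SecretString
        self.stages = {first: ["AWSCURRENT"]}        # version id -> staging labels

    def describe_secret(self, SecretId):
        return {"ARN": self.arn, "VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId is None:   # look the version up by label, AWSCURRENT by default
            VersionId = next(v for v, s in self.stages.items() if (VersionStage or "AWSCURRENT") in s)
        if VersionId not in self.values or (VersionStage and VersionStage not in self.stages[VersionId]):
            raise LookupError("ResourceNotFoundException")
        return {"VersionId": VersionId, "SecretString": self.values[VersionId]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)
        if VersionStage == "AWSCURRENT":   # the service relabels old -> AWSPREVIOUS and drops AWSPENDING
            self.stages[RemoveFromVersionId].append("AWSPREVIOUS")
            self.stages[MoveToVersionId].remove("AWSPENDING")


def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#%+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_handler(sm, db):
    """Return a Lambda-style handler(event, context) bound to the fakes (db is a dict user -> password)."""
    def pending(arn, token):
        return json.loads(sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")["SecretString"])

    def create_secret(arn, token):
        try:
            pending(arn, token)           # already generated on an earlier attempt: keep it
        except LookupError:
            new = json.loads(sm.get_secret_value(SecretId=arn)["SecretString"])
            new["password"] = generate_password()
            sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(new), VersionStages=["AWSPENDING"])

    def set_secret(arn, token):
        p = pending(arn, token)
        db[p["username"]] = p["password"]   # push the new password to the database

    def test_secret(arn, token):
        p = pending(arn, token)
        if db.get(p["username"]) != p["password"]:
            raise RuntimeError("pending credential rejected; AWSCURRENT left untouched")

    def finish_secret(arn, token):
        current = sm.get_secret_value(SecretId=arn)["VersionId"]
        if current != token:                # only now do clients see the new value
            sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current)

    steps = {"createSecret": create_secret, "setSecret": set_secret,
             "testSecret": test_secret, "finishSecret": finish_secret}

    def handler(event, context):
        arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
        versions = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
        if token not in versions:
            raise ValueError(f"version {token} has no staging label; refusing to rotate")
        if "AWSCURRENT" in versions[token]:
            return "already current"        # retry after a completed rotation: no-op
        if "AWSPENDING" not in versions[token]:
            raise ValueError(f"version {token} is not AWSPENDING")
        steps[step](arn, token)
        return step
    return handler


def rotate(sm, db, arn):
    """Drive the four steps the way Secrets Manager invokes the function; return the new password."""
    token = str(uuid.uuid4())
    sm.stages[token] = ["AWSPENDING"]       # the service pre-labels the new version id
    handler = make_handler(sm, db)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        handler({"SecretId": arn, "ClientRequestToken": token, "Step": step}, None)
    return json.loads(sm.get_secret_value(SecretId=arn)["SecretString"])["password"]
```

The guards at the top of the handler are the part worth copying: a version with no staging label is refused, a version that is already AWSCURRENT makes every step a no-op so retries are safe, and a failing testSecret leaves AWSCURRENT untouched, so an application that reads the secret never sees a credential that has not been proven to work. Secrets that must change atomically in two places (for example a password that is also embedded in a connection string) belong in one JSON secret value so that one label move publishes both.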
Secrets replication
With AWS Secrets Manager, you can replicate your secrets to multiple AWS Regions to enable you to meet your disaster recovery and cross-regional redundancy requirements.
Programmatic retrieval of secrets
Build your applications with security of secrets top of mind.
- Secrets Manager provides code samples for calling the Secrets Manager APIs from common programming languages. There are two API calls for retrieving secret values:
  - GetSecretValue: retrieve a single secret by name or ARN.
  - BatchGetSecretValue: retrieve a group of secrets by providing a list of names or ARNs, or filter criteria such as tags.
- Configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network.
- You can also use Secrets Manager client-side caching libraries to improve availability and reduce latency during secrets retrieval.
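The added example below (not AWS's caching library, though it follows the same idea) shows what a client-side cache buys you: one GetSecretValue call per secret per TTL, and, when a refresh fails because the endpoint is unreachable, the last good value is served instead of an error. Both the Secrets Manager client and the clock are constructed fakes so the example runs offline; the secret name prod/db and its JSON layout are assumptions.

```python
import json
import time


class SecretCache:
    """Cache of SecretString values keyed by secret id: refresh after ttl_seconds,
    fall back to the stale value if the refresh fails (constructed example)."""

    def __init__(self, client, ttl_seconds=3600, now=time.monotonic):
        self.client, self.ttl, self.now = client, ttl_seconds, now
        self._entries = {}   # secret id -> (SecretString, fetched_at)

    def get_secret_string(self, secret_id):
        entry = self._entries.get(secret_id)
        if entry and self.now() - entry[1] < self.ttl:
            return entry[0]                          # fresh: no API call
        try:
            value = self.client.get_secret_value(SecretId=secret_id)["SecretString"]
        except Exception:
            if entry is None:
                raise                                # nothing to fall back on
            return entry[0]                          # stale but keeps the app running; next call retries
        self._entries[secret_id] = (value, self.now())
        return value

    def get_secret_json(self, secret_id):
        return json.loads(self.get_secret_string(secret_id))

    def invalidate(self, secret_id):
        """Drop a cached value, e.g. after the database rejects the credential following a rotation."""
        self._entries.pop(secret_id, None)


class FakeClient:
    """Stand-in for the boto3 Secrets Manager client (constructed): counts calls, can be made to fail."""
    def __init__(self, secrets_by_id):
        self.secrets, self.calls, self.failing = secrets_by_id, 0, False

    def get_secret_value(self, SecretId):
        self.calls += 1
        if self.failing:
            raise ConnectionError("simulated endpoint outage")
        return {"ARN": SecretId, "Name": SecretId, "SecretString": self.secrets[SecretId]}


class FakeClock:
    """Deterministic replacement for time.monotonic (constructed)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    client = FakeClient({"prod/db": json.dumps({"username": "app", "password": "pw1"})})
    cache = SecretCache(client, ttl_seconds=300, now=clock)
    first = cache.get_secret_json("prod/db")["password"]           # one API call
    cache.get_secret_json("prod/db")                                # served from cache
    cache.get_secret_json("prod/db")
    calls_after_hits = client.calls
    client.secrets["prod/db"] = json.dumps({"username": "app", "password": "pw2"})  # rotated upstream
    client.failing = True
    clock.advance(301)                                              # TTL expired, refresh fails
    during_outage = cache.get_secret_json("prod/db")["password"]   # stale pw1, not an exception
    client.failing = False
    after_recovery = cache.get_secret_json("prod/db")["password"]  # pw2 once the endpoint is back
    return first, calls_after_hits, during_outage, after_recovery, client.calls
```

The trade-off is visible in demo(): until the TTL expires, a rotated credential is still served from the cache, so pair the cache with invalidate() on authentication failure and keep the TTL shorter than the window in which the previous version remains valid. The cached plaintext lives in process memory; it is only as protected as the process that holds it.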
Audit and monitor secrets usage
AWS Secrets Manager enables you to audit and monitor secrets through integration with AWS logging, monitoring, and notification services: AWS CloudTrail records every Secrets Manager API call, including each GetSecretValue, and Amazon CloudWatch and Amazon EventBridge can alarm on or react to those events.
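Because GetSecretValue is recorded in CloudTrail, a trail is the place to detect misuse of a secret rather than just its existence. The added example below (not part of the AWS documentation) runs three checks over constructed CloudTrail records reduced to the fields the checks use: a read by a principal not on the secret's allowlist, a read that did not arrive through the expected VPC endpoint, and sensitive writes such as PutResourcePolicy. The account ID, role names, secret name and endpoint ID are placeholders.

```python
import json

# Constructed CloudTrail records (one JSON document per line, as in a delivered log file).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "10.0.12.34", "vpcEndpointId": "vpce-0123456789abcdef0",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/payments-api-task-role/ecs-task"},
     "requestParameters": {"secretId": "prod/payments/db"}},
    {"eventTime": "2024-05-01T10:02:17Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/devops-jane"},
     "requestParameters": {"secretId": "prod/payments/db"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "PutResourcePolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/security-admin/console"},
     "requestParameters": {"secretId": "prod/payments/db", "blockPublicPolicy": True}},
    {"eventTime": "2024-05-01T10:06:42Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "errorCode": "AccessDenied", "sourceIPAddress": "10.0.40.9",
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"},
     "requestParameters": {"secretId": "prod/payments/db"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/payments-api-task-role/ecs-task"}},
]]

# Detection policy (assumed for the example): who may read each secret, which endpoint reads
# must come through, and which write calls always deserve a look.
EXPECTED_READERS = {"prod/payments/db": {"payments-api-task-role", "payments-db-rotation"}}
EXPECTED_VPCE = "vpce-0123456789abcdef0"
SENSITIVE_WRITES = {"PutResourcePolicy", "DeleteResourcePolicy", "PutSecretValue", "UpdateSecret",
                    "DeleteSecret", "RestoreSecret", "CancelRotateSecret"}


def principal_name(identity):
    """Role name for an assumed role (assumed-role/<Role>/<session>), last ARN segment otherwise."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole":
        return arn.split("/")[1]
    return arn.rsplit("/", 1)[-1]


def analyze(lines):
    """Return (finding, principal, eventName, secretId) tuples for the Secrets Manager events in lines."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        name, who = ev["eventName"], principal_name(ev.get("userIdentity", {}))
        secret = (ev.get("requestParameters") or {}).get("secretId", "?")
        if ev.get("errorCode") == "AccessDenied":
            findings.append(("access-denied", who, name, secret))   # probing or a broken deployment
        elif name == "GetSecretValue":
            allowed = EXPECTED_READERS.get(secret)
            if allowed is not None and who not in allowed:
                findings.append(("unexpected-reader", who, name, secret))
            if ev.get("vpcEndpointId") != EXPECTED_VPCE:
                findings.append(("outside-vpc-endpoint", who, name, secret))
        elif name in SENSITIVE_WRITES:
            findings.append(("sensitive-write", who, name, secret))
    return findings
```

Two practical notes. The rotation function's role reads and writes the secret on every rotation, so it belongs on the allowlist or every rotation becomes a finding; and a reader that uses BatchGetSecretValue shows up under that event name, so a production version of this check should treat it like GetSecretValue.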
Secrets Manager Integrations
AWS services are designed to integrate with Secrets Manager so that they can obtain credentials from it rather than have them embedded in configuration. Credentials stored in Secrets Manager are encrypted at rest, and Secrets Manager rotates them on the schedule you configure. Once a secret is stored in Secrets Manager, you can pass the ARN of the secret to a supporting AWS service instead of a plaintext credential.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.