Secure secrets storage

AWS Secrets Manager encrypts every secret at rest with a key in AWS Key Management Service (AWS KMS): the AWS managed key aws/secretsmanager by default, or a customer managed key that you own and control. With a customer managed key, a caller must be allowed kms:Decrypt on that key as well as secretsmanager:GetSecretValue on the secret, so the key policy is a second, independent control point.

  • When you retrieve a secret, Secrets Manager decrypts it and returns the plaintext to the caller over TLS; only the ciphertext is stored.
  • Secrets Manager integrates with AWS Identity and Access Management (IAM), so access to each secret is governed by fine-grained identity-based IAM policies and by a resource-based policy attached to the secret itself (which can, for example, restrict reads to a specific principal or VPC endpoint).

Automatic secrets rotation without disrupting applications

With AWS Secrets Manager, you can rotate secrets on a schedule or on demand using the Secrets Manager console, the AWS SDKs, or the AWS CLI.

  • Secrets Manager natively supports rotating credentials for databases hosted on HAQM RDS and HAQM DocumentDB and for clusters hosted on HAQM Redshift.
  • You can extend Secrets Manager to rotate secrets used with other AWS or third-party services by modifying the sample Lambda rotation functions. A rotation function implements four steps that Secrets Manager invokes in order, createSecret, setSecret, testSecret, and finishSecret, and the new credential is promoted to AWSCURRENT only after testSecret has proven that it works.

Automatic replication of secrets to multiple AWS Regions

With AWS Secrets Manager, you can automatically replicate your secrets to multiple AWS Regions to meet your disaster recovery and cross-Region redundancy requirements. Specify the AWS Regions where a secret needs to be replicated and Secrets Manager securely creates read replicas there, eliminating the need to build and maintain your own replication. Your multi-Region applications read the replica in their own Region, and Secrets Manager keeps every replica in sync with the primary secret; updates and rotation still happen on the primary.

Programmatic retrieval of secrets

Build your applications with the security of secrets top of mind.

  • Secrets Manager provides code samples to call Secrets Manager APIs from common programming languages. There are two kinds of retrieval API:
    • GetSecretValue retrieves a single secret by name or ARN (optionally a specific version or staging label).
    • BatchGetSecretValue retrieves a group of secrets by a list of names or ARNs, or by filter criteria such as tags.
  • Configure HAQM Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network, and pair them with a resource-policy condition on the endpoint so the secret cannot be read from anywhere else.
  • You can also use the Secrets Manager client-side caching libraries to improve availability and reduce latency (and API call volume) during secrets retrieval. Because a cached value can outlive a rotation, invalidate the cache when a downstream authentication fails.
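As an added example, not code from this page and not the AWS caching library itself, a minimal cache that shows the two behaviours the last bullet alludes to: serving from memory inside a TTL, and serving the last good value when Secrets Manager cannot be reached. FakeSecretsClient, the injected clock and every secret value are constructed; the response shape follows boto3's get_secret_value (SecretString for text, SecretBinary as bytes).

```python
"""Secret retrieval behind a client-side TTL cache that keeps serving the last good value
when a refresh fails. Added illustration of what the Secrets Manager caching libraries do
for you, not the libraries themselves. FakeSecretsClient, the fake clock and the responses
are constructed here; the response shape follows boto3's get_secret_value."""
import json
import time


class FakeSecretsClient:
    """Stand-in for boto3's Secrets Manager client: secret id -> response dict, or an Exception to raise."""
    def __init__(self, responses):
        self.responses, self.calls = responses, 0
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        resp = self.responses[SecretId]
        if isinstance(resp, Exception):
            raise resp
        return resp


def decode_secret(resp):
    """A secret is either SecretString (often a JSON document) or SecretBinary; handle both."""
    if "SecretString" in resp:
        text = resp["SecretString"]
        try:
            return json.loads(text)  # key/value secrets such as {"username": ..., "password": ...}
        except ValueError:
            return text  # a bare token or password
    return resp["SecretBinary"]


class SecretCache:
    """Cache decoded secrets for ttl seconds; fall back to the stale copy if a refresh fails."""
    def __init__(self, client, ttl=3600, clock=time.monotonic):
        self.client, self.ttl, self.clock = client, ttl, clock
        self.entries = {}  # secret id -> (value, fetched_at)

    def get(self, secret_id):
        now = self.clock()
        entry = self.entries.get(secret_id)
        if entry and now - entry[1] < self.ttl:
            return entry[0]
        try:
            value = decode_secret(self.client.get_secret_value(SecretId=secret_id))
        except Exception:
            if entry is None:
                raise  # nothing to fall back on: fail closed rather than invent a value
            return entry[0]  # stale but real: the availability trade-off the caching libraries make
        self.entries[secret_id] = (value, now)
        return value

    def invalidate(self, secret_id):
        """Call this when the secret is rejected downstream: a rotation may have happened inside the TTL."""
        self.entries.pop(secret_id, None)


def connect_with_retry(cache, secret_id, connect):
    """Use the cached credential; on an auth failure, drop the cached copy and retry once with a fresh one."""
    try:
        return connect(cache.get(secret_id))
    except PermissionError:
        cache.invalidate(secret_id)
        return connect(cache.get(secret_id))
```

The stale-on-failure branch is deliberate: a throttled or unreachable API should not take the application down when it already holds a working credential. The cost is that a rotation is only noticed at the next refresh, which connect_with_retry covers by invalidating on the first authentication failure.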

Audit and monitor secrets usage

AWS Secrets Manager lets you audit and monitor secrets through integration with AWS logging, monitoring, and notification services. For example, once AWS CloudTrail is enabled for an AWS Region, every Secrets Manager API call, including GetSecretValue, is recorded, so you can audit who created, read, rotated, or deleted a secret by reviewing the CloudTrail logs. Similarly, you can configure HAQM CloudWatch to send email through HAQM Simple Notification Service when secrets remain unused for a period, or configure HAQM CloudWatch Events (now HAQM EventBridge) to receive push notifications when Secrets Manager rotates your secrets.
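What "audit by reviewing the CloudTrail logs" looks like in practice, as an added example that is not an AWS feature or code from this page: a few detection rules run over constructed CloudTrail-shaped records. The principals, account id, VPC endpoint id and the allow-list of who may read which secret are all hypothetical; the field names (eventSource, eventName, userIdentity.arn, requestParameters.secretId, vpcEndpointId, errorCode) are the ones CloudTrail uses.

```python
"""Detection logic over CloudTrail records for Secrets Manager. Added example, not an AWS feature.
The records below are constructed to look like CloudTrail events; ALLOWED_READERS and
EXPECTED_VPCE describe a hypothetical policy for the environment being monitored."""
from collections import Counter

ACCOUNT = "123456789012"  # constructed
APP_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/app-role/i-0abc12345"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
SM = "secretsmanager.amazonaws.com"

ALLOWED_READERS = {"prod/db": {APP_ROLE}}  # hypothetical: who may call GetSecretValue on what
EXPECTED_VPCE = "vpce-0123456789abcdef0"   # hypothetical: reads are expected through this endpoint
SENSITIVE = {"DeleteSecret", "PutResourcePolicy", "DeleteResourcePolicy", "CancelRotateSecret", "UpdateSecret"}


def event(name, who, secret, **extra):
    rec = {"eventSource": SM, "eventName": name, "userIdentity": {"arn": who},
           "requestParameters": {"secretId": secret}}
    rec.update(extra)
    return rec


EVENTS = [  # constructed sample feed; a real one would come from CloudTrail Lake, S3 or CloudWatch Logs
    event("GetSecretValue", APP_ROLE, "prod/db", vpcEndpointId=EXPECTED_VPCE, sourceIPAddress="10.0.1.5"),
    event("GetSecretValue", ALICE, "prod/db", sourceIPAddress="203.0.113.7"),  # a human, from the internet
    event("GetSecretValue", BOB, "prod/db", errorCode="AccessDenied"),
    event("GetSecretValue", BOB, "prod/payments", errorCode="AccessDenied"),
    event("GetSecretValue", BOB, "prod/api-key", errorCode="AccessDenied"),   # looks like enumeration
    event("DeleteSecret", ALICE, "prod/db"),
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": {"arn": ALICE}},
]


def analyse(events, allowed=ALLOWED_READERS, vpce=EXPECTED_VPCE, denied_threshold=3):
    """Return (rule, principal, detail) findings for the Secrets Manager events in the feed."""
    findings, denied = [], Counter()
    for e in events:
        if e.get("eventSource") != SM:
            continue
        who = e["userIdentity"]["arn"]
        secret = e.get("requestParameters", {}).get("secretId", "?")
        if e.get("errorCode") == "AccessDenied":
            denied[who] += 1  # counted across secrets: repeated denials suggest probing
            continue
        if e["eventName"] == "GetSecretValue":
            if who not in allowed.get(secret, set()):
                findings.append(("unexpected-reader", who, secret))
            if e.get("vpcEndpointId") != vpce:  # the field is absent when the call did not use the endpoint
                findings.append(("bypassed-vpc-endpoint", who, secret))
        elif e["eventName"] in SENSITIVE:
            findings.append(("sensitive-change:" + e["eventName"], who, secret))
    for who, n in denied.items():
        if n >= denied_threshold:
            findings.append(("access-denied-burst", who, f"{n} denials"))
    return findings


if __name__ == "__main__":
    for rule, who, detail in analyse(EVENTS):
        print(f"{rule:<28} {who:<60} {detail}")
```

Two of these rules only make sense against your own policy: the reader allow-list is whatever the secret's resource policy and IAM policies are supposed to enforce, and the endpoint check is only a finding if the resource policy is meant to require that endpoint. Successful reads from a human identity of a secret that only a workload role should touch are the highest-value signal here, and they are invisible without CloudTrail.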

Compliance

You can use AWS Secrets Manager to meet compliance requirements.

  • Use AWS Config managed rules (for example, checks that rotation is enabled, that scheduled rotations have succeeded, that unused secrets are flagged, and that secrets are encrypted with a customer managed key) to verify that your secrets are configured in accordance with your organization’s security and compliance requirements.
  • Manage secrets for workloads that are subject to Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, DoD CC SRG IL4, and DoD CC SRG IL5), Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), Outsourced Service Provider’s Audit Report (OSPAR), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, Payment Card Industry Data Security Standard (PCI-DSS), or System and Organization Control (SOC).
  • View details of AWS’s compliance programs and download the corresponding reports in AWS Artifact.

Secrets Manager Integration

AWS services integrate with Secrets Manager to securely manage your credentials, so you can hand a credential to another AWS service without handling the plaintext yourself. The credentials stored in Secrets Manager are encrypted with either the AWS managed KMS key or a customer managed key. When rotation is configured, Secrets Manager rotates the secret on the schedule you set and the integrated service picks up the current version. Once a secret is stored in Secrets Manager, you provide its ARN to the integrated service instead of a plaintext credential.

Integrated services

Alexa for Business
AWS App2Container
HAQM AppFlow
AWS AppSync
HAQM Athena
AWS CodeBuild
AWS Direct Connect
AWS Directory Service
HAQM DocumentDB (with MongoDB compatibility)
AWS Elemental MediaLive
AWS Elemental MediaConnect
AWS Elemental MediaConvert
HAQM CodeGuru Reviewer
AWS Elemental MediaPackage
AWS Elemental MediaTailor
HAQM EMR
HAQM EventBridge
HAQM FSx
AWS Glue DataBrew
AWS Glue Studio
AWS IoT SiteWise
HAQM Kendra
AWS Launch Wizard
HAQM Lookout for Metrics
HAQM Managed Streaming for Apache Kafka (HAQM MSK)
HAQM Managed Workflows for Apache Airflow (HAQM MWAA)
AWS Migration Hub
AWS OpsWorks for Chef Automate
HAQM Relational Database Service (HAQM RDS)
HAQM Redshift
HAQM Redshift query editor v2
HAQM SageMaker
AWS Toolkit for JetBrains
AWS Transfer Family