AWS Secrets Manager features

Secure secrets storage

AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (AWS KMS). 

  • When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment.
  • Secrets Manager integrates with AWS Identity and Access Management (IAM) to control access to the secret using fine-grained IAM policies and resource-based policies.

Automatic secrets rotation without disrupting applications

With AWS Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI. 

  • Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB and clusters hosted on Amazon Redshift.
  • You can extend Secrets Manager to rotate secrets used with other AWS or 3P services by modifying sample Lambda functions.

Automatic replication of secrets to multiple AWS Regions

With AWS Secrets Manager, you can automatically replicate your secrets to multiple AWS Regions to meet your unique disaster recovery and cross-regional redundancy requirements. Specify the AWS Regions where a secret needs to be replicated and Secrets Manager will securely create regional read replicas, eliminating the need to maintain a complex solution for this functionality. You can give your multi-Region applications access to replicated secrets in the required Regions and rely on Secrets Manager to keep the replicas in sync with the primary secret.

Programmatic retrieval of secrets

Build your applications with security of secrets top of mind.

  • Secrets Manager provides code samples to call Secrets Manager APIs from common programming languages. There are two types of APIs to retrieve secrets:
    • Retrieve a single secret by name or ARN.
    • Retrieve a group of secrets by providing a list of names or ARNs, or filter criteria such as tags.
  • Configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network.
  • You can also use Secrets Manager client-side caching libraries to improve availability and reduce latency during secrets retrieval.

Audit and monitor secrets usage

AWS Secrets Manager enables you to audit and monitor secrets through integration with AWS logging, monitoring, and notification services. For example, after enabling AWS CloudTrail for an AWS Region, you can audit when a secret is created or rotated by viewing AWS CloudTrail logs. Similarly, you can configure Amazon CloudWatch to receive email messages using Amazon Simple Notification Service when secrets remain unused for a period, or you can configure Amazon CloudWatch Events to receive push notifications when Secrets Manager rotates your secrets.

Compliance

You can use AWS Secrets Manager to meet compliance requirements.

  • Use AWS Config Rules to help you verify that your secrets are configured in accordance with your organization’s security and compliance requirements.
  • Manage secrets for workloads that are subject to Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, DoD CC SRG IL4, and DoD CC SRG IL5), Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), Outsourced Service Provider’s Audit Report (OSPAR), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, Payment Card Industry Data Security Standard (PCI-DSS), or System and Organization Control (SOC).
  • View details of AWS’s compliance program and report in AWS Artifact.

Secrets Manager Integration

AWS services integrate with Secrets Manager to securely manage your credentials. These integrations help you securely exchange credentials with various AWS services. The credentials stored in Secrets Manager are encrypted either using AWS managed KMS keys or customer managed keys. Secrets Manager rotates secrets periodically to keep the security bar high. Once your secrets are stored with Secrets Manager, you will be able to provide the ARN of a secret instead of a plain text credential to an AWS service.

Integrated services

Alexa for Business
AWS App2Container
Amazon AppFlow
AWS AppSync
Amazon Athena
AWS CodeBuild
AWS Direct Connect
AWS Directory Service
Amazon DocumentDB (with MongoDB compatibility)
AWS Elemental MediaLive
AWS Elemental MediaConnect
AWS Elemental MediaConvert
Amazon CodeGuru Reviewer
AWS Elemental MediaPackage
AWS Elemental MediaTailor
Amazon EMR
Amazon EventBridge
Amazon FSx
AWS Glue DataBrew
AWS Glue Studio
AWS IoT SiteWise
Amazon Kendra
AWS Launch Wizard
Amazon Lookout for Metrics
Amazon Managed Streaming for Apache Kafka (Amazon MSK)
Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
AWS Migration Hub
AWS OpsWorks for Chef Automate
Amazon Relational Database Service (Amazon RDS)
Amazon Redshift
Amazon Redshift query editor v2
Amazon SageMaker
AWS Toolkit for JetBrains
AWS Transfer Family