General

What is Amazon Secrets Manager?

Amazon Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the Amazon Web Services Cloud, on third-party services, and on-premises.

Why should I use Amazon Secrets Manager?

Amazon Secrets Manager protects access to your applications, services, and IT resources, without the upfront investment and on-going maintenance costs of operating your own infrastructure.

Secrets Manager is for IT administrators looking for a secure and scalable method to store and manage secrets. Security administrators responsible for meeting regulatory and compliance requirements can use Secrets Manager to monitor secrets and rotate secrets without a risk of impacting applications. Developers who want to replace hardcoded secrets in their applications can retrieve secrets programmatically from Secrets Manager.

What can I do with Amazon Secrets Manager?

Amazon Secrets Manager enables you to store, retrieve, control access to, rotate, audit, and monitor secrets centrally.

You can encrypt secrets at rest to reduce the likelihood of unauthorized users viewing sensitive information. To retrieve secrets, you simply replace secrets in plain text in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs. You use Amazon Identity and Access Management (IAM) policies to control which users and applications can access these secrets. You can rotate passwords, on a schedule or on demand, for supported database types hosted on Amazon Web Services, without a risk of impacting applications. You can extend this functionality to rotate other secrets, such as passwords for Oracle databases hosted on Amazon EC2 or OAuth refresh tokens, by modifying sample Lambda functions. You can also audit and monitor secrets because Secrets Manager integrates with Amazon CloudTrail, Amazon CloudWatch, and Amazon Simple Notification Service (Amazon SNS).

What secrets can I manage in Amazon Secrets Manager?

You can manage secrets such as database credentials, on-premises resource credentials, SaaS application credentials, third-party API keys, and Secure Shell (SSH) keys. Secrets Manager enables you to store a JSON document which allows you to manage any text blurb that is 10 Kb or smaller.

What secrets can I rotate with Amazon Secrets Manager?

You can natively rotate credentials for Amazon Relational Database Service (RDS), Amazon DocumentDB, and Amazon Redshift. You can extend Secrets Manager to rotate other secrets, such as credentials for Oracle databases hosted on EC2 or OAuth refresh tokens, by modifying sample Amazon Lambda functions available in the Secrets Manager documentation.

How can my application use these secrets?

First, you must write an Amazon Identity and Access Management (IAM) policy permitting your application to access specific secrets. Then, in the application source code, you can replace secrets in plain text with code to retrieve these secrets programmatically using the Secrets Manager APIs. For the complete details and examples, please see the Amazon Secrets Manager User Guide.

How do I get started with Amazon Secrets Manager?

To get started with Amazon Secrets Manager:

Identify your secrets and locate where they are used in your applications.

Sign in to the Amazon Web Services Management Console using your Amazon credentials and navigate to the Secrets Manager console.

Use the Secrets Manager console to upload the secret you identified. Alternatively, you can use the Amazon  SDK or Amazon CLI to upload a secret (once per secret). You can also write a script to upload multiple secrets.

If your secret is not in use yet, follow the instructions on the console to configure automatic rotation. If applications are using your secret, complete steps (5) and (6) before configuring automatic rotation.

If other users or applications need to retrieve the secret, write an IAM policy to grant permissions to the secret.

Update your applications to retrieve secrets from Secrets Manager.

In what regions is Amazon Secrets Manager available?

Please visit the Amazon Web Services Region Table to see the current region availability for Amazon Web Services services.

Rotation

How does Amazon Secrets Manager implement database credential rotation without impacting applications?

Amazon Secrets Manager enables you to configure database credential rotation on a schedule. This enables you to follow security best practices and rotate your database credentials safely. When Secrets Manager initiates a rotation, it uses the super database credentials provided by you to create a clone user with the same privileges, but with a different password. Secrets Manager then communicates the clone user information to databases and applications retrieving the database credentials. To learn more about rotation, refer to Amazon Secrets Manager Rotation Guide.

Will rotating database credentials impact open connections?

No. Authentication happens when a connection is established. When Amazon Secrets Manager rotates a database credential, the open database connection is not re-authenticated.

How do I know when Amazon Secrets Manager rotates a database credential?

You can configure Amazon CloudWatch Events to receive a notification when Amazon Secrets Manager rotates a secret. You can also see when Secrets Manager last rotated a secret using the Secrets Manager console or APIs.

Security

How does Amazon Secrets Manager keep my secrets secure?
Amazon Secrets Manager encrypts at rest using encryption keys that you own and store in Amazon  Key Management Service (KMS). You can control access to the secret using Amazon Identity and Access Management (IAM) policies. When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment. By default, Secrets Manager does not write or cache the secret to persistent storage.

Who can use and manage secrets in Amazon Secrets Manager?

You can use Amazon Identity and Access Management (IAM) policies to control the access permissions of users and applications to retrieve or manage specific secrets. For example, you can create a policy that only enables developers to retrieve secrets used for the development environment. To learn more, visit Authentication and Access Control for Amazon Secrets Manager.

How does Amazon Secrets Manager encrypt my secrets?

Amazon Secrets Manager uses envelope encryption (AES-256 encryption algorithm) to encrypt your secrets in Amazon Key Management Service (KMS).

When you first use Secrets Manager, you can specify the Customer Master Keys (CMKs) to encrypt secrets. If you do not provide a CMK, Secrets Manager creates Amazon KMS default keys for your account automatically. When a secret is stored, Secrets Manager requests a plaintext and an encrypted data key from KMS. Secrets Manager uses the plaintext data key to encrypt the secret in memory. Amazon Secrets Manager stores and maintains the encrypted secret and encrypted data key. When a secret is retrieved, Secrets Manager decrypts the data key (using the Amazon KMS default keys) and uses the plaintext data key to decrypt the secret. The data key is stored encrypted and is never written to disk in plaintext. Also, Secrets Manager does not write or cache the plaintext secret to persistent storage.

Billing

How will I be charged and billed for my use of Amazon Secrets Manager?

With Secrets Manager, you pay only for what you use, there is no minimum fee. There are no set-up fees or commitments to begin using the service. At the end of the month, your credit card will automatically be charged for that month’s usage. You are charged for number of secrets you store and for API requests made to the service each month.

For current pricing information, visit Amazon Secrets Manager pricing.

Is there a free trial?

Yes, you can try Secrets Manager at no additional charge through the Amazon Secrets Manager 30-day free trial. The free trial enables you to rotate, manage, and retrieve secrets over the 30-day period. The free trial starts when you store your first secret.