Secure secrets storage

Amazon Secrets Manager encrypts secrets at rest using encryption keys that you own and store in Amazon Key Management Service (KMS). When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment. By default, Secrets Manager does not write or cache the secret to persistent storage. And, you can control access to the secret using fine-grained Amazon Identity and Access Management (IAM) policies and resource-based policies. You can also tag secrets individually and apply tag-based access controls. For example, you can tag secrets used in the production environment as “Prod,” and then write an IAM policy to grant access to these secrets only if the requests are coming from within the corporate IT network.

Automatic secrets rotation without disrupting applications

With Amazon Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, Amazon SDK, or Amazon CLI. For example, to rotate a database password, you provide the database type, rotation frequency, and master database credentials when storing the password in Secrets Manager. Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and clusters hosted on Amazon Redshift. You can extend Secrets Manager to rotate other secrets by modifying sample Lambda functions. For example, you can rotate OAuth refresh tokens used to authorize applications or passwords used for MySQL databases hosted on-premises. Users and applications retrieve secrets by replacing hardcoded secrets with a call to Secrets Manager APIs, enabling you to automate secret rotation while ensuring applications run without interruption.

Programmatic retrieval of secrets

You can store and retrieve secrets using the Amazon Secrets Manager console, Amazon SDK, Amazon CLI, or Amazon CloudFormation. To retrieve secrets, you simply replace plaintext secrets in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs. Secrets Manager provides code samples to call Secrets Manager APIs, also available on the Secrets Manager Resources page. You can configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the Amazon Web Services network. You can also use Secrets Manager client-side caching libraries to improve the availability and reduce the latency of using your secrets.

Audit and monitor secrets usage

Amazon Secrets Manager enables you to audit and monitor secrets through integration with Amazon Web Services logging, monitoring, and notification services. For example, after enabling Amazon CloudTrail for an Amazon region, you can audit when a secret is stored or rotated by viewing Amazon Web Services CloudTrail logs. Similarly, you can configure Amazon CloudWatch to receive email messages using Amazon Simple Notification Service when secrets remain unused for a period, or you can configure Amazon CloudWatch Events to receive push notifications when Secrets Manager rotates your secrets.