
Amazon Secrets Manager

Amazon Secrets Manager FAQs

General


Amazon Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the Amazon Web Services Cloud, on third-party services, and on-premises.

Amazon Secrets Manager protects access to your applications, services, and IT resources, without the upfront investment and ongoing maintenance costs of operating your own infrastructure.

Secrets Manager is for IT administrators looking for a secure and scalable method to store and manage secrets. Security administrators responsible for meeting regulatory and compliance requirements can use Secrets Manager to monitor secrets and rotate secrets without a risk of impacting applications. Developers who want to replace hardcoded secrets in their applications can retrieve secrets programmatically from Secrets Manager.

Amazon Secrets Manager enables you to store, retrieve, control access to, rotate, audit, and monitor secrets centrally.

You can encrypt secrets at rest to reduce the likelihood of unauthorized users viewing sensitive information. To retrieve secrets, you simply replace secrets in plain text in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs. You use Amazon Identity and Access Management (IAM) policies to control which users and applications can access these secrets. You can rotate passwords, on a schedule or on demand, for supported database types hosted on Amazon Web Services, without a risk of impacting applications. You can extend this functionality to rotate other secrets, such as passwords for Oracle databases hosted on Amazon EC2 or OAuth refresh tokens, by modifying sample Lambda functions. You can also audit and monitor secrets because Secrets Manager integrates with Amazon CloudTrail, Amazon CloudWatch, and Amazon Simple Notification Service (Amazon SNS).

You can manage secrets such as database credentials, on-premises resource credentials, SaaS application credentials, third-party API keys, and Secure Shell (SSH) keys. Secrets Manager enables you to store a JSON document which allows you to manage any text blurb that is 10 Kb or smaller.

You can natively rotate credentials for Amazon Relational Database Service (RDS), Amazon DocumentDB, and Amazon Redshift. You can extend Secrets Manager to rotate other secrets, such as credentials for Oracle databases hosted on EC2 or OAuth refresh tokens, by modifying sample Amazon Lambda functions available in the Secrets Manager documentation.

First, you must write an Amazon Identity and Access Management (IAM) policy permitting your application to access specific secrets. Then, in the application source code, you can replace secrets in plain text with code to retrieve these secrets programmatically using the Secrets Manager APIs. For the complete details and examples, please see the Amazon Secrets Manager User Guide.

To get started with Amazon Secrets Manager:

1. Identify your secrets and locate where they are used in your applications.

2. Sign in to the Amazon Web Services Management Console using your Amazon credentials and navigate to the Secrets Manager console.

3. Use the Secrets Manager console to upload the secret you identified. Alternatively, you can use the Amazon SDK or Amazon CLI to upload a secret (once per secret). You can also write a script to upload multiple secrets.

4. If your secret is not in use yet, follow the instructions on the console to configure automatic rotation. If applications are using your secret, complete steps (5) and (6) before configuring automatic rotation.

5. If other users or applications need to retrieve the secret, write an IAM policy to grant permissions to the secret.

6. Update your applications to retrieve secrets from Secrets Manager.
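The last step above, replacing a credential that was compiled into the application with a runtime lookup, looks like the following in Go. This is an added example, not code from the FAQ or from the Amazon SDK: the SecretsClient interface is an assumed minimal surface (a thin adapter around the real client's GetSecretValue call would satisfy it), the stubClient and the secret named dev/app/db are constructed so the code runs offline, and the JSON field names are whatever your own secret document uses.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// DBCredentials mirrors the JSON document stored as the secret. The field
// names are a constructed example; use whatever keys your secret holds.
type DBCredentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Host     string `json:"host"`
	Port     int    `json:"port"`
	DBName   string `json:"dbname"`
}

// String redacts the password so an accidental log line does not leak it.
func (d DBCredentials) String() string {
	return fmt.Sprintf("%s@%s:%d/%s (password redacted)", d.Username, d.Host, d.Port, d.DBName)
}

// SecretsClient is the one call this code needs from Secrets Manager. It is an
// assumed interface, not the SDK's client type: a small adapter around the
// real GetSecretValue call satisfies it in production, a stub satisfies it here.
type SecretsClient interface {
	GetSecretValue(secretID string) (string, error)
}

// stubClient is a constructed in-memory stand-in for the service.
type stubClient struct{ secrets map[string]string }

func (s stubClient) GetSecretValue(id string) (string, error) {
	v, ok := s.secrets[id]
	if !ok {
		return "", errors.New("ResourceNotFoundException")
	}
	return v, nil
}

// FetchDBCredentials replaces a hardcoded credential with a runtime lookup.
// The service answers with the JSON document you uploaded; the function parses
// it and refuses to hand back a document that lacks the expected keys.
func FetchDBCredentials(c SecretsClient, secretID string) (DBCredentials, error) {
	var creds DBCredentials
	raw, err := c.GetSecretValue(secretID)
	if err != nil {
		return creds, fmt.Errorf("get secret %q: %w", secretID, err)
	}
	if err := json.Unmarshal([]byte(raw), &creds); err != nil {
		// Deliberately omit raw from the error: it is still a secret.
		return creds, fmt.Errorf("secret %q is not the expected JSON document: %w", secretID, err)
	}
	if creds.Username == "" || creds.Password == "" || creds.Host == "" {
		return creds, fmt.Errorf("secret %q is missing username, password or host", secretID)
	}
	return creds, nil
}

// sampleClient holds constructed secrets under constructed names.
func sampleClient() SecretsClient {
	return stubClient{secrets: map[string]string{
		"dev/app/db":     `{"username":"app_rw","password":"s3cr3t-example","host":"db.example.internal","port":5432,"dbname":"orders"}`,
		"dev/app/apikey": `not-json`,
	}}
}

func main() {
	creds, err := FetchDBCredentials(sampleClient(), "dev/app/db")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Build the connection right here from creds; never write the DSN to config.
	fmt.Println("connecting as", creds) // password redacted by String()
}
```

Fetch the secret at start-up or on a cache miss rather than per request, and keep the parsed struct only in memory: the point of the change is that no copy of the password exists in source control, container images or configuration files.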

Please visit the Amazon Web Services Region Table to see the current region availability for Amazon Web Services services.

Rotation


Amazon Secrets Manager enables you to configure database credential rotation on a schedule. This enables you to follow security best practices and rotate your database credentials safely. When Secrets Manager initiates a rotation, it uses the superuser database credentials provided by you to create a clone user with the same privileges, but with a different password. Secrets Manager then communicates the clone user information to databases and applications retrieving the database credentials. To learn more about rotation, refer to the Amazon Secrets Manager Rotation Guide.

No. Authentication happens when a connection is established. When Amazon Secrets Manager rotates a database credential, the open database connection is not re-authenticated.

You can configure Amazon CloudWatch Events to receive a notification when Amazon Secrets Manager rotates a secret. You can also see when Secrets Manager last rotated a secret using the Secrets Manager console or APIs.

Security


Amazon Secrets Manager encrypts secrets at rest using encryption keys that you own and store in Amazon Key Management Service (KMS). You can control access to the secret using Amazon Identity and Access Management (IAM) policies. When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment. By default, Secrets Manager does not write or cache the secret to persistent storage.

You can use Amazon Identity and Access Management (IAM) policies to control the access permissions of users and applications to retrieve or manage specific secrets. For example, you can create a policy that only enables developers to retrieve secrets used for the development environment. To learn more, visit Authentication and Access Control for Amazon Secrets Manager.
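The policy described above, read access only to secrets used for the development environment, can be expressed as an IAM policy document whose Resource element carries a name prefix. The Go below is an added example, not code from the FAQ or from any Amazon library: it builds such a document and evaluates it with a deliberately simplified matcher (Allow and Deny statements with IAM's "*" and "?" wildcards, no conditions, no other policy types). The two action names are real Secrets Manager actions; the region, account id and the "-AbCdEf" suffix in the ARNs are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Statement and Policy model the subset of the IAM policy grammar used here.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// ReadActions are the actions a consumer of a secret needs; nothing here
// grants PutSecretValue, DeleteSecret or RotateSecret.
var ReadActions = []string{"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}

// DevReadPolicy grants read access only to secrets whose name starts with
// "dev/". Region and account id are placeholders supplied by the caller.
func DevReadPolicy(region, accountID string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:   "Allow",
			Action:   ReadActions,
			Resource: []string{fmt.Sprintf("arn:aws:secretsmanager:%s:%s:secret:dev/*", region, accountID)},
		}},
	}
}

// globMatch implements the "*" (any run) and "?" (one character) wildcards
// IAM accepts in Action and Resource elements.
func globMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	switch pattern[0] {
	case '*':
		for i := 0; i <= len(s); i++ {
			if globMatch(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case '?':
		return s != "" && globMatch(pattern[1:], s[1:])
	default:
		return s != "" && s[0] == pattern[0] && globMatch(pattern[1:], s[1:])
	}
}

func anyMatch(patterns []string, s string) bool {
	for _, p := range patterns {
		if globMatch(p, s) {
			return true
		}
	}
	return false
}

// Allows is a simplified evaluator: default deny, an explicit Deny wins over
// any Allow, and a request is allowed only if some Allow statement matches
// both the action and the resource. Conditions are not modelled.
func (p Policy) Allows(action, resourceARN string) bool {
	allowed := false
	for _, st := range p.Statement {
		if !anyMatch(st.Action, action) || !anyMatch(st.Resource, resourceARN) {
			continue
		}
		if st.Effect == "Deny" {
			return false
		}
		if st.Effect == "Allow" {
			allowed = true
		}
	}
	return allowed
}

// JSON renders the document in the form you would attach to a role or user.
func (p Policy) JSON() (string, error) {
	b, err := json.MarshalIndent(p, "", "  ")
	return string(b), err
}

func main() {
	p := DevReadPolicy("us-east-1", "123456789012")
	doc, err := p.JSON()
	if err != nil {
		panic(err)
	}
	fmt.Println(doc)
	dev := "arn:aws:secretsmanager:us-east-1:123456789012:secret:dev/app/db-AbCdEf"
	prod := "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf"
	fmt.Println("dev read:", p.Allows("secretsmanager:GetSecretValue", dev))   // true
	fmt.Println("prod read:", p.Allows("secretsmanager:GetSecretValue", prod)) // false
	fmt.Println("dev write:", p.Allows("secretsmanager:PutSecretValue", dev))  // false
}
```

The prefix wildcard is what makes the policy scale: every new secret created under dev/ is readable by developers without a policy change, while prod/ secrets and every write action stay denied by default.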

Amazon Secrets Manager uses envelope encryption (AES-256 encryption algorithm) to encrypt your secrets in Amazon Key Management Service (KMS).

When you first use Secrets Manager, you can specify the Customer Master Keys (CMKs) to encrypt secrets. If you do not provide a CMK, Secrets Manager creates Amazon KMS default keys for your account automatically. When a secret is stored, Secrets Manager requests a plaintext and an encrypted data key from KMS. Secrets Manager uses the plaintext data key to encrypt the secret in memory. Amazon Secrets Manager stores and maintains the encrypted secret and encrypted data key. When a secret is retrieved, Secrets Manager decrypts the data key (using the Amazon KMS default keys) and uses the plaintext data key to decrypt the secret. The data key is stored encrypted and is never written to disk in plaintext. Also, Secrets Manager does not write or cache the plaintext secret to persistent storage.
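The store and retrieve paths described above, as an added example written in Go with the standard library; this is not code from the FAQ or from KMS. The local kek byte slice stands in for the KMS key (with real KMS that key material never leaves the service, and the GenerateDataKey and Decrypt calls replace the seal and unseal of the data key here); the secret ARN, used as associated data so a ciphertext cannot be moved to another secret, is a constructed placeholder. AES-256-GCM is used for both layers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the service would persist for one secret version: the
// data key wrapped under the KMS key, and the secret sealed under the data
// key. The plaintext of neither is ever stored.
type Envelope struct {
	WrappedDataKey []byte // nonce || AES-256-GCM(kek, dataKey)
	Ciphertext     []byte // nonce || AES-256-GCM(dataKey, secret)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; GCM's tag check rejects any modified byte.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// StoreSecret follows the store path: obtain a fresh data key, encrypt the
// secret in memory with it, and keep only the wrapped form of the data key.
// kek is a local stand-in for the KMS key (assumption for this example).
func StoreSecret(kek []byte, secretARN string, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	defer zero(dataKey) // plaintext data key lives only for this call
	aad := []byte(secretARN)
	ct, err := seal(dataKey, plaintext, aad)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dataKey, aad) // what KMS GenerateDataKey returns as CiphertextBlob
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// RetrieveSecret follows the retrieve path: unwrap the data key (the KMS
// Decrypt call), then decrypt the secret with it.
func RetrieveSecret(kek []byte, secretARN string, env Envelope) ([]byte, error) {
	aad := []byte(secretARN)
	dataKey, err := unseal(kek, env.WrappedDataKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	return unseal(dataKey, env.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for the KMS key
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	arn := "arn:aws:secretsmanager:us-east-1:123456789012:secret:dev/app/db-AbCdEf"
	env, err := StoreSecret(kek, arn, []byte(`{"username":"app_rw","password":"s3cr3t-example"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d-byte wrapped key, %d-byte ciphertext\n", len(env.WrappedDataKey), len(env.Ciphertext))
	got, err := RetrieveSecret(kek, arn, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("retrieved:", string(got))
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1
	_, err = RetrieveSecret(kek, arn, env)
	fmt.Println("tampered ciphertext rejected:", err != nil) // true
}
```

Two properties of the scheme are worth checking in your own deployments: a per-secret data key means compromise of one stored blob does not expose others, and because the data key is only ever unwrapped through the KMS key, access to the KMS key (and its CloudTrail record) is the choke point for every decryption.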

Billing


With Secrets Manager, you pay only for what you use; there is no minimum fee. There are no set-up fees or commitments to begin using the service. At the end of the month, your credit card will automatically be charged for that month’s usage. You are charged for the number of secrets you store and for the API requests made to the service each month.

For current pricing information, visit Amazon Secrets Manager pricing.

Yes, you can try Secrets Manager at no additional charge through the Amazon Secrets Manager 30-day free trial. The free trial enables you to rotate, manage, and retrieve secrets over the 30-day period. The free trial starts when you store your first secret.