Manage the secrets lifecycle centrally using AWS Secrets Manager.
What is AWS Secrets Manager?
OAuth tokens, API keys, database credentials, application credentials, and other secrets may all be managed, retrieved, and rotated with the aid of AWS Secrets Manager. Many AWS services store and use secrets using Secrets Manager.
Secrets Manager improves your security posture by removing the need for hard-coded credentials in application source code. If credentials are stored in your code, anyone who can examine your application or its components could potentially compromise them. A runtime call to the Secrets Manager service lets you retrieve credentials dynamically when they are needed, replacing hard-coded credentials.
Secrets Manager allows you to create an automatic secret rotation schedule. This greatly lowers the chance of compromise by allowing you to swap out long-term secrets for short-term ones. Because the credentials are no longer stored with the application, rotating them no longer requires updating your applications and pushing changes to application clients.
Advantages
- Centrally audit and securely encrypt secrets.
- Control who has access to secrets.
- Rotate secrets automatically.
- Replicate secrets to support disaster recovery plans.
Use cases
Keep secrets safe
Manage and keep credentials, API keys, and other secrets in one place.
Use fine-grained policies to control access
To control who may access your secrets, use AWS Identity and Access Management (IAM) permissions policies.
Rotate secrets automatically
Without redeploying or interfering with running applications, rotate secrets on demand or according to a schedule.
Audit and track the use of secrets
Integrate with AWS logging, monitoring, and notification services to audit how secrets are used.
Features of AWS Secrets Manager
Safekeeping of secrets
AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (AWS KMS).
- Secrets Manager decrypts the secret when you retrieve it and sends it safely over TLS to your local environment.
- Using resource-based and fine-grained IAM policies, Secrets Manager connects with AWS Identity and Access Management (IAM) to manage access to the secret.
Rotating secrets automatically without interfering with applications
Using the Secrets Manager console, AWS SDK, or AWS CLI, you may use AWS Secrets Manager to rotate secrets on a schedule or as needed.
- Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB, as well as clusters hosted on Amazon Redshift.
- By modifying the sample Lambda functions, you can extend Secrets Manager to rotate secrets used with other AWS or third-party services.
Secrets are automatically replicated to several AWS regions
To satisfy your specific disaster recovery and cross-regional redundancy needs, you can use AWS Secrets Manager to automatically replicate your secrets to many AWS Regions. There is no need to maintain a complicated solution for this capability; simply specify which AWS regions a secret needs to be replicated to, and Secrets Manager will safely generate regional read replicas. You can trust Secrets Manager to maintain the replicas in sync with the primary secret while granting your multi-Region apps access to replicated secrets in the necessary Regions.
Programmatic retrieval of secrets
Keep the security of your secrets in mind when developing your applications.
- Secrets Manager provides code samples for calling Secrets Manager APIs from popular programming languages. Two categories of APIs are available for retrieving secrets:
  - Retrieve a single secret by name or ARN.
  - Retrieve a collection of secrets by providing a list of names or ARNs, or filter criteria such as tags.
- Set up Amazon Virtual Private Cloud (VPC) endpoints so that communications between Secrets Manager and your VPC remain inside the AWS network.
- Additionally, Secrets Manager client-side caching libraries can be used to decrease latency and increase availability while retrieving secrets.
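The runtime retrieval pattern described in the introduction and in the list above, as an added example that is not code from the page or from AWS: a small client-side TTL cache in front of GetSecretValue, with the secret's JSON body assembled into a database connection string instead of a hard-coded credential. `SecretCache` is hand-written here and is not AWS's own caching library; `ConstructedClient`, the secret name `prod/orders/db`, the account number and the credential values are constructed stand-ins, and in a real deployment the client passed in is `boto3.client("secretsmanager")`.

```python
import json
import time


class SecretCache:
    """Client-side TTL cache in front of GetSecretValue.

    `client` is any object exposing get_secret_value(SecretId=...) the way
    boto3.client("secretsmanager") does; injecting it keeps the class usable offline.
    """

    def __init__(self, client, ttl_seconds=300.0, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # secret id -> (parsed value, version id, fetched_at)
        self.api_calls = 0

    def get(self, secret_id):
        """Return the parsed secret, calling the API only when no fresh copy is cached."""
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and now - hit[2] < self._ttl:
            return hit[0]
        resp = self._client.get_secret_value(SecretId=secret_id)
        self.api_calls += 1
        # String secrets arrive in SecretString; binary ones in SecretBinary (bytes)
        raw = resp["SecretString"] if "SecretString" in resp else resp["SecretBinary"].decode()
        value = json.loads(raw)
        self._entries[secret_id] = (value, resp["VersionId"], now)
        return value

    def invalidate(self, secret_id):
        """Drop a cached copy, e.g. after an auth failure that suggests the secret was rotated."""
        self._entries.pop(secret_id, None)


def build_dsn(secret):
    """Assemble a PostgreSQL DSN from the key layout Secrets Manager uses for RDS credentials."""
    missing = [k for k in ("username", "password", "host", "port", "dbname") if k not in secret]
    if missing:
        raise KeyError(f"secret lacks required keys: {missing}")
    return (f"postgresql://{secret['username']}:{secret['password']}"
            f"@{secret['host']}:{secret['port']}/{secret['dbname']}")


class ConstructedClient:
    """Constructed stand-in for boto3.client("secretsmanager"); returns one fixed secret."""

    def __init__(self, value):
        self.value = value

    def get_secret_value(self, SecretId):
        return {"ARN": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{SecretId}-AbCdEf",
                "Name": SecretId, "VersionId": "00000000-constructed-version",
                "SecretString": json.dumps(self.value)}


def demo():
    """Two reads inside the TTL cost one API call; a read after expiry fetches again."""
    clock = {"now": 0.0}
    client = ConstructedClient({"username": "orders_app", "password": "constructed-pw",
                                "host": "orders.example.internal", "port": 5432, "dbname": "orders"})
    cache = SecretCache(client, ttl_seconds=60, clock=lambda: clock["now"])
    cache.get("prod/orders/db")
    cache.get("prod/orders/db")           # served from cache
    clock["now"] = 61.0
    latest = cache.get("prod/orders/db")  # expired, fetched again
    return cache.api_calls, build_dsn(latest)


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long an application keeps using a value after a rotation, and `invalidate` gives the application a way to refetch immediately when the database rejects the cached password, which is the usual symptom of a rotation that completed mid-TTL.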
Audit and track the use of secrets
By integrating with AWS logging, monitoring, and notification services, AWS Secrets Manager lets you audit and monitor secrets. For instance, once AWS CloudTrail has been enabled for an AWS Region, you can inspect CloudTrail logs to audit when a secret is created or rotated. Likewise, you can set up Amazon CloudWatch Events to receive push alerts when Secrets Manager rotates your secrets, or configure Amazon CloudWatch to send email notifications through Amazon Simple Notification Service when secrets remain unused for a period of time.
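The CloudTrail auditing described above, as an added example that is not from the page or from AWS. The log lines, account number, role names, IP addresses and secret names are constructed to resemble the shape Secrets Manager events take in CloudTrail; `EXPECTED_READERS` is an assumed allow-list of which principals should be reading each secret. The checks flag GetSecretValue calls from principals outside that list, denied attempts, and failed rotations, which are the same fields a CloudWatch or SIEM rule would match on.

```python
import json

# Constructed CloudTrail records for illustration (not real logs). Field names follow
# Secrets Manager events as CloudTrail records them; account, names and IPs are made up.
SAMPLE_LOG_LINES = [json.dumps(r) for r in (
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OrdersAppRole/i-0abc123"},
     "requestParameters": {"secretId": "prod/orders/db"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsAdmin/alice"},
     "requestParameters": {"secretId": "prod/orders/db"}},
    {"eventTime": "2024-05-01T10:03:12Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"secretId": "prod/orders/db"},
     "errorCode": "AccessDeniedException", "errorMessage": "User is not authorized"},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "RotationSucceeded", "awsRegion": "us-east-1", "eventType": "AwsServiceEvent",
     "userIdentity": {"accountId": "123456789012", "invokedBy": "secretsmanager.amazonaws.com"},
     "additionalEventData": {"SecretId": "prod/orders/db"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "RotationFailed", "awsRegion": "us-east-1", "eventType": "AwsServiceEvent",
     "userIdentity": {"accountId": "123456789012", "invokedBy": "secretsmanager.amazonaws.com"},
     "additionalEventData": {"SecretId": "prod/payments/api-key"}},
    {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/OrdersAppRole/i-0abc123"}},
)]

# Constructed allow-list: which principals are expected to read each secret.
EXPECTED_READERS = {"prod/orders/db": {"role/OrdersAppRole"}}


def load_records(lines):
    """Parse one CloudTrail record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def principal_of(record):
    """Reduce userIdentity to a stable name: the role for assumed-role sessions, the path for IAM users."""
    ident = record.get("userIdentity") or {}
    if ident.get("invokedBy"):
        return "service:" + ident["invokedBy"]
    arn = ident.get("arn", "")
    if ":assumed-role/" in arn:
        return "role/" + arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return arn.rsplit(":", 1)[-1] if arn else "unknown"


def secret_of(record):
    """API calls name the secret in requestParameters; rotation service events use additionalEventData."""
    params = record.get("requestParameters") or {}
    extra = record.get("additionalEventData") or {}
    return params.get("secretId") or extra.get("SecretId") or "unknown"


def audit(records, expected_readers):
    """Return (kind, principal, secret, time) findings for reads by unexpected principals,
    denied attempts and failed rotations; records from other services are ignored."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        name, who, secret = rec.get("eventName"), principal_of(rec), secret_of(rec)
        if str(rec.get("errorCode", "")).startswith("AccessDenied"):
            findings.append(("denied", who, secret, rec["eventTime"]))
        elif name == "GetSecretValue" and who not in expected_readers.get(secret, set()):
            findings.append(("unexpected-read", who, secret, rec["eventTime"]))
        elif name == "RotationFailed":
            findings.append(("rotation-failed", who, secret, rec["eventTime"]))
    return findings


def reads_by_principal(records):
    """Count successful GetSecretValue calls per (principal, secret)."""
    counts = {}
    for rec in records:
        if rec.get("eventName") == "GetSecretValue" and "errorCode" not in rec:
            key = (principal_of(rec), secret_of(rec))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit(load_records(SAMPLE_LOG_LINES), EXPECTED_READERS):
        print(*finding)
```

Collapsing the assumed-role session ARN to the role name is what makes the allow-list workable: every EC2 instance or Lambda invocation gets its own session name, but the role is the unit access was granted to.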
Compliance
AWS Secrets Manager can be used to satisfy compliance standards.
- Use AWS Config Rules to guarantee your secrets meet enterprise security and compliance standards.
- Secrets Manager is covered by the following compliance programs: the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, IL4, and IL5), FedRAMP, HIPAA, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, and the Payment Card Industry Data Security Standard (PCI DSS).
Integration of Secrets Manager
Secrets Manager integrates with AWS services to securely manage your credentials. These integrations let you securely exchange credentials with other AWS services. The credentials kept in Secrets Manager are encrypted with either customer-managed or AWS-managed KMS keys. To maintain a high level of security, Secrets Manager rotates secrets on a regular basis. Once your secrets are stored in Secrets Manager, you can supply an AWS service with the ARN of a secret rather than a plaintext credential.