Definition: AWS service for securely managing, rotating, and retrieving credentials, API keys, and other secrets required by applications.
— Source: NERVICO, Product Development Consultancy
What Is AWS Secrets Manager
AWS Secrets Manager is a service that centralizes the management of secrets such as database credentials, API keys, access tokens, and certificates. It eliminates the need to store secrets in source code or configuration files, providing a secure store with encryption, granular access control, and automatic rotation.
How It Works
Secrets are stored encrypted with AWS KMS keys and retrieved at runtime through API calls or native integrations with AWS services. Secrets Manager can automatically rotate database credentials for RDS, Redshift, and DocumentDB using predefined Lambda functions. IAM policies control which applications and roles can access each secret, and CloudTrail records all access for auditing.
Key Use Cases
- Secure storage of database credentials with periodic automatic rotation
- Centralized management of external service API keys in distributed applications
- Injection of secrets into ECS containers and Lambda functions without exposing them in environment variables
- Compliance with security regulations requiring periodic credential rotation
Advantages and Considerations
Secrets Manager significantly reduces the risk of credential exposure and simplifies compliance with security policies. Automatic rotation eliminates manual credential management, a frequent source of errors and vulnerabilities. Cost is based on the number of stored secrets and API calls, which can be relevant in applications with high secret query volume.