AWS Secrets Manager secrets managed by other AWS services

Many AWS services store and use secrets in AWS Secrets Manager. In some cases, these secrets are managed secrets, which means that the service that created them helps manage them. For example, some managed secrets include managed rotation, so you don't have to configure rotation yourself. The managing service might also restrict you from updating secrets or deleting them without a recovery period, which helps prevent outages because the managing service depends on the secret.

Managed secrets use a naming convention that includes the managing service ID to help identify them.

Secret name: ServiceID!MySecret
Secret ARN : arn:aws:us-east-1:ServiceID!MySecret-a1b2c3

IDs for services that manage secrets

To find secrets that are managed by other AWS services, see Find managed secrets.

Amazon AppFlow

In Amazon AppFlow, when you configure an SaaS application as a source or destination, you create a connection. This includes information required for connecting to the SaaS applications, such as authentication tokens, user names, and passwords. Amazon AppFlow stores your connection data in a Secrets Manager managed secret with the prefix appflow. The cost of storing the secret is included with the charge for Amazon AppFlow. For more information, see Data protection in Amazon AppFlow in the Amazon AppFlow User Guide.

AWS Glue DataBrew

AWS Glue DataBrew provides the DETERMINISTIC_DECRYPT, DETERMINISTIC_ENCRYPT, and CRYPTOGRAPHIC_HASH recipe steps to perform transformations on personally identifiable information (PII) in a dataset, which use an encryption key stored in a Secrets Manager secret. If you use the DataBrew default secret to store the encryption key, DataBrew creates a managed secret with the prefix databrew. The cost of storing the secret is included with the charge for using DataBrew.

AWS DataSync

To collect information about an on-premises storage system, AWS DataSync Discovery uses the credentials for the storage system's management interface. DataSync stores those credentials in a Secrets Manager managed secret with the prefix datasync. You are charged for that secret. For more information, see Adding your on-premises storage system to DataSync Discovery in the AWS DataSync User Guide.

AWS Direct Connect

AWS Direct Connect stores a connectivity association key name and connectivity association key pair (CKN/CAK pair) in a managed secret with the prefix directconnect. The cost of the secret is included with the charge for AWS Direct Connect. To update the secret, you must use AWS Direct Connect rather than Secrets Manager. For more information, see Associate a MACsec CKN/CAK with a LAG in the AWS Direct Connect User Guide.

Amazon EventBridge

When you create an Amazon EventBridge API destination, EventBridge stores the connection for it in a Secrets Manager managed secret with the prefix events. The cost of storing the secret is included with the charge for using an API destination. To update the secret, you must use EventBridge rather than Secrets Manager. For more information, see API destinations in the Amazon EventBridge User Guide.

AWS Marketplace

When you use AWS Marketplace Quick Launch, AWS Marketplace distributes your software along with the license key. AWS Marketplace stores the license key in your account as a Secrets Manager managed secret. The cost of storing the secret is included with the charges for AWS Marketplace. To update the secret, you must use AWS Marketplace rather than Secrets Manager. For more information, see Configure Quick Launch in the AWS Marketplace Seller Guide.

AWS OpsWorks for Chef Automate

When you create a new server in AWS OpsWorks CM, OpsWorks CM stores information for the server in a Secrets Manager managed secret with the prefix opsworks-cm. The cost of the secret is included in the charge for AWS OpsWorks. For more information, see Integration with AWS Secrets Manager in the AWS OpsWorks User Guide.

Amazon RDS and Aurora

To manage master user credentials for Amazon Relational Database Service (Amazon RDS), including Aurora, Amazon RDS can create a managed secret for you. You are charged for that secret. Amazon RDS also manages rotation for these credentials. For more information, see Password management with Amazon RDS and AWS Secrets Manager in the Amazon RDS User Guide and Password management with Amazon Aurora and AWS Secrets Manager in the Amazon Aurora User Guide.

For other Amazon RDS credentials, see Create an AWS Secrets Manager database secret.

Amazon Redshift

To manage admin credentials for Amazon Redshift, Amazon Redshift can create a managed secret for you. You are charged for that secret. Amazon Redshift also manages rotation for these credentials. For more information, see Managing Amazon Redshift admin passwords using AWS Secrets Manager in the Amazon Redshift Management Guide.

For other Amazon Redshift credentials, see Create an AWS Secrets Manager database secret. To use a secret for credentials when you call the Data API, see Using the Amazon Redshift Data API. To use a secret when you use the Amazon Redshift query editor to connect to a database, see Querying a database using the query editor in the Amazon Redshift Management Guide and Amazon Redshift query editor v2.

Amazon Redshift query editor v2

When you use the Amazon Redshift query editor v2 to connect to a database, Amazon Redshift can store your credentials in a Secrets Manager managed secret with the prefix sqlworkbench. The cost of storing the secret is included with the charge for using Amazon Redshift. To update the secret, you must use Amazon Redshift rather than Secrets Manager. For more information, see Working with query editor v2 in the Amazon Redshift Management Guide.
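The naming convention and the per-service prefixes described above can be used to triage a secret inventory. The following is an added example, not code from the AWS documentation: it splits each name or ARN at the `!` and reports which secrets this page says must be updated through the managing service and which are billed separately. The function names are hypothetical, the table holds only the prefixes this page spells out, and treating every name of the form `ID!rest` as following the convention is an assumption.

```python
import re

# Service ID -> (managing service, billed separately, page says "update via the service").
PAGE_PREFIXES = {
    "appflow": ("Amazon AppFlow", False, False),
    "databrew": ("AWS Glue DataBrew", False, False),
    "datasync": ("AWS DataSync", True, False),
    "directconnect": ("AWS Direct Connect", False, True),
    "events": ("Amazon EventBridge", False, True),
    "opsworks-cm": ("AWS OpsWorks CM", False, False),
    "sqlworkbench": ("Amazon Redshift query editor v2", False, True),
}
ARN_SUFFIX = re.compile(r"-[A-Za-z0-9]{6}$")  # random suffix Secrets Manager appends in ARNs

def secret_name(name_or_arn):
    """Return the bare secret name; for an ARN, the last ':' field minus the suffix."""
    is_arn = name_or_arn.startswith("arn:")
    return ARN_SUFFIX.sub("", name_or_arn.rsplit(":", 1)[1]) if is_arn else name_or_arn

def classify(name_or_arn):
    """Split 'ServiceID!MySecret' and attach what this page says about that service ID."""
    name = secret_name(name_or_arn)
    service_id, sep, rest = name.partition("!")
    if not (sep and service_id and rest):
        return {"name": name, "managed": False}
    service, billed, via = PAGE_PREFIXES.get(service_id, (None, None, None))
    return {"name": name, "managed": True, "service_id": service_id,
            "service": service, "billed": billed, "update_via_service": via}

def audit(inventory):
    """Bucket secret names/ARNs by how an operator should treat them."""
    report = {"unmanaged": [], "unlisted_id": [], "update_via_service": [], "billed": []}
    for item in inventory:
        c = classify(item)
        if not c["managed"]:
            report["unmanaged"].append(c["name"])
        elif c["service"] is None:  # managed-style name, service ID not in the table above
            report["unlisted_id"].append(c["name"])
        for key in ("update_via_service", "billed"):
            if c.get(key):
                report[key].append(c["name"])
    return report

SAMPLE = [  # constructed inventory; names, account ID and suffixes are made up
    "prod/app/db-password", "events!connection/demo-api/1a2b", "ServiceID!MySecret",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:datasync!storage-01-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:sqlworkbench!conn-a1b2c3",
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Where API output is available, the OwningService field returned by DescribeSecret and ListSecrets identifies the managing service directly; the name check is for inventories that carry only names or ARNs.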