Encryption best practices for AWS Secrets Manager

AWS Secrets Manager helps you replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. Secrets Manager integrates with AWS KMS to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects stored secrets with encryption keys that never leave AWS KMS unencrypted. You can also define custom permissions on the KMS key to audit the operations that generate, encrypt, and decrypt the data keys that protect stored secrets. For more information, see Secret encryption and decryption in AWS Secrets Manager.

Consider the following encryption best practices for this service:

For most cases, we recommend using the aws/secretsmanager AWS managed key to encrypt secrets. There is no cost for using it.
To be able to access a secret from another account or to apply a key policy to the encryption key, use a customer managed key to encrypt the secret.
- In the key policy, assign the value secretsmanager.<region>.amazonaws.com to the kms:ViaService condition key. This limits use of the key to only requests from Secrets Manager.
- To further limit use of the key to only requests from Secrets Manager with the correct context, use keys or values in the Secrets Manager encryption context as a condition for using the KMS key by creating:
  - A string condition operator in an IAM policy or key policy
  - A grant constraint in a grant

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon RDS

Amazon S3