Encryption best practices for AWS Secrets Manager
AWS Secrets Manager helps you replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. Secrets Manager integrates with AWS KMS to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects stored secrets with encryption keys that never leave AWS KMS unencrypted. You can also define custom permissions on the KMS key to audit the operations that generate, encrypt, and decrypt the data keys that protect stored secrets. For more information, see Secret encryption and decryption in AWS Secrets Manager.
Consider the following encryption best practices for this service:
- For most cases, we recommend using the aws/secretsmanager AWS managed key to encrypt secrets. There is no cost for using it.
- To be able to access a secret from another account, or to apply your own key policy to the encryption key, use a customer managed key to encrypt the secret. The key policy of an AWS managed key cannot be changed, so cross-account access to a secret requires a customer managed key.
- In the key policy, assign the value secretsmanager.<region>.amazonaws.com to the kms:ViaService condition key. This limits use of the key to requests that Secrets Manager makes on the caller's behalf; a direct call to AWS KMS with the same credentials does not carry that value and is not matched by the statement.
- To further limit use of the key to requests from Secrets Manager that carry the expected encryption context (such as the ARN of the secret), use keys or values in the Secrets Manager encryption context as a condition for using the KMS key by creating:
  - A string condition operator in an IAM policy or key policy
  - A grant constraint in a grant
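The following is an added worked example, not code from the AWS documentation: it builds a customer managed key policy that combines the kms:ViaService condition with an encryption context condition, and pairs it with a deliberately simplified matcher so you can see which KMS requests the two conditions admit. The account ID, region, role and secret ARN are constructed placeholders; the encryption context key name SecretARN is assumed from the linked "Secret encryption and decryption" page; and the matcher models only Allow statements with StringEquals/StringLike, not Deny statements, identity policies or the full KMS authorization logic.

```python
"""Added example: a Secrets Manager-only KMS key policy plus a simplified
condition matcher. Not AWS code; identifiers below are constructed."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # constructed
REGION = "us-east-1"
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"  # hypothetical caller
# Secret ARNs end in a random suffix; this one is made up.
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:prod/db-AbCdEf"


def secrets_manager_key_policy(account_id, region, role_arn, secret_arn):
    """Key policy: the account root keeps administrative control; the app role
    may use the key only through Secrets Manager in this region, and only for
    operations whose encryption context names this one secret."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "UseViaSecretsManagerOnly",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        # Only requests Secrets Manager makes on the caller's behalf.
                        "kms:ViaService": f"secretsmanager.{region}.amazonaws.com",
                        # Secrets Manager places the secret ARN in the encryption
                        # context (key name SecretARN assumed); pin the key to it.
                        "kms:EncryptionContext:SecretARN": secret_arn,
                    }
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, request):
    """Evaluate the two operators used here. A key missing from the request
    fails StringEquals/StringLike, which is why a direct KMS call that carries
    no kms:ViaService value is not admitted by the restricted statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def key_policy_allows(policy, caller_arn, action, request):
    """Simplified model: True if any Allow statement names the caller and the
    action and its conditions hold. Only the {"AWS": ...} principal form is
    handled; Deny statements, identity policies and grants are not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if caller_arn not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), request):
            return True
    return False


def grant_constraint_allows(constraints, encryption_context):
    """KMS grant constraint semantics: EncryptionContextSubset needs every
    constrained pair present in the request (extra pairs allowed);
    EncryptionContextEquals needs an exact match of the whole context."""
    subset = constraints.get("EncryptionContextSubset")
    if subset is not None and any(encryption_context.get(k) != v for k, v in subset.items()):
        return False
    equals = constraints.get("EncryptionContextEquals")
    if equals is not None and encryption_context != equals:
        return False
    return True


POLICY = secrets_manager_key_policy(ACCOUNT_ID, REGION, APP_ROLE, SECRET_ARN)
VIA_SM = f"secretsmanager.{REGION}.amazonaws.com"
# Grant constraint for a grantee that may only touch this secret's data keys.
# Subset, not Equals, because SecretVersionId differs for every secret version.
GRANT_CONSTRAINTS = {"EncryptionContextSubset": {"SecretARN": SECRET_ARN}}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    via_sm = {"kms:ViaService": VIA_SM, "kms:EncryptionContext:SecretARN": SECRET_ARN}
    print("via Secrets Manager:", key_policy_allows(POLICY, APP_ROLE, "kms:Decrypt", via_sm))
    print("direct kms:Decrypt :", key_policy_allows(POLICY, APP_ROLE, "kms:Decrypt", {}))
```

The policy dict can be serialized with json.dumps and attached to the key with the PutKeyPolicy API; GRANT_CONSTRAINTS is in the shape the CreateGrant API's Constraints parameter takes. Before relying on such a policy, test it against the real service, for example by calling GetSecretValue through Secrets Manager and then calling kms:Decrypt directly with the same credentials, and confirm that only the former succeeds.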