Using Secrets Manager and Terraform - AWS Prescriptive Guidance

Using Secrets Manager and Terraform

AWS Secrets Manager

AWS Secrets Manager is a service for securely encrypting, storing, and rotating credentials for databases and other services. It helps you replace hardcoded credentials in your code, including passwords, with an API call that retrieves the secret programmatically at run time. In Secrets Manager, a secret consists of credential information (the secret value) and its metadata. The secret value can be binary, a single string, or multiple strings (commonly stored as a JSON object of key-value pairs). For more information, see Secret.

Secrets Manager uses 256-bit Advanced Encryption Standard (AES) symmetric data keys to encrypt secret values. For more information, see Secret encryption and decryption in AWS Secrets Manager.

You can access and work with Secrets Manager by using any of the following approaches:

  • Secrets Manager console

  • Command line tools

  • AWS SDKs

  • HTTPS Query API, also called the Secrets Manager API

  • AWS Secrets Manager endpoints

Terraform

Terraform is an infrastructure as code (IaC) tool from HashiCorp that helps you create and manage cloud and on-premises resources. You can use Terraform to deploy resources and infrastructure in the AWS Cloud.

Terraform stores information about your managed AWS infrastructure and its configurations. This information is called the state. By default, the state is stored in a local file named terraform.tfstate. This file is in JSON format, and Terraform might store sensitive data, such as database passwords or secret values, in this state file in plain text. This is a risk because any user who can read the state file can read those sensitive values.
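The following script is an added example, not code from the AWS guide. It makes the two points above concrete: it audits a Terraform state file (format version 4) and lists every resource attribute that holds a credential in plain text, whether or not Terraform marked it sensitive, and it decodes a Secrets Manager secret value that is either a single string or a JSON object of multiple strings. The sample state is constructed; the resource names, secret identifier, and secret values are placeholders, and the SENSITIVE_KEYS list is a heuristic, not a Terraform or AWS definition.

```python
"""Audit a Terraform state file for credentials stored in plain text.

Added example (not from the AWS guide). The state below is constructed;
all names and values are placeholders, not real AWS resources.
"""
import json

# Attribute names that hold credential material in common AWS provider
# resources. Heuristic: extend it for the providers you use.
SENSITIVE_KEYS = {"password", "secret_string", "secret_binary",
                  "private_key", "client_secret", "token"}

# Constructed state: a Secrets Manager secret version, an RDS instance, and
# a data source that read the secret back. All three land in plain text.
SAMPLE_STATE_JSON = r'''
{
  "version": 4,
  "resources": [
    {"mode": "managed", "type": "aws_secretsmanager_secret_version", "name": "db",
     "instances": [{
       "attributes": {
         "secret_id": "placeholder-db",
         "secret_string": "{\"username\":\"dbadmin\",\"password\":\"PLACEHOLDER-pass-1\"}"},
       "sensitive_attributes": [[{"type": "get_attr", "value": "secret_string"}]]}]},
    {"mode": "managed", "type": "aws_db_instance", "name": "main",
     "instances": [{
       "attributes": {"engine": "postgres", "username": "dbadmin",
                      "password": "PLACEHOLDER-pass-1"},
       "sensitive_attributes": []}]},
    {"mode": "data", "type": "aws_secretsmanager_secret_version", "name": "db_read",
     "instances": [{
       "attributes": {
         "secret_id": "placeholder-db",
         "secret_string": "{\"username\":\"dbadmin\",\"password\":\"PLACEHOLDER-pass-1\"}"},
       "sensitive_attributes": [[{"type": "get_attr", "value": "secret_string"}]]}]}
  ]
}
'''
SAMPLE_STATE = json.loads(SAMPLE_STATE_JSON)


def _marked_sensitive(instance):
    """Top-level attribute names that Terraform itself flagged as sensitive.

    State v4 stores them as path lists, e.g.
    [[{"type": "get_attr", "value": "secret_string"}]].
    """
    names = set()
    for path in instance.get("sensitive_attributes", []):
        for step in path:
            if step.get("type") == "get_attr":
                names.add(step["value"])
                break  # the first step names the top-level attribute
    return names


def find_plaintext_secrets(state):
    """One finding per attribute holding a credential in plain text.

    Reports an attribute if Terraform marked it sensitive OR its name is in
    SENSITIVE_KEYS (catches values older provider versions did not mark).
    Only a short preview of the value is kept so the report is not itself
    another copy of the secret.
    """
    findings = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        for inst in res.get("instances", []):
            marked = _marked_sensitive(inst)
            for key, value in inst.get("attributes", {}).items():
                if value in (None, ""):
                    continue
                if key in marked or key in SENSITIVE_KEYS:
                    findings.append({"address": address, "attribute": key,
                                     "marked_sensitive": key in marked,
                                     "value_preview": str(value)[:6] + "..."})
    return findings


def parse_secret_string(secret_string):
    """Decode a secret value: a JSON object yields multiple named strings,
    anything else is returned as a single string under the key "_raw"."""
    try:
        decoded = json.loads(secret_string)
    except ValueError:
        return {"_raw": secret_string}
    return decoded if isinstance(decoded, dict) else {"_raw": secret_string}


if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_STATE):
        flag = "marked" if f["marked_sensitive"] else "UNMARKED"
        print(f"{f['address']}.{f['attribute']} ({flag}): {f['value_preview']}")
```

Running the script against the constructed state reports three plain-text credentials, including the one from the data source and the RDS password that nothing marked as sensitive; the same function can be pointed at a real terraform.tfstate by replacing SAMPLE_STATE with json.load() of that file, which is a quick check to run before deciding where the state is stored and who can read it.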

This guide provides best practices and recommendations to help you protect sensitive data when using Terraform to manage your AWS resources.