Select the encryption key - AWS Secrets Manager

Your secret information is encrypted using encryption keys that you can manage by using AWS KMS. You can encrypt by using the default service encryption key that Secrets Manager creates on your behalf. Alternatively, you can encrypt by using a customer master key (CMK) that you create in AWS KMS.

If you use a custom CMK, the IAM user or role that later needs to read the secret must have the “kms:Decrypt” permission for that KMS CMK.
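
A check for the requirement above, added here as an example and not taken from the AWS documentation: it tests whether an identity-based policy grants both secretsmanager:GetSecretValue on the secret and kms:Decrypt on the CMK. The ARNs, account ID, and both policy documents are constructed placeholders, and the evaluation is deliberately simplified (conditions, key policies, and other policy types are ignored).

```python
import fnmatch

# Constructed placeholders (assumptions, not values from the original page).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-secret-AbCdEf"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed policy: can call GetSecretValue but lacks kms:Decrypt on the CMK.
MISSING_DECRYPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": SECRET_ARN}]}

# Constructed policy: adds kms:Decrypt on the CMK only, restricted to requests
# that reach KMS through Secrets Manager (kms:ViaService condition key).
WITH_DECRYPT = {"Version": "2012-10-17", "Statement": MISSING_DECRYPT["Statement"] + [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": CMK_ARN,
     "Condition": {"StringEquals": {
         "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}}}]}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified evaluation: some Allow statement matches and no Deny matches.
    Ignores Condition, NotAction, NotResource, and key/resource policies."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        acts = _as_list(stmt.get("Action", []))
        ress = _as_list(stmt.get("Resource", []))
        # Action names are case-insensitive; ARNs are compared case-sensitively.
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)
               and any(fnmatch.fnmatchcase(resource, r) for r in ress))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


def missing_permissions(policy, secret_arn, cmk_arn):
    """Return the actions still missing to read a secret encrypted with a CMK."""
    needed = [("secretsmanager:GetSecretValue", secret_arn), ("kms:Decrypt", cmk_arn)]
    return [action for action, arn in needed if not allows(policy, action, arn)]


if __name__ == "__main__":
    print("without CMK grant:", missing_permissions(MISSING_DECRYPT, SECRET_ARN, CMK_ARN))
    print("with CMK grant:   ", missing_permissions(WITH_DECRYPT, SECRET_ARN, CMK_ARN))
```
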

You’re not billed for using the default encryption key that Secrets Manager creates for you. You’re billed only for your use of CMKs that you create.