AWS CloudTrail entries for Secrets Manager - AWS Secrets Manager

AWS Secrets Manager writes entries to your AWS CloudTrail log for all Secrets Manager operations and for other events related to rotation and deletion. For information about taking action on these events, see Match Secrets Manager events with EventBridge.

Log entries for Secrets Manager operations

Events that are generated by calls to Secrets Manager operations have "detail-type": ["AWS API Call via CloudTrail"].

Note

Before February 2024, some Secrets Manager operations reported events that contained "aRN" instead of "arn" for the secret ARN. For more information, see AWS re:Post.

The following are CloudTrail entries generated when you or a service call Secrets Manager operations through the API, SDK, or CLI.

BatchGetSecretValue

Generated by the BatchGetSecretValue operation. For information about retrieving secrets, see Get secrets from AWS Secrets Manager.

CancelRotateSecret

Generated by the CancelRotateSecret operation. For information about rotation, see Rotate AWS Secrets Manager secrets.

CreateSecret

Generated by the CreateSecret operation. For information about creating secrets, see Create and manage secrets with AWS Secrets Manager.

DeleteResourcePolicy

Generated by the DeleteResourcePolicy operation. For information about permissions, see Authentication and access control for AWS Secrets Manager.

DeleteSecret

Generated by the DeleteSecret operation. For information about deleting secrets, see Delete an AWS Secrets Manager secret.

DescribeSecret

Generated by the DescribeSecret operation.

GetRandomPassword

Generated by the GetRandomPassword operation.

GetResourcePolicy

Generated by the GetResourcePolicy operation. For information about permissions, see Authentication and access control for AWS Secrets Manager.

GetSecretValue

Generated by the GetSecretValue and BatchGetSecretValue operations. For information about retrieving secrets, see Get secrets from AWS Secrets Manager.

ListSecrets

Generated by the ListSecrets operation. For information about listing secrets, see Find secrets in AWS Secrets Manager.

ListSecretVersionIds

Generated by the ListSecretVersionIds operation.

PutResourcePolicy

Generated by the PutResourcePolicy operation. For information about permissions, see Authentication and access control for AWS Secrets Manager.

PutSecretValue

Generated by the PutSecretValue operation. For information about updating a secret, see Modify an AWS Secrets Manager secret.

RemoveRegionsFromReplication

Generated by the RemoveRegionsFromReplication operation. For information about replicating a secret, see Replicate AWS Secrets Manager secrets across Regions.

ReplicateSecretToRegions

Generated by the ReplicateSecretToRegions operation. For information about replicating a secret, see Replicate AWS Secrets Manager secrets across Regions.

RestoreSecret

Generated by the RestoreSecret operation. For information about restoring a deleted secret, see Restore an AWS Secrets Manager secret.

RotateSecret

Generated by the RotateSecret operation. For information about rotation, see Rotate AWS Secrets Manager secrets.

StopReplicationToReplica

Generated by the StopReplicationToReplica operation. For information about replicating a secret, see Replicate AWS Secrets Manager secrets across Regions.

TagResource

Generated by the TagResource operation. For information about tagging a secret, see Tag AWS Secrets Manager secrets.

UntagResource

Generated by the UntagResource operation. For information about untagging a secret, see Tag AWS Secrets Manager secrets.

UpdateSecret

Generated by the UpdateSecret operation. For information about updating a secret, see Modify an AWS Secrets Manager secret.

UpdateSecretVersionStage

Generated by the UpdateSecretVersionStage operation. For information about version stages, see Secret versions.

ValidateResourcePolicy

Generated by the ValidateResourcePolicy operation. For information about permissions, see Authentication and access control for AWS Secrets Manager.

Log entries for deletion

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to deletion. These events have "detail-type": ["AWS Service Event via CloudTrail"].

CancelSecretVersionDelete

Generated by the Secrets Manager service. If you call DeleteSecret on a secret that has versions, and then later call RestoreSecret, Secrets Manager logs this event for each secret version that was restored. For information about restoring a deleted secret, see Restore an AWS Secrets Manager secret.

EndSecretVersionDelete

Generated by the Secrets Manager service when a secret version is deleted. For more information, see Delete an AWS Secrets Manager secret.

StartSecretVersionDelete

Generated by the Secrets Manager service when Secrets Manager starts deletion for a secret version. For information about deleting secrets, see Delete an AWS Secrets Manager secret.

SecretVersionDeletion

Generated by the Secrets Manager service when Secrets Manager deletes a deprecated secret version. For more information, see Secret versions.

Log entries for replication

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to replication. These events have "detail-type": ["AWS Service Event via CloudTrail"].

ReplicationFailed

Generated by the Secrets Manager service when replication fails. For information about replicating a secret, see Replicate AWS Secrets Manager secrets across Regions.

ReplicationStarted

Generated by the Secrets Manager service when Secrets Manager starts replicating a secret. For information about replicating a secret, see Replicate AWS Secrets Manager secrets across Regions.

ReplicationSucceeded

Generated by the Secrets Manager service when a secret is successfully replicated. For information about replicating a secret, see Replicate AWS Secrets Manager secrets across Regions.

Log entries for rotation

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to rotation. These events have "detail-type": ["AWS Service Event via CloudTrail"].

RotationStarted

Generated by the Secrets Manager service when Secrets Manager starts rotating a secret. For information about rotation, see Rotate AWS Secrets Manager secrets.

RotationAbandoned

Generated by the Secrets Manager service when Secrets Manager abandons a rotation attempt and removes the AWSPENDING label from an existing version of a secret. Secrets Manager abandons rotation when you create a new version of a secret during rotation. For information about rotation, see Rotate AWS Secrets Manager secrets.

RotationFailed

Generated by the Secrets Manager service when rotation fails. For information about rotation, see Troubleshoot AWS Secrets Manager rotation.

RotationSucceeded

Generated by the Secrets Manager service when a secret is successfully rotated. For information about rotation, see Rotate AWS Secrets Manager secrets.

TestRotationStarted

Generated by the Secrets Manager service when Secrets Manager starts testing rotation for a secret that is not scheduled for immediate rotation. For information about rotation, see Rotate AWS Secrets Manager secrets.

TestRotationSucceeded

Generated by the Secrets Manager service when Secrets Manager successfully tests rotation for a secret that is not scheduled for immediate rotation. For information about rotation, see Rotate AWS Secrets Manager secrets.

TestRotationFailed

Generated by the Secrets Manager service when Secrets Manager tests rotation for a secret that is not scheduled for immediate rotation and the test rotation fails. For information about rotation, see Troubleshoot AWS Secrets Manager rotation.
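Added example, not part of the AWS documentation: a small classifier for EventBridge-delivered CloudTrail events from Secrets Manager that separates the "AWS API Call via CloudTrail" operations from the deletion, replication and rotation service events listed above, and tolerates the pre-February-2024 "aRN" key when extracting the secret ARN. The nesting of fields under "detail" (requestParameters, responseElements, serviceEventDetails, errorCode), the sample records and the choice of high-interest operations are assumptions made for this example.

```python
API_CALL = "AWS API Call via CloudTrail"
SERVICE_EVENT = "AWS Service Event via CloudTrail"

# Service-generated event names listed on this page, keyed to their section.
SERVICE_EVENTS = {
    **dict.fromkeys(["CancelSecretVersionDelete", "EndSecretVersionDelete",
                     "StartSecretVersionDelete", "SecretVersionDeletion"], "deletion"),
    **dict.fromkeys(["ReplicationFailed", "ReplicationStarted", "ReplicationSucceeded"], "replication"),
    **dict.fromkeys(["RotationStarted", "RotationAbandoned", "RotationFailed", "RotationSucceeded",
                     "TestRotationStarted", "TestRotationSucceeded", "TestRotationFailed"], "rotation"),
}
# API operations that read, delete or re-scope a secret (our selection for alerting, not AWS's).
HIGH_INTEREST_CALLS = {"GetSecretValue", "BatchGetSecretValue", "DeleteSecret",
                       "PutResourcePolicy", "DeleteResourcePolicy"}

def find_secret_arn(node):
    """Depth-first search of the event detail for a secret ARN. Events logged before
    February 2024 may spell the key 'aRN' instead of 'arn', so accept both."""
    if isinstance(node, dict):
        for key in ("arn", "aRN"):
            if isinstance(node.get(key), str):
                return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            if (found := find_secret_arn(item)) is not None:
                return found
    return None

def classify(event):
    # Sort one EventBridge-wrapped CloudTrail record by its detail-type and eventName.
    detail, kind = event.get("detail", {}), event.get("detail-type")
    name = detail.get("eventName", "")
    if kind == API_CALL:
        category = "api"
    elif kind == SERVICE_EVENT:
        category = SERVICE_EVENTS.get(name, "unknown")
    else:
        category = "unknown"
    return {"name": name, "category": category, "secret_arn": find_secret_arn(detail),
            "error": detail.get("errorCode"),  # set by CloudTrail only when a call failed
            "alert": name in HIGH_INTEREST_CALLS or name.endswith("Failed")}

# Constructed sample records (illustrative values and field layout, not real log data).
ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf"
SAMPLE_EVENTS = [
    {"detail-type": API_CALL, "detail": {"eventName": "CreateSecret", "requestParameters": {"name": "prod/db"}, "responseElements": {"aRN": ARN}}},
    {"detail-type": API_CALL, "detail": {"eventName": "DeleteSecret", "errorCode": "AccessDeniedException", "requestParameters": {"secretId": "prod/db"}}},
    {"detail-type": SERVICE_EVENT, "detail": {"eventName": "RotationFailed", "serviceEventDetails": {"arn": ARN}}},
]
```

Run `classify` over a stream of events and route anything with `alert` set to a detection pipeline; the `error` field distinguishes a denied DeleteSecret attempt from a successful one.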