AWS Secrets Manager
User Guide

AWS Services That Work with AWS Secrets Manager

AWS Secrets Manager works with other AWS services to provide additional solutions for your business challenges. This topic identifies services that either use Secrets Manager to add functionality, or services that Secrets Manager uses to perform its tasks.

Automating Creation of Your Secrets with AWS CloudFormation

Secrets Manager supports AWS CloudFormation and enables you to define and reference secrets from within your stack template. Secrets Manager defines several AWS CloudFormation resource types that allow you to create a secret and associate it with the service or database whose credentials it stores. You can refer to elements of the secret from other parts of the template by using a dynamic reference of the form {{resolve:secretsmanager:secret-id:SecretString:json-key}}, for example to supply the user name and password for the master user when you define a new database, so the plaintext credentials never have to appear in the template itself. You can create and attach resource-based policies to a secret. You can also configure rotation by defining a Lambda function in your template and associating that function with your new secret as its rotation Lambda function. For more information and a comprehensive example, see Automating Secret Creation in AWS CloudFormation.

Securing Your Secrets with AWS Identity and Access Management (IAM)

Secrets Manager uses IAM to secure access to its secrets. IAM provides the following:

  • Authentication – Verifies the identity of the principal (an IAM user, a role, or an AWS service) that makes a request. Secrets Manager relies on the AWS sign-in process, which uses passwords (console), access keys (API and CLI), and multi-factor authentication (MFA) tokens to prove the caller's identity.

  • Authorization – Ensures that only approved principals can perform operations on AWS resources, such as secrets. Permissions come from the identity-based policies attached to the caller and from the resource-based policy attached to the secret, so you can grant one user write access to specific secrets while granting another user read-only access to a different set of secrets.

For more information about how to protect access to your secrets by using IAM, see Authentication and Access Control for AWS Secrets Manager in this guide. For complete information about IAM, see the IAM User Guide.
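To make the authorization point concrete, here is an added example (it is not from this guide and not AWS code) of a least-privilege identity-based policy for the two-user case above, together with a small evaluator that applies IAM's decision order (an explicit Deny beats any Allow; without an Allow the request is implicitly denied) to sample requests. The policy document, the account id 123456789012, the secret names and the Go evaluator are all constructed for illustration; the real decision is made by IAM and also considers conditions, resource-based policies and permissions boundaries, none of which this example models.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// policyJSON is a constructed identity-based policy: read-only on every secret
// under prod/app/, write on the prod/app/db- secret only, and an explicit deny
// on deletion. Secrets Manager appends a random six-character suffix to every
// secret ARN, which is why the Resource entries end in a wildcard.
const policyJSON = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/*"},
    {"Effect": "Allow",
     "Action": ["secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret"],
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-*"},
    {"Effect": "Deny", "Action": "secretsmanager:DeleteSecret", "Resource": "*"}
  ]
}`

// StringList accepts the IAM convention of either "x" or ["x", "y"].
type StringList []string

func (s *StringList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = StringList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type Statement struct {
	Effect   string     `json:"Effect"`
	Action   StringList `json:"Action"`
	Resource StringList `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

func LoadPolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// glob implements the IAM wildcards: '*' matches any run of characters
// (including ':' and '/', unlike path.Match) and '?' matches one character.
// Action names are matched case-insensitively, as IAM does; ARNs are not.
func glob(pattern, s string, foldCase bool) bool {
	re := strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(pattern))
	if foldCase {
		re = "(?i)" + re
	}
	return regexp.MustCompile("^" + re + "$").MatchString(s)
}

func matchesAny(patterns []string, value string, foldCase bool) bool {
	for _, p := range patterns {
		if glob(p, value, foldCase) {
			return true
		}
	}
	return false
}

// Evaluate applies the IAM decision order for one identity-based policy: an
// explicit Deny in any matching statement wins, an Allow is required for
// access, and with neither the request is implicitly denied.
func Evaluate(p Policy, action, resourceARN string) bool {
	allowed := false
	for _, st := range p.Statement {
		if !matchesAny(st.Action, action, true) || !matchesAny(st.Resource, resourceARN, false) {
			continue
		}
		if st.Effect == "Deny" {
			return false
		}
		allowed = allowed || st.Effect == "Allow"
	}
	return allowed
}

func main() {
	p, _ := LoadPolicy(policyJSON)
	db := "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf"
	fmt.Println(Evaluate(p, "secretsmanager:GetSecretValue", db), Evaluate(p, "secretsmanager:DeleteSecret", db))
}
```

When you write the real policy, keep the trailing wildcard after the secret name: a Resource that names the secret without its random suffix matches nothing, and a bare "*" on the write statement would hand out write access to every secret in the account.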

Monitoring Your Secrets with AWS CloudTrail and Amazon CloudWatch

You can use CloudTrail and CloudWatch to monitor activity that's related to your secrets. CloudTrail records every Secrets Manager API call, whoever makes it (a user, a role, or another AWS service), and writes the records to log files in your Amazon S3 bucket. A record includes the caller, the action, and the request parameters, but never the secret value itself. CloudWatch Events lets you create rules that match these events and trigger a target when activities of interest occur. For example, you can have a text message alert you whenever someone creates a new secret, or when a secret rotates successfully. You can also alert when a client reads a deprecated version of a secret (one that carries the AWSPREVIOUS staging label) instead of the current version, which helps you find clients that have not picked up a rotated credential.
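As an added example (not from this guide and not AWS code), here is the pattern-matching step of the three alerts just described, run offline over constructed records in the envelope that CloudWatch Events builds for CloudTrail events (top-level source and detail-type, with the CloudTrail record under detail). The rule names, the sample records and the matching code are constructed for illustration; the field names (eventSource, eventName, requestParameters, versionStage) follow CloudTrail's record format, and AWSPREVIOUS is the staging label Secrets Manager moves to the version that the last rotation superseded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// rules are CloudWatch Events patterns for the three alerts. Rotation outcomes
// reach CloudTrail as service events rather than API calls, so that rule does
// not pin detail-type.
var rules = map[string]string{
	"new-secret-created": `{"source": ["aws.secretsmanager"], "detail-type": ["AWS API Call via CloudTrail"],
	    "detail": {"eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["CreateSecret"]}}`,
	"rotation-succeeded": `{"source": ["aws.secretsmanager"],
	    "detail": {"eventSource": ["secretsmanager.amazonaws.com"], "eventName": ["RotationSucceeded"]}}`,
	"deprecated-version-read": `{"source": ["aws.secretsmanager"],
	    "detail": {"eventName": ["GetSecretValue"], "requestParameters": {"versionStage": ["AWSPREVIOUS"]}}}`,
}

// sampleEvents are constructed records (not real log data) that carry only the
// fields the rules inspect.
var sampleEvents = []string{
	`{"source": "aws.secretsmanager", "detail-type": "AWS API Call via CloudTrail", "detail": {"eventSource": "secretsmanager.amazonaws.com",
	    "eventName": "CreateSecret", "requestParameters": {"name": "prod/app/db"}}}`,
	`{"source": "aws.secretsmanager", "detail-type": "AWS API Call via CloudTrail", "detail": {"eventSource": "secretsmanager.amazonaws.com",
	    "eventName": "GetSecretValue", "requestParameters": {"secretId": "prod/app/db", "versionStage": "AWSPREVIOUS"}}}`,
	`{"source": "aws.secretsmanager", "detail-type": "AWS Service Event via CloudTrail", "detail": {"eventSource": "secretsmanager.amazonaws.com",
	    "eventName": "RotationSucceeded"}}`,
	`{"source": "aws.secretsmanager", "detail-type": "AWS API Call via CloudTrail", "detail": {"eventSource": "secretsmanager.amazonaws.com",
	    "eventName": "GetSecretValue", "requestParameters": {"secretId": "prod/app/db"}}}`,
}

// match applies the pattern semantics: every key in the pattern must be present
// in the event; a list means "the event's value is one of these"; a nested
// object recurses into the event's object under the same key.
func match(pattern, event map[string]interface{}) bool {
	for key, want := range pattern {
		got, ok := event[key]
		if !ok {
			return false
		}
		switch w := want.(type) {
		case []interface{}:
			if !oneOf(w, got) {
				return false
			}
		case map[string]interface{}:
			sub, ok := got.(map[string]interface{})
			if !ok || !match(w, sub) {
				return false
			}
		default:
			return false // a pattern leaf is always a list
		}
	}
	return true
}

func oneOf(allowed []interface{}, v interface{}) bool {
	for _, a := range allowed {
		if a == v {
			return true
		}
	}
	return false
}

// Classify returns the names of the rules an event matches, sorted for a
// stable result; an empty result means no alert fires.
func Classify(eventJSON string) ([]string, error) {
	var event map[string]interface{}
	if err := json.Unmarshal([]byte(eventJSON), &event); err != nil {
		return nil, err
	}
	var hits []string
	for name, ruleJSON := range rules {
		var pattern map[string]interface{}
		if err := json.Unmarshal([]byte(ruleJSON), &pattern); err != nil {
			return nil, fmt.Errorf("rule %s: %w", name, err)
		}
		if match(pattern, event) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	for _, e := range sampleEvents {
		hits, err := Classify(e)
		fmt.Println(hits, err)
	}
}
```

The fourth record, a read of the current version, matches nothing, which is the point of pinning requestParameters.versionStage in the last rule: the alert fires only for clients that explicitly ask for the superseded version.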

For more information, see Monitor the Use of Your AWS Secrets Manager Secrets in this guide. For complete information about CloudWatch, see the Amazon CloudWatch User Guide. For complete information about CloudWatch Events, see the Amazon CloudWatch Events User Guide.

Encrypting Your Secrets with AWS KMS

Secrets Manager uses the trusted, industry-standard Advanced Encryption Standard (AES) encryption algorithm (FIPS 197) to encrypt your secrets, with keys provided by AWS Key Management Service (AWS KMS), in an envelope-encryption scheme. When you create a new version of a secret, Secrets Manager asks AWS KMS to generate a new data key under the customer master key (CMK) associated with the secret (by default, the AWS managed key aws/secretsmanager). The data key is a 256-bit symmetric AES key, and AWS KMS returns it in two forms: a plaintext copy and a copy encrypted under the CMK. Secrets Manager uses the plaintext data key to encrypt the secret value and stores only the encrypted data key, in the metadata of the secret version; every version gets its own data key.

When you later ask Secrets Manager to retrieve the secret value, it reads the encrypted data key from the version metadata, asks AWS KMS to decrypt that data key with the associated CMK, and then uses the decrypted data key to decrypt the secret value. Secrets Manager never stores a data key in plaintext, and it removes the plaintext data key from memory as soon as the encryption or decryption operation is complete. Because these AWS KMS calls are made on behalf of the caller, a principal that uses a customer managed CMK needs kms:GenerateDataKey (to create or update secret values) and kms:Decrypt (to retrieve them) on that CMK in addition to the Secrets Manager permissions; the default aws/secretsmanager key grants these through its own key policy.
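The envelope-encryption flow described above, written out as an added example in Go (this is not Secrets Manager's own code). AWS KMS is replaced by an in-memory stand-in that wraps data keys with AES-256-GCM under a single master key so the example runs offline; the secret ARN is used as the encryption context on both the GenerateDataKey and the Decrypt call, which is also how the real service ties a data key to its secret. The type and function names, the version layout, the account id and the secret ARN are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is the slice of the AWS KMS API that Secrets Manager depends on. The
// encryption context (here the secret ARN) must be identical on both calls.
type KMS interface {
	GenerateDataKey(context string) (plaintext, encrypted []byte, err error)
	Decrypt(encrypted []byte, context string) ([]byte, error)
}

// memoryKMS is an in-memory stand-in for one customer master key (assumption,
// for offline use). It wraps data keys with AES-256-GCM under the CMK and
// authenticates the encryption context as associated data, as KMS does.
type memoryKMS struct{ cmk []byte }

func newMemoryKMS() *memoryKMS { return &memoryKMS{cmk: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns nonce||ciphertext and open reverses it; both authenticate aad.
// Keys are always 32 bytes here, so the AES-GCM constructors cannot fail.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func (m *memoryKMS) GenerateDataKey(context string) ([]byte, []byte, error) {
	dataKey := randomBytes(32) // 256-bit AES key, as Secrets Manager requests
	return dataKey, seal(m.cmk, dataKey, []byte(context)), nil
}

func (m *memoryKMS) Decrypt(encrypted []byte, context string) ([]byte, error) {
	return open(m.cmk, encrypted, []byte(context))
}

// SecretVersion is what is persisted per version: the encrypted data key in
// the version metadata and the value encrypted under it; no plaintext key.
type SecretVersion struct {
	SecretARN        string
	EncryptedDataKey []byte
	Ciphertext       []byte
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// PutSecretValue is the write path: a fresh data key per version, wiped as
// soon as the value has been encrypted.
func PutSecretValue(k KMS, secretARN string, value []byte) (*SecretVersion, error) {
	dataKey, encKey, err := k.GenerateDataKey(secretARN)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	ct := seal(dataKey, value, []byte(secretARN))
	return &SecretVersion{SecretARN: secretARN, EncryptedDataKey: encKey, Ciphertext: ct}, nil
}

// GetSecretValue is the read path: unwrap the data key through KMS, decrypt
// the value, and discard the plaintext key again.
func GetSecretValue(k KMS, v *SecretVersion) ([]byte, error) {
	dataKey, err := k.Decrypt(v.EncryptedDataKey, v.SecretARN)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	return open(dataKey, v.Ciphertext, []byte(v.SecretARN))
}

func main() {
	kms := newMemoryKMS()
	arn := "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/app/db-AbCdEf"
	v, _ := PutSecretValue(kms, arn, []byte(`{"username":"admin","password":"hunter2"}`))
	pt, err := GetSecretValue(kms, v)
	fmt.Printf("recovered %s (err=%v)\n", pt, err)
}
```

Two properties of the scheme are worth checking when you reason about a stored version: a version copied to a different secret ARN, or presented to a different CMK, fails to unwrap because the encryption context and the master key are both authenticated, and any modification of the stored ciphertext is rejected by GCM rather than yielding garbage.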

For more information, see How AWS Secrets Manager Uses AWS KMS in the AWS Key Management Service Developer Guide.

Retrieving Your Secrets with the Parameter Store APIs

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. However, Parameter Store doesn't provide automatic rotation for the secrets it stores. Instead, Parameter Store lets you keep the secret in Secrets Manager and reference it through a parameter name that begins with /aws/reference/secretsmanager/ followed by the secret's name or ARN. A GetParameter call for that name with decryption requested returns the current version of the secret value. The caller must have secretsmanager:GetSecretValue permission on the referenced secret; Parameter Store does not bypass the secret's own access control.

For more information, see Referencing AWS Secrets Manager Secrets from Parameter Store Parameters in the AWS Systems Manager User Guide.