What is AWS Secrets Manager?
AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. Many AWS services store and use secrets in Secrets Manager.
Secrets Manager helps you improve your security posture, because you no longer need hard-coded credentials in application source code. Storing the credentials in Secrets Manager helps avoid possible compromise by anyone who can inspect your application or the components. You replace hard-coded credentials with a runtime call to the Secrets Manager service to retrieve credentials dynamically when you need them.
With Secrets Manager, you can configure an automatic rotation schedule for your secrets. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. Since the credentials are no longer stored with the application, rotating credentials no longer requires updating your applications and deploying changes to application clients.
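The runtime retrieval described above, as an added example that is not from the AWS documentation: a small cache around GetSecretValue that parses the JSON structure Secrets Manager uses for database secrets, and refreshes the cached value once when the database rejects the old password after a rotation. The `fetch` callable is an injection point (assumed here so the logic runs offline); the real fetch wraps boto3, and `PermissionError` stands in for whatever auth exception the caller's database driver raises.

```python
import json
import time
from typing import Callable, Optional


def boto3_fetch(secret_id: str) -> dict:
    """Real fetch: one GetSecretValue call (requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the module loads without boto3 installed
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)


def parse_secret_value(resp: dict) -> dict:
    """Decode a GetSecretValue response: string secrets hold JSON, binary ones raw bytes."""
    if "SecretString" in resp:
        return json.loads(resp["SecretString"])
    return {"binary": resp["SecretBinary"]}


class SecretCache:
    """Caches one secret for `ttl` seconds so each request does not call the API.

    After rotation the cached password is stale; the caller reports an auth failure
    via invalidate() and the next get() fetches the new AWSCURRENT version.
    """
    def __init__(self, secret_id: str, fetch: Callable[[str], dict] = boto3_fetch,
                 ttl: float = 300.0):
        self.secret_id, self.fetch, self.ttl = secret_id, fetch, ttl
        self._value: Optional[dict] = None
        self._fetched_at = 0.0
        self.fetch_count = 0  # how many times the API was actually called

    def get(self) -> dict:
        if self._value is None or time.monotonic() - self._fetched_at > self.ttl:
            self._value = parse_secret_value(self.fetch(self.secret_id))
            self._fetched_at = time.monotonic()
            self.fetch_count += 1
        return self._value

    def invalidate(self) -> None:
        self._value = None


def connect_with_retry(cache: SecretCache, connect: Callable[[dict], object]) -> object:
    """Use cached credentials; if the database rejects them, refresh once and retry."""
    try:
        return connect(cache.get())
    except PermissionError:  # hypothetical: the DB driver's auth error, mapped by the caller
        cache.invalidate()
        return connect(cache.get())
```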
For other types of secrets you might have in your organization:
- AWS credentials – We recommend AWS Identity and Access Management.
- Encryption keys – We recommend AWS Key Management Service.
- SSH keys – We recommend Amazon EC2 Instance Connect.
- Private keys and certificates – We recommend AWS Certificate Manager.
Get started with Secrets Manager
If you are new to Secrets Manager, start with AWS Secrets Manager concepts or one of the following tutorials:
Other tasks you can do with secrets:
Compliance with standards
AWS Secrets Manager has undergone auditing for multiple standards and can be part of your solution when you need to obtain compliance certification. For more information, see Compliance validation for AWS Secrets Manager.
Pricing
When you use Secrets Manager, you pay only for what you use, with no minimum or setup fees. There is no charge for secrets that are marked for deletion. For the current complete pricing list, see AWS Secrets Manager Pricing.
You can use the AWS managed key aws/secretsmanager that Secrets Manager creates to encrypt your secrets for free. If you create your own KMS keys to encrypt your secrets, AWS charges you at the current AWS KMS rate. For more information, see AWS Key Management Service Pricing.
When you turn on automatic rotation (except managed rotation), Secrets Manager uses an AWS Lambda function to rotate the secret, and you are charged for the rotation function at the current Lambda rate. For more information, see AWS Lambda Pricing.
If you enable AWS CloudTrail on your account, you can obtain logs of the API calls that Secrets Manager sends out. Secrets Manager logs all events as management events. AWS CloudTrail stores the first copy of all management events for free. However, you can incur charges for Amazon S3 for log storage and for Amazon SNS if you enable notifications. Also, if you set up additional trails, the additional copies of management events can incur costs. For more information, see AWS CloudTrail Pricing.
AWS services that use AWS Secrets Manager secrets
AWS App Runner – See Referencing environment variables and Managing environment variables in the AWS App Runner Developer Guide.
AWS App2Container – See Manage secrets for AWS App2Container in the AWS App2Container User Guide.
AWS AppConfig – See Creating a freeform configuration profile in the AWS AppConfig User Guide.
Amazon AppFlow – See AWS Secrets Manager secrets managed by other AWS services.
AWS AppSync – See Tutorial: Aurora Serverless in the AWS AppSync Developer Guide.
Amazon Athena – See Using Amazon Athena Federated Query in the Amazon Athena User Guide.
AWS CodeBuild – See Private registry with AWS Secrets Manager sample for CodeBuild in the AWS CodeBuild User Guide.
AWS DataSync – See AWS Secrets Manager secrets managed by other AWS services.
Amazon DataZone – See Create a data source for an Amazon Redshift database using a new AWS Glue connection in the Amazon DataZone User Guide.
AWS Direct Connect – See AWS Secrets Manager secrets managed by other AWS services.
AWS Directory Service – See Seamlessly join a Linux EC2 instance to your AWS Managed Microsoft AD directory, Seamlessly join a Linux EC2 instance to your AD Connector directory, and Seamlessly join a Linux EC2 instance to your Simple AD directory in the AWS Direct Connect User Guide.
Amazon DocumentDB (with MongoDB compatibility) – See Create an AWS Secrets Manager database secret and Managing Amazon DocumentDB Users in the Amazon DocumentDB Developer Guide.
AWS Elastic Beanstalk – See Docker configuration in the AWS Elastic Beanstalk Developer Guide.
Amazon Elastic Container Service – See Tutorial: Specifying sensitive data using Secrets Manager secrets, Retrieve secrets programmatically through your application, Retrieve secrets through environment variables, Retrieve secrets for logging configuration, Tutorial: Using FSx for Windows File Server file systems with Amazon ECS, FSx for Windows File Server volumes, and Private registry authentication for tasks in the Amazon Elastic Container Service Developer Guide.
Amazon ElastiCache – See Automatically rotating passwords for users in the Amazon ElastiCache User Guide.
AWS Elemental Live – See How delivery from AWS Elemental Live to MediaConnect works at runtime in the Elemental Live User Guide.
AWS Elemental MediaConnect – See Static key encryption in AWS Elemental MediaConnect in the AWS Elemental MediaConnect User Guide.
AWS Elemental MediaConvert – See Using Kantar for audio watermarking in AWS Elemental MediaConvert outputs in the AWS Elemental MediaConvert User Guide.
AWS Elemental MediaPackage – See Secrets Manager access for CDN authorization in the AWS Elemental MediaPackage User Guide.
AWS Elemental MediaTailor – See Configuring AWS Secrets Manager access token authentication in the AWS Elemental MediaTailor User Guide.
Amazon EMR running on Amazon EC2 – See Store sensitive configuration data in Secrets Manager and Add a Git-based Repository to Amazon EMR in the Amazon EMR Management Guide.
EMR Serverless – See Secrets Manager for data protection with EMR Serverless in the Amazon EMR Serverless User Guide.
Amazon EventBridge – See AWS Secrets Manager secrets managed by other AWS services.
Amazon FSx – See File shares and Migrating file share configurations to Amazon FSx in the Amazon FSx for Windows File Server User Guide.
AWS Glue DataBrew – See AWS Secrets Manager secrets managed by other AWS services.
AWS Glue Studio – See Tutorial: Using the AWS Glue Connector for Elasticsearch in the AWS Glue Developer Guide.
AWS IoT SiteWise – See Configuring data source authentication in the AWS IoT SiteWise User Guide.
Amazon Kendra – See Using a database data source in the Amazon Kendra User Guide.
Amazon Kinesis Video Streams – See Deploy the Amazon Kinesis Video Streams Edge Agent to AWS IoT Greengrass in the Amazon Kinesis Video Streams Developer Guide.
AWS Launch Wizard – See Set up for AWS Launch Wizard for Active Directory in the AWS Launch Wizard User Guide.
Amazon Lookout for Metrics – See Using Amazon RDS with Lookout for Metrics and Using Amazon Redshift with Lookout for Metrics in the Amazon Lookout for Metrics Developer Guide.
Amazon Managed Grafana – See Configuring Amazon Redshift in the Amazon Managed Grafana User Guide.
AWS Managed Services – See AWS Secrets Manager (AMS self-service provisioning) in the AMS Advanced User Guide.
Amazon Managed Streaming for Apache Kafka – See Username and password authentication with AWS Secrets Manager in the Amazon Managed Streaming for Apache Kafka Developer Guide.
Amazon Managed Workflows for Apache Airflow – See Configuring an Apache Airflow connection using a Secrets Manager secret and Using a secret key in AWS Secrets Manager for an Apache Airflow variable in the Amazon Managed Workflows for Apache Airflow User Guide.
AWS Migration Hub – See Migrate SAP NetWeaver applications to AWS and Rehost applications on Amazon EC2 in the AWS Migration Hub Orchestrator User Guide.
AWS OpsWorks for Chef Automate – See AWS Secrets Manager secrets managed by other AWS services.
AWS Panorama – See Managing camera streams in AWS Panorama in the AWS Panorama Developer Guide.
AWS ParallelCluster – See Integrating Active Directory in the AWS ParallelCluster User Guide.
Amazon QuickSight – See Using AWS Secrets Manager secrets in place of database credentials in Amazon QuickSight in the Amazon QuickSight User Guide.
Amazon RDS – See AWS Secrets Manager secrets managed by other AWS services.
Amazon Redshift – See Create an AWS Secrets Manager database secret, Storing database credentials in AWS Secrets Manager, Using the Amazon Redshift Data API, and Querying a database using the query editor in the Amazon Redshift Management Guide.
Amazon Redshift query editor v2 – See AWS Secrets Manager secrets managed by other AWS services.
Amazon SageMaker – See Associate Git Repositories with Amazon SageMaker Notebook Instances, Import data from Databricks (JDBC), and Import data from Snowflake in the Amazon SageMaker Developer Guide.
AWS Schema Conversion Tool – See Using AWS Secrets Manager in the AWS SCT user interface in the AWS Schema Conversion Tool User Guide.
AWS Toolkit for JetBrains – See Accessing Amazon Redshift clusters in the AWS Toolkit for JetBrains User Guide.
AWS Transfer Family – See Basic authentication for AS2 connectors, Working with custom identity providers, and Generate and manage PGP keys in the AWS Transfer Family User Guide.
AWS Wickr – See Start the data retention bot in the AWS Wickr Administration Guide.