Prevent AWS Secrets Manager replication


Secrets can be replicated either by calling ReplicateSecretToRegions or at creation time by calling CreateSecret. To prevent users from replicating secrets, we recommend that you block any action that contains the AddReplicaRegions parameter. You can use a Condition statement in your permission policies to allow only actions that don't add replica Regions. The following policy examples show Condition statements you can use.

Example Prevent replication permission

The following policy example shows how to allow all actions that don't add replica regions. This prevents users from replicating secrets through both ReplicateSecretToRegions and CreateSecret.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "secretsmanager:AddReplicaRegions": "true"
        }
      }
    }
  ]
}

Example Allow replication permission only to specific Regions

The following policy shows how to allow all of the following:

  • Create secrets without replication

  • Create secrets with replication to Regions only in United States and Canada

  • Replicate secrets to Regions only in United States and Canada

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:ReplicateSecretToRegions"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringLike": {
          "secretsmanager:AddReplicaRegions": [
            "us-*",
            "ca-*"
          ]
        }
      }
    }
  ]
}
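
The following Python sketch is an added example, not part of the AWS documentation. It models how the two Condition blocks above evaluate against sample requests, including why the second policy still allows CreateSecret without replication. It is a simplified model of the Null and ForAllValues:StringLike operators only, not AWS's policy evaluator, and the function names and request contexts are constructed for illustration.

```python
import re

KEY = "secretsmanager:AddReplicaRegions"
# Condition blocks copied from the two policies on this page.
PREVENT = {"Null": {KEY: "true"}}
US_CA_ONLY = {"ForAllValues:StringLike": {KEY: ["us-*", "ca-*"]}}

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' is any run, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def condition_matches(condition, context):
    """Simplified model of the two operators above. context maps a condition
    key to the list of values sent; a missing key was not in the request."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = context.get(key)
            if operator == "Null":
                # "true" matches only when the key is absent from the request.
                ok = (values is None) == (expected == "true")
            elif operator == "ForAllValues:StringLike":
                # Every supplied value must match some pattern; an absent key
                # is an empty set, so the test passes vacuously.
                ok = all(any(string_like(p, v) for p in expected)
                         for v in (values or []))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

# Constructed request contexts: the replica Regions each call asks for.
REQUESTS = {
    "CreateSecret, no replicas": {},
    "replicate to us-west-2": {KEY: ["us-west-2"]},
    "replicate to ca-central-1 and eu-west-1": {KEY: ["ca-central-1", "eu-west-1"]},
}

def evaluate_all():
    """Return {request: (matches PREVENT, matches US_CA_ONLY)}."""
    return {name: (condition_matches(PREVENT, ctx),
                   condition_matches(US_CA_ONLY, ctx))
            for name, ctx in REQUESTS.items()}

if __name__ == "__main__":
    for name, (prevent, us_ca) in evaluate_all().items():
        print(f"{name:42} prevent={prevent!s:5} us_ca_only={us_ca}")
```

A result of False means the Allow statement grants nothing for that request; any other attached policy that allows the action still applies.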
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.