The Complete 2023 Guide to AWS Secrets Manager

Every organization has secrets – from database passwords and API keys to encryption tokens and SSH keys. Safeguarding these secrets is now a top priority in today‘s data-driven world. Especially as threats from both external attackers and malicious insiders continue rising at an alarming rate:

  • Data breaches grew 68% in 2022, exposing over 23 billion records.
  • 95% of cybersecurity incidents involve human error like hardcoded secrets in code or config files.
  • Compromised secrets remain the root cause for a staggering 80% of data breaches.

These stats highlight why a dedicated secrets management strategy is now imperative for security teams. But building custom encryption and access controls is complex, costly, and still leaves gaps.

This is where AWS Secrets Manager comes in…

What is AWS Secrets Manager?

AWS Secrets Manager provides a fully-managed service to securely store, distribute, and audit access to tokens, passwords, API keys, and other secrets. Instead of reinventing the wheel, you can leverage Secrets Manager‘s baked-in capabilities like:

✅ Military-grade encryption using KMS

✅ Fine-grained access policies and multi-factor authentication

✅ Automated secret rotation on a custom schedule

✅ Native integrations with RDS, Redshift, Lambda, EKS and more

✅ Detailed monitoring and audit trails

✅ Achieve compliance requirements like HIPAA, PCI DSS out-of-the-box

With Secrets Manager, you no longer need to hardcode secrets in apps or IT resources. Instead applications authenticate via Secrets Manager to retrieve secrets at runtime. This reduces your attack surface and enables easier lifecycle management as secrets naturally evolve.

Key users of Secrets Manager span banking, insurance, healthcare, retail, and technology – essentially any regulated industry dealing with sensitive data. Its ability to offload undifferentiated security infrastructure makes Secrets Manager hugely compelling both for security and for developer velocity.

In this comprehensive guide, we‘ll cover:

  • Capabilities – Encryption, access control, rotation, audit features
  • Integrations – Using Secrets Manager with other AWS services
  • Use Cases – Common ways orgs leverage Secrets Manager
  • Best Practices – Ensuring security, compliance, and governance
  • Pricing – Cost model and optimization techniques

Let‘s get started!

AWS Secrets Manager Capabilities

Secrets Manager provides a Swiss Army knife of integrated capabilities purpose-built for secrets management lifecycles:

Secrets Manager architecture

Secret Storage and Management

The base foundation of Secrets Manager is securely storing secrets and making them easily consumable to authorized entities. Developers simply reference secrets via API instead of hardcoding credentials.

It offers simple APIs and tools to:

  • Create, update, retrieve secrets
  • Control permissions to specific secrets
  • Reference secrets from apps, Lambda functions, containers
  • Replicate secrets across AWS regions
  • Search catalog of existing secrets

Secrets can be up to 10KB – ample room for credentials, certificates, encryption keys etc.

Encryption and Access Controls

Secrets Manager provides defense-in-depth via multiple security safeguards:


All secrets are encrypted at rest via KMS keys. You can choose default Secrets Manager keys or custom KMS keys for added control. Encryption secures secrets throughout their lifecycle.

Access Control

Granular IAM, resource, and session policies control all access to secrets. For example, Developer roles may only view certain secrets while Admin roles can rotate them. MFA provides additional verification.

Secret Permissions

By default new secrets inherit their creator‘s permissions. You can optionally define inline resource policies to override this allowing cross-account secret access.

Separation of Duties

Special purpose rotation Lambda functions run with minimal privileges. They can rotate but not view secret contents.

Combined, these mechanisms ensure secrets stay protected.

Secret Rotation

Manually tracking passwords and keys is difficult. Secrets Manager offers fully automated rotation to simplify lifecycle management.

Secret Rotation

Here‘s an overview:

✅ Set rotation schedule (30, 60, or 90 days)

✅ Special Lambda rotates secret on schedule

✅ New secret version deployed with staging label

✅ Backend validation via test connectivity

✅ Rotate staging label to AWSCURRENT on success

✅ Previous secret still available as AWSPREVIOUS

This hands-free approach reduces risk from stale secrets. You also meet compliance mandates requiring periodic rotation.

Secret Monitoring

Understanding exactly how secrets are accessed instills trust. Secrets Manager delivers complete visibility leveraging other AWS services:

CloudTrail logs all console and API access to secrets. Detailed event history for compliance.

CloudWatch creates alarms on secret deletion, rotation events etc.

EventBridge streams secret access events to other tools like Splunk or PagerDuty.

Dashboards, alerts, and audit trails provide 24/7 visibility into secret usage.

Integrations with Other AWS Services

Secrets Manager integrates natively with over 60 other AWS services simplifying secrets management for apps hosted on AWS.

Secrets Manager Integrations

Some examples include:

Amazon RDS and Aurora

Securely rotate database credentials and easily manage permissions for apps to retrieve connections strings from Secrets Manager instead of hardcoding in config files.

AWS Lambda

Serverless applications running on Lambda can authenticate to backend systems using temporary credentials from Secrets Manager without embedding any long-term secrets in function code.

Amazon ECS and EKS

Launch Docker containers with secrets from Secrets Manager using task roles and IAM policies. Eliminate secrets sprawl across fleets of containers.

AWS DataSync

Simple mechanism to replicate large datasets across accounts without exposing credentials across accounts.

The list continues with Amazon Redshift, SageMaker, CodeBuild and more. Deep integration with AWS environments makes adoption seamless.

Now let‘s look at some real-world examples and use cases.

Common Use Cases

Virtually every modern application deals with secrets – whether for authenticating to databases or APIs, launching microservices, managing SSH keys etc.

Here are some typical use cases we see customers adopting Secrets Manager for:

Database Credentials Management

Safely store RDS passwords, Redshift creds etc and setup automated rotation on 30/60/90 day intervals. Applications authenticate via Secrets Manager instead of hardcoded credentials.

API Keys for External Services

Manage and rotate API keys used to invoke AWS services (KMS, SQS), B2B APIs (Stripe, Twilio) or SaaS applications without embedding secrets in code.

SSH Keys for Server Fleet Access

Centrally manage, rotate, and audit SSH keys for fleets of EC2 instances. No more SSH sprawl.

Service Tokens for Microservices

Microservices use signed JWT tokens to authenticate requests between services. Secrets Manager provides for secure token generation/validation.

Lambda Access to Resources

Serverless applications use temporary creds from Secrets Manager to access resources like databases, avoiding embedding permanent keys in function code.

CI/CD Pipeline Credentials

Inject credentials into build/deploy pipelines via Secrets Manager rather than managing credentials directly in Jenkins, GitHub Actions etc.

We consistently see these as the most common scenarios. But nearly any secret can benefit from the security, lifecycle management, and governance of Secrets Manager.

Now let‘s shift gears to best practices.

Best Practices for Secrets Management

While capabilities like encryption and rotation provide strong security controls – people, process, and platform factors also heavily influence your risk exposure.

Here are critical best practices that holistically improve secrets management:

Align to a Zero Trust Model

Treat all secrets requests – whether from users, workloads, or configurations – as untrusted by default. Strictly verify identity, authorize access, and encrypt in transit/at rest via microsegmentation, fine-grained policies and MFA.

Apply Principle of Least Privilege

Segment access to only necessary secrets via IAM or resource policies instead of overprovisioning permissions to roles or groups.

Enforce Separation of Duties

Segregate privileges between Security/DevOps teams to embed checks and balances. Limit access to KMS keys or rotation functions.

Implement Consistent Secret Tagging Standards

Logically organize secrets by tagging with attributes like owning application, environment (dev/prod), severity level etc. Ensure discoverability and lifecycle oversight.

Mandate Audit Logging and Alerting

Centrally collect CloudTrail/CloudWatch logs for user access, secret rotation etc. Alert on anomalies and feed logs to analytics tools.

Perform Proactive Secret Hygiene Checks

Script audits to validate secrets meet naming standards, correct KMS encryption, and appropriate rotation schedules. Fail early instead of during audit.

Building a disciplined secrets management program significantly reduces risk far beyond just using Secrets Manager features. Prioritizing people, process and technology moves you closer to a "secure by default" posture.

Up next we‘ll explore how Secrets Manager aids compliance and audit support.

Secrets Manager for Monitoring, Audit, and Compliance

Maintaining compliance with regulations like HIPAA, PCI DSS, and SOC2 requires controlling access to regulated data and providing detailed audit trails.

By centralizing storage, lifecycle management, and access policies for secrets, Secrets Manager inherently helps organizations meet strict compliance controls such as:

Compliance Standards

Encryption to Safeguard Regulated Data

KHMS keys encrypt all secrets throughout their lifecycle per encryption requirements in frameworks like SOC2, ISO27001, and PCI DSS.

Access Control and Least Privilege

Granular IAM policies restrict access to only necessary personnel based on role. Critical for data protection regulations.

Change Monitoring and Event Notification

CloudTrail, EventBridge, and CloudWatch provide alerts on secret changes so issues can be swiftly investigated.

Audit Trails and Reporting

CloudTrail logs detail who accessed what secrets and when across all AWS regions for historical audit and analysis.

Standards Validation

Configure AWS Config rules to continually validate secrets meet naming, tagging, rotation, and encryption standards.

Investing in secrets management and governance upfront saves tremendous pain later during audit prep and remediation. It also helps instill customer trust that their data is responsibly managed.

Pricing and Cost Optimization

AWS Secrets Manager pricing follows a pay-per-secret model based on monthly active secrets:

Tier Monthly Active Secrets Price Per Secret
0-10 secrets $0.40
11-100 secrets $0.30
101-250 secrets $0.27
251-500 secrets $0.24
500+ secrets Custom Pricing

So for example 50 active secrets would incur a monthly charge of $15 (50 * $0.30).

You only pay for secrets you actively use vs. total stored secrets. As your usage grows, volume discounts kick in.

Here are some best practices to optimize spend:

  • Use resource tags to right-size instances and scale down unused capacity
  • Set up CloudWatch alarms for spend thresholds
  • Leverage AWS Budgets to plan costs and receive alerts
  • Utilize Cost Explorer to visualize spend trends and identify opportunities to reduce usage

While Secrets Manager requires additional infrastructure, the security and engineer productivity benefits easily warrant the incremental costs.

The Future of Secrets Management

Safeguarding secrets only grows more critical as applications become increasingly dynamic and distributed into hybrid environments spanning multiple public clouds and private data centers.

Some innovations I expect to see in secrets management include:

Embedded Secrets Protection – Compile-time and runtime protections to prevent hardcoded secrets in modern tech stacks like Kubernetes, serverless and containers.

Dynamic Secret Generation – On-demand ephemeral secrets tailored to the exact needs of short-lived functions and workloads.

Cross-Platform Abstraction – Unified secrets API spanning across AWS, Azure, GCP and on-prem Key Management Systems.

GitOps Integration – Native secrets management tightly integrated into developer Git workflows and CI/CD pipelines.

Risk-Adaptive Controls – Dynamic secret permissions and rotation frequency adjusted based on AI assessment of access patterns and threat exposure.

While AWS Secrets Manager delivers robust capabilities today, I anticipate even more advanced functionality arriving soon to keep simplifying secrets management in the future as part of a defense-in-depth strategy.

Key Takeaways

Here are my biggest recommendations regarding AWS Secrets Manager:

Adopt Secrets Manager to increase security and reduce risk of compromised credentials or keys. The automation frees up cycles previously spent on homegrown encryption and rotation.

Apply least privilege controls via IAM or resource policies instead of overprovisioning access or using one master key.

Enable rotation consistently across all eligible secrets to reduce exposure of stale credentials.

Layer in monitoring and audit trails via CloudWatch and CloudTrail to detect anomalous secret access attempts early.

Operationalize secret hygiene checks on an ongoing basis to validate secrets meet security standards, tagging conventions etc proactively instead of waiting for audit findings.

Right size secret storage by deprovisioning unused secrets. Referring fewer total secrets reduces costs.

Prioritizing secrets management lifts an enormous burden off security and developer teams. AWS Secrets Manager capably handles the undifferentiated heavy lifting to secure secrets while providing clean abstraction and governance.

What approaches have you found effective for managing secrets? Are there additional capabilities or integrations you‘d like to see in Secrets Manager? I welcome your thoughts and feedback below!