AWS Secrets Manager Features

AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (AWS KMS). 

• When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment.
• Secrets Manager integrates with AWS Identity and Access Management (IAM) to control access to the secret using fine-grained IAM policies and resource-based policies.

With AWS Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI. 

• Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB and clusters hosted on Amazon Redshift.
  
• You can extend Secrets Manager to rotate secrets used with other AWS or 3P services by modifying sample Lambda functions.

With AWS Secrets Manager, you can automatically replicate your secrets to multiple AWS Regions to meet your unique disaster recovery and cross-regional redundancy requirements. Specify the AWS Regions where a secret needs to be replicated and Secrets Manager will securely create regional read replicas, eliminating the need to maintain a complex solution for this functionality. You can give your multi-Region applications access to replicated secrets in the required Regions and rely on Secrets Manager to keep the replicas in sync with the primary secret.

Build your applications with security of secrets top of mind.

• Secrets Manager provides code samples to call Secrets Manager APIs from common programming languages. There are two types of APIs to retrieve secrets:
  • Retrieve a single secret by name or ARN.
  • Retrieve a group of secrets by providing a list of names or ARNs, or filter criteria such as tags.
• Configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network.
• You can also use Secrets Manager client-side caching libraries to improve availability and reduce latency during secrets retrieval.

AWS Secrets Manager enables you to audit and monitor secrets through integration with AWS logging, monitoring, and notification services. For example, after enabling AWS CloudTrail for an AWS Region, you can audit when a secret is created or rotated by viewing AWS CloudTrail logs. Similarly, you can configure Amazon CloudWatch to receive email messages using Amazon Simple Notification Service when secrets remain unused for a period, or you can configure Amazon CloudWatch Events to receive push notifications when Secrets Manager rotates your secrets.

You can use AWS Secrets Manager to meet compliance requirements.

• Use AWS Config Rules to help you verify that your secrets are configured in accordance with your organization’s security and compliance requirements.
• Manage secrets for workloads that are subject to Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG IL2, DoD CC SRG IL4, and DoD CC SRG IL5), Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), Outsourced Service Provider’s Audit Report (OSPAR), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO 9001, Payment Card Industry Data Security Standard (PCI-DSS), or System and Organization Control (SOC).
• View details of AWS’s compliance program and report in AWS Artifact.

AWS services integrate with Secrets Manager to securely manage your credentials. These integrations help you securely exchange credentials with various AWS services. The credentials stored in Secrets Manager are encrypted either using AWS managed KMS keys or customer managed keys. Secrets Manager rotates secrets periodically to keep the security bar high. Once your secrets are stored with Secrets Manager, you will be able to provide the ARN of a secret instead of a plain text credential to an AWS service. The following services offer Secrets Manager support for customers to securely exchange credentials: