🔶

AWS Secrets Manager

Overview

  • Managed service purpose-built for secure storage, rotation, and retrieval of secrets.
  • Suitable for sensitive values such as passwords, API keys, database credentials, and tokens.
  • All secrets are encrypted at rest using AWS KMS, either the AWS managed key aws/secretsmanager (the default) or a customer managed key you specify.

Key Features

  • Automatic Secret Rotation
    • Schedule rotation at a defined interval (e.g., every 30 days).
    • Rotation logic runs in an AWS Lambda function that Secrets Manager invokes once per step: createSecret, setSecret, testSecret, finishSecret.
    • Supports RDS, Aurora, Redshift, DocumentDB, and custom rotation workflows.
  • Automated Secret Generation
    • The rotation function generates a new credential programmatically (e.g., via GetRandomPassword) and stores it as a new secret version labelled AWSPENDING.
    • It then sets the new credential on the service that uses it (e.g., an RDS DB instance), tests it, and only then promotes that version to AWSCURRENT.
  • Deep RDS Integration
    • AWS-provided rotation templates cover the RDS engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora.
    • Rotation changes the credential in the database itself. Applications are not pushed the new value: they must call GetSecretValue again (caching clients refresh on a TTL or on an authentication failure).
  • Access Control & Auditing
    • Permissions managed via IAM identity policies, resource-based policies attached to the secret, and the key policy of the KMS key; with a customer managed key a caller needs kms:Decrypt in addition to secretsmanager:GetSecretValue.
    • Every API call, including GetSecretValue, is logged in AWS CloudTrail, which records who retrieved which secret and when, but never the secret value.
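
The four-step rotation described above, as an added Python example (not code from this page or from AWS): a single-user rotation handler in the shape Secrets Manager expects, driven against constructed in-memory stand-ins for the Secrets Manager client and the target database so that it runs offline. The ARN, the FakeSecretsManager and FakeDatabase classes, the start_rotation helper and the ResourceNotFoundException class are assumptions of the example; a deployed function would use boto3.client("secretsmanager"), its exceptions.ResourceNotFoundException, and a real database driver. The point to watch is the ordering: the database password is changed and tested while the new version is still AWSPENDING, and AWSCURRENT moves only in finishSecret, so a test failure leaves the old credential in place.

```python
"""Single-user rotation handler for AWS Secrets Manager, runnable offline.
The service calls the rotation Lambda once per step (createSecret, setSecret, testSecret,
finishSecret). The new credential sits in a version labelled AWSPENDING until finishSecret moves
AWSCURRENT onto it. FakeSecretsManager and FakeDatabase are constructed stand-ins, not AWS code."""
import json
import secrets
import string

SECRET_ID = "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo/db"  # hypothetical ARN

class ResourceNotFoundException(Exception):
    pass  # stands in for the botocore error raised when a version or stage is missing

class FakeSecretsManager:
    """Mimics the boto3 calls used below; store is version id -> [value or None, staging labels]."""
    def __init__(self, current_value):
        self.versions = {"v0": [json.dumps(current_value), ["AWSCURRENT"]]}
    def start_rotation(self, token):
        self.versions[token] = [None, ["AWSPENDING"]]  # the service registers the id before createSecret
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, (_, s) in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT", VersionId=None):
        for vid, (value, stages) in self.versions.items():
            if VersionStage in stages and value is not None and VersionId in (None, vid):
                return {"SecretString": value, "VersionId": vid}
        raise ResourceNotFoundException(f"no value labelled {VersionStage} on {SecretId}")
    def get_random_password(self, PasswordLength=32, ExcludeCharacters=""):
        pool = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in ExcludeCharacters]
        return {"RandomPassword": "".join(secrets.choice(pool) for _ in range(PasswordLength))}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, list(VersionStages)]
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1].remove(VersionStage)
        self.versions[MoveToVersionId][1].append(VersionStage)
        if VersionStage == "AWSCURRENT":  # the service relabels the demoted version AWSPREVIOUS
            for _, stages in self.versions.values():
                if "AWSPREVIOUS" in stages:
                    stages.remove("AWSPREVIOUS")
            self.versions[RemoveFromVersionId][1].append("AWSPREVIOUS")

class FakeDatabase:
    """Target DB stand-in; accept_changes=False models a DB that silently ignores the change."""
    def __init__(self, username, password, accept_changes=True):
        self.passwords, self.accept_changes = {username: password}, accept_changes
    def set_password(self, username, new_password):
        if self.accept_changes:
            self.passwords[username] = new_password
    def authenticate(self, username, password):
        return self.passwords.get(username) == password

def lambda_handler(event, context, sm, db):
    """Rotation entry point; sm and db would be module-level clients in a deployed function."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} has no staging label on {arn}")
    if "AWSCURRENT" in stages[token]:
        return  # rotation already finished; the service retried a stale invocation
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING on {arn}")

    def pending():
        return json.loads(sm.get_secret_value(
            SecretId=arn, VersionId=token, VersionStage="AWSPENDING")["SecretString"])
    if step == "createSecret":
        try:
            pending()  # an interrupted earlier attempt already staged a value: keep it
        except ResourceNotFoundException:
            new = json.loads(sm.get_secret_value(SecretId=arn)["SecretString"])  # copy of AWSCURRENT
            new["password"] = sm.get_random_password(
                PasswordLength=32, ExcludeCharacters="/@\"'\\")["RandomPassword"]
            sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(new), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        cred = pending()
        db.set_password(cred["username"], cred["password"])  # DB changes first, AWSCURRENT last
    elif step == "testSecret":
        cred = pending()
        if not db.authenticate(cred["username"], cred["password"]):
            raise RuntimeError("DB rejected the pending credential; AWSCURRENT left unchanged")
    elif step == "finishSecret":
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown rotation step {step}")

def current_password(sm):
    return json.loads(sm.get_secret_value(SecretId=SECRET_ID)["SecretString"])["password"]  # AWSCURRENT

def rotate(sm, db, token):
    """Drive one rotation the way the service does; returns the password now labelled AWSCURRENT."""
    sm.start_rotation(token)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": SECRET_ID, "ClientRequestToken": token, "Step": step}, None, sm, db)
    return current_password(sm)
```

Running rotate() against a FakeDatabase built with accept_changes=False shows the failure mode: testSecret raises and AWSCURRENT stays on the old version, which is the property that lets applications keep reading AWSCURRENT while a rotation is in flight. Re-invoking finishSecret for a token that already carries AWSCURRENT is a no-op, so a retried invocation cannot demote the live version.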

Use Cases

  • Centralized, secure storage for sensitive configuration values in place of credentials hard-coded in source or config files.
  • Automated rotation of database credentials. With the single-user strategy there is a short window between setSecret and finishSecret in which the database password has already changed but AWSCURRENT still holds the old one; the alternating-users strategy rotates two database users in turn so the live credential stays valid until the switch, and is the choice when connections cannot tolerate a brief authentication failure.
  • Secure storage of API keys and tokens for third-party integrations; these only rotate if you supply a custom rotation function that knows the third party's API.
 
🔷
AWS Secrets Manager – Multi-Region Secrets