Asm js is ready for production

What is AWS Secrets Manager?

Previously, when you created a custom application that pulls information from a database, you typically had to embed the credentials (the secret) directly in the application so it could access the database. When it came time to rotate the credentials, you had to do more than just create new ones: you had to spend time updating the application with the new credentials and then distribute the updated application. If multiple applications used the same credentials and you failed to update one of them, that application would fail. Because of this risk, many customers chose not to rotate their credentials regularly, which only replaces one risk with another.

Secrets Manager allows you to replace hard-coded credentials (including passwords) in your code with an API call to Secrets Manager to get the secret programmatically. This ensures that if someone searches your code, the secret cannot be compromised as it is no longer present in the code. You can also configure Secrets Manager to automatically rotate the secret according to a set schedule. In this way, you can replace long-lived secrets with short-lived secrets and significantly reduce the risk of being compromised.

Getting started with Secrets Manager

For a list of terms and concepts that you need to understand to take full advantage of Secrets Manager, see Basic Terms and Concepts for AWS Secrets Manager.

Typical Secrets Manager users can have one or more of the following roles:

  • Secrets Manager Administrator - Manages the Secrets Manager service. Grants permissions to individuals who can then perform the other roles listed here.

  • Database or Service Administrator - Manages the database or service whose secrets are stored with Secrets Manager. Determines and configures the rotation and expiration settings for your secrets.

  • Application Developer - creates the application and then configures it to request the appropriate credentials from Secrets Manager.

Secrets Manager scenario

The following diagram illustrates the simplest scenario. The diagram shows how you can store credentials for a database in Secrets Manager and then use those credentials in an application to access the database.

  1. The database administrator creates a set of credentials in the Personnel database for use by an application called MyCustomApp, and configures the credentials with the permissions the application needs to access the Personnel database.

  2. The database administrator stores the credentials in Secrets Manager as a named secret. Secrets Manager encrypts the credentials and saves them inside the secret as the protected secret text.

  3. When MyCustomApp needs to access the database, the application asks Secrets Manager for the secret by that name.

  4. Secrets Manager retrieves the secret, decrypts the protected secret text and returns the secret to the client application via a secure channel (HTTPS with TLS).

  5. The client application extracts the credentials, connection string, and any other required information from the response and then uses the information to access the database server.
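As an added illustration of steps 3 to 5 (not code from the AWS documentation), the following Python shows how a client such as MyCustomApp retrieves the secret at runtime and extracts the connection details from the response. The secret name, the response contents and the FakeSecretsClient stand-in for the boto3 client are constructed so the example runs offline; with a real boto3 client (`boto3.client("secretsmanager")`) the `fetch_db_credentials` function is used unchanged.

```python
import json
from typing import Any, Dict


def fetch_db_credentials(client: Any, secret_id: str) -> Dict[str, Any]:
    """Retrieve the secret at runtime and turn it into connection parameters.

    No version is requested, so the service returns the version currently in use.
    `client` is anything exposing boto3's get_secret_value(SecretId=...) call; the
    field names (username, password, host, port, dbname) follow AWS's RDS layout.
    """
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        raw = resp["SecretString"]
    else:
        raw = resp["SecretBinary"].decode("utf-8")  # binary secrets come back as bytes
    data = json.loads(raw)
    missing = [k for k in ("username", "password", "host", "port") if k not in data]
    if missing:
        raise ValueError(f"secret {secret_id} is missing fields: {missing}")
    return {
        "user": data["username"],
        "password": data["password"],
        "host": data["host"],
        "port": int(data["port"]),
        "dbname": data.get("dbname", ""),
    }


class FakeSecretsClient:
    """Constructed offline stand-in for the boto3 Secrets Manager client."""

    def __init__(self, response: Dict[str, Any]):
        self._response = response

    def get_secret_value(self, **kwargs: Any) -> Dict[str, Any]:
        if kwargs.get("SecretId") not in (self._response["Name"], self._response["ARN"]):
            raise LookupError("ResourceNotFoundException")  # same name the service uses
        return self._response


# Constructed sample in the shape of a GetSecretValue response (placeholder ARN/name).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:PLACEHOLDER-AbCdEf",
    "Name": "PLACEHOLDER",
    "SecretString": json.dumps({"username": "app_user", "password": "constructed-pw",
                                "engine": "postgres", "host": "db.example.internal",
                                "port": 5432, "dbname": "personnel"}),
    "VersionStages": ["AWSCURRENT"],
}
```

The returned dictionary feeds the database driver directly, so the password never has to appear in source, configuration files or logs.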

Secrets Manager supports many types of secrets. For supported AWS databases, Secrets Manager can rotate credentials natively, with no additional programming. To rotate the secrets for other databases or services, however, you must create a custom Lambda function that defines how Secrets Manager interacts with the database or service; writing that function requires programming knowledge. For more information, see Rotating Your AWS Secrets Manager Secrets.

Features of Secrets Manager

Programmatically retrieve encrypted secret values at runtime

Secrets Manager helps you improve your security posture by removing hard-coded credentials from your application's source code so that they are no longer stored within the application. Credentials stored in or with the application can be compromised by anyone authorized to examine the application or its components, and they also complicate rotation: you have to update the application and deploy the change to every client before the old credentials can be retired.

With Secrets Manager, you can replace saved credentials with a run-time call to the Secrets Manager web service, allowing you to dynamically retrieve the credentials as needed.

Most of the time, your client needs the latest version of the encrypted secret value. When you retrieve it, you can provide just the name or Amazon Resource Name (ARN) of the secret with no version information, and Secrets Manager automatically returns the latest version of the secret value.

However, other versions may exist at the same time. Most systems support secrets more complex than a simple password, for example a complete set of login information including connection details, user ID, and password. Secrets Manager can store multiple sets of these credentials at the same time, saving each set as a different version of the secret. During the rotation process, Secrets Manager keeps track of both the older credentials and the new credentials that you want to use from now on until the rotation is complete. It does this using staging labels.

Storage of various types of secrets

Secrets Manager allows you to store text in the encrypted secret data portion of a secret. This usually includes the connection details of the database or the service. This can include the server name, the IP address and the port number as well as the user name and password for logging into the service. For more information about secrets, see Maximums and Minimums. Protected text does not include:

  • Name and description of the secret

  • Rotation or expiration settings

  • ARN of the AWS KMS customer master key (CMK) assigned to the secret

  • Attached AWS tags

Encrypt your secret data

Secrets Manager encrypts the protected text of a secret using the AWS Key Management Service (AWS KMS). Many AWS services use AWS KMS for key storage and encryption. AWS KMS ensures that your secret is securely encrypted at rest. Secrets Manager assigns every secret to an AWS KMS CMK, which can be either the default Secrets Manager CMK for the account or a customer-created CMK.

When Secrets Manager encrypts a new version of the protected secret data, it asks AWS KMS to generate a new data key from the specified CMK and uses this data key for envelope encryption. Secrets Manager stores the encrypted data key alongside the protected secret data. Every time the secret needs to be decrypted, Secrets Manager asks AWS KMS to decrypt the data key, then uses the data key to decrypt the protected secret data. Secrets Manager never stores the data key unencrypted and always discards it immediately after use.

In addition, by default, Secrets Manager only accepts requests from hosts that use the open standard Transport Layer Security (TLS) and Perfect Forward Secrecy. Secrets Manager ensures that your secret is encrypted in transit between AWS and the computers that you use to retrieve the secret.

Automatic rotation of your secrets

You can configure Secrets Manager so that your secrets are automatically rotated according to a set schedule without user intervention.

The rotation is defined and implemented using an AWS Lambda function. This function defines how Secrets Manager performs the following tasks:

  • Creates a new version of the secret.

  • Stores the new version in Secrets Manager.

  • Configures the protected service to use the new version.

  • Tests the new version.

  • Marks the new version as ready for production.

Staging labels help you keep track of the different versions of your secrets. Each version can carry multiple staging labels, but each staging label can be attached to only one version at a time. Secrets Manager, for example, marks the version that is currently active and in use with a dedicated staging label. You should configure your applications so that they always ask for the current version of the secret. When the rotation process creates a new version, Secrets Manager attaches a pending staging label to it until testing and validation are complete; only then does Secrets Manager move the current staging label to the new version. Your applications start using the new secret the next time they retrieve the current version.
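The following Python is an added, constructed model (not AWS code) of the five rotation tasks listed above and of the staging-label rule from the previous paragraph; it uses the service's own label names AWSCURRENT, AWSPENDING and AWSPREVIOUS, while the SecretVersions class, the rotate function and its two callbacks are illustration only. It shows why a label can never sit on two versions at once and why the new version becomes current only after it has been tested.

```python
import uuid
from typing import Callable, Dict, Optional, Set


class SecretVersions:
    """Versions of one secret with their staging labels: a label is attached to
    exactly one version at a time, so attaching it elsewhere detaches it first."""

    def __init__(self, initial_value: str):
        self.versions: Dict[str, Dict] = {}
        self.add_version(initial_value, {"AWSCURRENT"})

    def add_version(self, value: str, labels: Set[str]) -> str:
        version_id = str(uuid.uuid4())
        self.versions[version_id] = {"value": value, "stages": set()}
        for label in labels:
            self.move_label(label, version_id)
        return version_id

    def move_label(self, label: str, to_version: str) -> None:
        for v in self.versions.values():
            v["stages"].discard(label)          # detach from the previous holder
        self.versions[to_version]["stages"].add(label)

    def find(self, label: str) -> Optional[str]:
        return next((vid for vid, v in self.versions.items() if label in v["stages"]), None)

    def get_secret_value(self, version_stage: str = "AWSCURRENT") -> str:
        # What a client sees: with no explicit version it gets the current one.
        vid = self.find(version_stage)
        if vid is None:
            raise LookupError(f"no version carries the label {version_stage}")
        return self.versions[vid]["value"]


def rotate(secret: SecretVersions, new_value: str,
           configure_service: Callable[[str], None],
           test_login: Callable[[str], bool]) -> str:
    """The rotation tasks in order; cut-over happens only after a successful test."""
    pending = secret.add_version(new_value, {"AWSPENDING"})   # create + store
    configure_service(new_value)                              # protected service
    if not test_login(new_value):                             # test before cut-over
        del secret.versions[pending]
        raise RuntimeError("new credentials failed validation; rotation aborted")
    previous = secret.find("AWSCURRENT")
    secret.move_label("AWSCURRENT", pending)                  # ready for production
    secret.move_label("AWSPREVIOUS", previous)
    secret.versions[pending]["stages"].discard("AWSPENDING")
    return pending
```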

Databases with support for fully configured and ready-to-use rotation

When you enable rotation, Secrets Manager supports the following Amazon Relational Database Service (Amazon RDS) databases with Lambda rotation function templates authored and tested by AWS and complete configuration of the rotation process:

  • Amazon Aurora on Amazon RDS

  • MySQL on Amazon RDS

  • PostgreSQL on Amazon RDS

  • Oracle on Amazon RDS

  • MariaDB on Amazon RDS

  • Microsoft SQL Server on Amazon RDS

Additional services with support for fully configured and ready-to-use rotation

You can also enable rotation for the following services, which are fully supported with Lambda rotation function templates authored and tested by AWS and fully configured for the rotation process:

  • Amazon DocumentDB

  • Amazon Redshift

You can also store secrets for almost any type of database or service. However, in order for the secrets to rotate automatically, you must create and configure a custom Lambda rotation function. For more information about how to write a custom Lambda function for a database or service, see Overview of the Lambda Rotation Function.

Control access to secrets

You can assign authorization policies for AWS Identity and Access Management (IAM) to your users, groups, and roles that allow or deny access to certain secrets and restrict the management of these secrets. For example, you can attach a specific policy to a group for the full administration and configuration of secrets. Another policy associated with a role used by an application may only grant read permission for that one secret that is required for the application to run.

Alternatively, you can attach a resource-based policy directly to the secret and thus grant permissions that determine which users may read or change the secret and its versions. Unlike an identity-based policy (which applies to the user, group, or role it is attached to), a resource-based policy attached to a secret names the target of the policy in a principal element, which can contain users and roles from the same account as the secret or principals from other accounts.
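An added example of the resource-based form described above (not from the AWS documentation): a policy attached to one secret that lets a single application role read that secret's value and metadata, and nothing else. The account ID and role name are placeholders; the two actions are the real Secrets Manager permissions a reading client needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMyCustomAppToReadThisSecret",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:role/PLACEHOLDER-MyCustomAppRole"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}
```

In a resource-based policy on a secret, "Resource": "*" refers to the secret the policy is attached to; a role from another account is named in the same way, and that account must still grant the role an identity-based policy allowing the same actions.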

Access to Secrets Manager

You can work with Secrets Manager in the following ways:

AWS management console

You can manage your secrets using the browser-based Secrets Manager console, which lets you perform almost any task related to your secrets.

Currently, you cannot perform the following task in the console:

  • Storing binary data in a secret. The console currently stores data only in the secret's string field; the binary field is not used. You must currently use the AWS CLI or one of the AWS SDKs to store binary data.

AWS command line tools

The AWS Command Line Tools allow you to run commands on your system's command line to perform Secrets Manager and other AWS tasks. This can be faster and more convenient than using the console. The command line tools can also be useful in creating scripts that perform AWS tasks.

AWS offers two sets of command line tools: the AWS Command Line Interface (AWS CLI) and the AWS Tools for Windows PowerShell. For more information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide. For more information about installing and using Tools for Windows PowerShell, see the AWS Tools for Windows PowerShell User Guide.

AWS SDKs

The AWS SDKs consist of libraries and sample code for various programming languages and platforms, such as Java, Python, Ruby, .NET, iOS, and Android, among others. The SDKs also handle tasks such as cryptographic signing, error handling, and automatic request retries. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

HTTPS Query API Secrets Manager

The Secrets Manager HTTPS Query API gives you programmatic access to Secrets Manager and AWS. The HTTPS query API allows you to direct HTTPS requests to the service. If you are using the HTTPS API, you will need to use code to digitally sign requests using your credentials. For more information, see Calling the API Using HTTP Query Requests and the API Reference for AWS Secrets Manager.

We recommend using the SDK for your preferred programming language instead of the HTTPS query API. The SDK performs many tasks that you would otherwise have to do manually: for example, the SDKs automatically sign your requests and convert the response into a structure that conforms to the syntax of your language. Use the HTTPS query API only if no SDK is available.

Secrets Manager pricing

When you use Secrets Manager, you only pay for what you need, and there are no minimum or setup fees. For the latest full price list, see AWS Secrets Manager Pricing.

AWS KMS - Custom Encryption Keys

If you use AWS KMS to create your own customer master keys to encrypt your secrets, AWS charges the current AWS KMS price. However, you can use the default key that AWS Secrets Manager creates for your account free of charge. For more information about the cost of customer-created AWS KMS keys, see AWS Key Management Service Pricing.

AWS CloudTrail Logging - Storage and Notification

When you enable AWS CloudTrail in your account, you can obtain logs of the API calls made to AWS Secrets Manager. Secrets Manager logs all events as management events; there are no data events. There is no additional charge for a single trail in AWS CloudTrail that captures management events, because AWS CloudTrail delivers the first copy of all management events for free. However, you may incur Amazon S3 charges for storing the logs and Amazon SNS charges if you enable notifications. If you set up additional trails, you may also be charged for the additional copies of management events. For more information, see AWS CloudTrail Pricing.