
How Does AWS Secrets Manager Work?

Johan Carlsson

Country Manager, Sweden

Reviewed by Opsio Engineering Team

Quick Answer

AWS Secrets Manager stores, encrypts, and automatically rotates sensitive credentials like database passwords, API keys, and tokens. It eliminates the need to hardcode secrets in your application code by providing secure, API-based access to credentials at runtime.

How Does Secrets Manager Store and Encrypt Secrets?

Every secret stored in Secrets Manager is encrypted at rest using AWS KMS (Key Management Service) encryption keys. When you create a secret, you provide the sensitive value (a password, connection string, or JSON blob), and Secrets Manager encrypts it before storing. You can use the default AWS-managed key or specify your own customer-managed KMS key for additional control.

Access is controlled through IAM policies — only authorized users, roles, and applications can retrieve secrets. If the secret is encrypted with a customer-managed KMS key, the caller also needs kms:Decrypt on that key; without it, GetSecretValue fails even when the Secrets Manager permissions are in place. Every access attempt is logged in AWS CloudTrail, creating a complete audit trail.

How Does Automatic Secret Rotation Work?

Secrets Manager can automatically rotate credentials on a schedule you define, without requiring application downtime. Rotation uses a Lambda function that generates a new credential, updates it in both Secrets Manager and the target service (like an RDS database), and verifies the new credential works before retiring the old one.

Built-in rotation support is available for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. For other services, you can write custom Lambda rotation functions.
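As an added example (not code from the article, from Opsio, or from the AWS rotation template), here is the four-step protocol a custom rotation Lambda follows, driven against constructed in-memory stand-ins for Secrets Manager and the target database so it runs offline. The secret name, version ids, token values and JSON key names are assumptions.

```python
"""Four-step custom rotation function (added example; not Opsio's or AWS's template code).

Secrets Manager invokes the rotation Lambda once per step (createSecret, setSecret,
testSecret, finishSecret) and tracks versions with the staging labels AWSCURRENT and
AWSPENDING. FakeSecretsClient and FakeTarget are constructed stand-ins (not boto3, not a
real database) so the flow runs offline; a deployment passes boto3.client("secretsmanager").
"""
import json
import secrets
import string
from typing import Any, Dict

STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")

def load_secret(sm: Any, secret_id: str, stage: str, token: str = "") -> Dict[str, Any]:
    """Read one JSON secret version by stage, optionally pinned to a version id."""
    kwargs = {"SecretId": secret_id, "VersionStage": stage}
    if token:
        kwargs["VersionId"] = token
    return json.loads(sm.get_secret_value(**kwargs)["SecretString"])

def rotate(event: Dict[str, str], sm: Any, target: Any) -> str:
    """Handler body; a Lambda handler would call rotate(event, sm, target)."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} is not staged for rotation")
    if "AWSCURRENT" in stages[token]:
        return "already current"  # retried event after a completed rotation: nothing to do
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not AWSPENDING")
    if step == "createSecret":  # 1. generate the new credential and store it as AWSPENDING
        try:
            load_secret(sm, secret_id, "AWSPENDING", token)  # retry-safe: already created
        except sm.exceptions.ResourceNotFoundException:
            pending = load_secret(sm, secret_id, "AWSCURRENT")
            pending["password"] = sm.get_random_password(
                PasswordLength=32, ExcludeCharacters="/@\"'\\")["RandomPassword"]
            sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
    elif step == "setSecret":  # 2. push it to the target, authenticating with the current one
        current = load_secret(sm, secret_id, "AWSCURRENT")
        pending = load_secret(sm, secret_id, "AWSPENDING", token)
        target.set_password(current["username"], current["password"],
                            pending["username"], pending["password"])
    elif step == "testSecret":  # 3. prove the new credential works before anything retires
        pending = load_secret(sm, secret_id, "AWSPENDING", token)
        if not target.connect(pending["username"], pending["password"]):
            raise RuntimeError("pending credential failed verification; AWSCURRENT untouched")
    elif step == "finishSecret":  # 4. promote AWSPENDING; the old version becomes AWSPREVIOUS
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown step {step}")
    return step

class FakeTarget:
    """Constructed model of the service that owns the credential (e.g. a database)."""
    def __init__(self, username, password):
        self.passwords = {username: password}
    def connect(self, username, password):
        return self.passwords.get(username) == password
    def set_password(self, admin, admin_pw, username, new_pw):
        if not self.connect(admin, admin_pw):
            raise PermissionError("authentication with the current credential failed")
        self.passwords[username] = new_pw

class FakeSecretsClient:
    """Constructed in-memory model of the secretsmanager calls rotation needs."""
    class exceptions:  # mirrors boto3's client.exceptions namespace
        ResourceNotFoundException = type("ResourceNotFoundException", (Exception,), {})
    def __init__(self, secret_id, current):
        self.values = {"v1": json.dumps(current)}      # version id -> SecretString
        self.stages = {"v1": ["AWSCURRENT"]}           # version id -> staging labels
    def start_rotation(self, token):
        """What the service does before step 1: stage an empty AWSPENDING version."""
        self.stages[token] = ["AWSPENDING"]
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}
    def get_random_password(self, PasswordLength=32, ExcludeCharacters=""):
        pool = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in ExcludeCharacters]
        return {"RandomPassword": "".join(secrets.choice(pool) for _ in range(PasswordLength))}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage="AWSCURRENT"):
        for vid, labels in self.stages.items():
            if VersionId in (None, vid) and VersionStage in labels and vid in self.values:
                return {"SecretString": self.values[vid], "VersionId": vid}
        raise self.exceptions.ResourceNotFoundException(f"{SecretId}: no {VersionStage} value")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)
        return {"VersionId": ClientRequestToken}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[RemoveFromVersionId].append("AWSPREVIOUS")  # the service adds this itself
        self.stages[MoveToVersionId].append(VersionStage)
```

Two design points matter in practice: every step is idempotent, because Secrets Manager retries a failed invocation with the same ClientRequestToken, and the AWSCURRENT label only moves in finishSecret, after testSecret has proven the new credential works, so a failed verification leaves the application's working credential untouched.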

How Do Applications Retrieve Secrets?

Applications call the Secrets Manager API at runtime to retrieve the current secret value, rather than reading credentials from config files or environment variables. The typical flow is:

  1. Application calls GetSecretValue API with the secret name
  2. Secrets Manager verifies IAM permissions
  3. If authorized, the decrypted secret value is returned
  4. Application uses the credential to connect to the target service

SDKs are available for Python, Java, Node.js, Go, .NET, and other languages. Caching libraries reduce API calls and latency for frequently accessed secrets.
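An added example of the retrieval flow and the caching point above, written for this article and not taken from Opsio or AWS. It uses the boto3 client call GetSecretValue through a small TTL cache; the secret names, the JSON key layout, the 300-second TTL and the constructed FakeSecretsClient (used so the module runs offline) are all assumptions.

```python
"""Runtime secret retrieval with a small TTL cache (added example, not Opsio's or AWS's code).

Assumptions: the secret "prod/app/db" holds the JSON shape the RDS rotation functions
use (username, password, host, port, dbname), and a 300 s cache TTL is acceptable.
boto3 is imported lazily so the module also runs offline against FakeSecretsClient.
"""
import json
import time
from typing import Any, Dict, Optional


def fetch_secret(client: Any, secret_id: str) -> Dict[str, Any]:
    """Steps 1-3 of the flow: GetSecretValue (IAM is checked server-side), then decode."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        raw = resp["SecretString"]
    else:  # boto3 hands back SecretBinary as bytes; assumed to be UTF-8 text here
        raw = bytes(resp["SecretBinary"]).decode("utf-8")
    try:
        parsed = json.loads(raw)
    except ValueError:  # plain-string secret (an API token, say)
        return {"value": raw}
    return parsed if isinstance(parsed, dict) else {"value": parsed}


class SecretCache:
    """Keeps decrypted values for `ttl` seconds so hot paths do not call the API each time."""

    def __init__(self, ttl: float = 300.0, client: Any = None) -> None:
        self.ttl = ttl
        self._client = client  # injected for tests; a real boto3 client otherwise
        self._entries: Dict[str, tuple] = {}  # secret_id -> (expires_at, value)

    @property
    def client(self) -> Any:
        if self._client is None:
            import boto3  # only needed when talking to the real service
            self._client = boto3.client("secretsmanager")
        return self._client

    def get(self, secret_id: str, now: Optional[float] = None) -> Dict[str, Any]:
        now = time.time() if now is None else now
        hit = self._entries.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = fetch_secret(self.client, secret_id)
        self._entries[secret_id] = (now + self.ttl, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        """Call on an authentication failure: the secret may have rotated since it was cached."""
        self._entries.pop(secret_id, None)


def build_dsn(secret: Dict[str, Any]) -> str:
    """Step 4: connection string for the target service; the password is deliberately left out."""
    return "postgresql://{username}@{host}:{port}/{dbname}".format(**secret)


class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client; returns canned responses."""

    def __init__(self, secrets: Dict[str, Dict[str, Any]]) -> None:
        self.secrets = secrets
        self.calls = 0  # lets a test observe how many API calls the cache saved

    def get_secret_value(self, SecretId: str, **_: Any) -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self.secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return self.secrets[SecretId]


# Constructed sample data: not real credentials.
SAMPLE_SECRETS = {
    "prod/app/db": {"SecretString": json.dumps({
        "username": "app", "password": "sample-not-a-real-password",
        "host": "db.example.internal", "port": 5432, "dbname": "orders"})},
    "prod/app/api-token": {"SecretBinary": b"tok_sample_0123"},
}


if __name__ == "__main__":
    cache = SecretCache(client=FakeSecretsClient(SAMPLE_SECRETS))
    print(build_dsn(cache.get("prod/app/db")))
```

The cache is what keeps the per-10,000-call pricing and the API latency off the request path, but it interacts with rotation: a value cached just before a rotation is stale until the TTL expires, so the application should drop the entry and refetch when the target service rejects the credential rather than retrying with the cached one.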

What Does Secrets Manager Cost?

Pricing is based on the number of secrets stored ($0.40/secret/month) and API calls ($0.05 per 10,000 calls). There is no charge for secrets created and deleted within the same day, which is useful during development and testing.

For organizations managing multiple AWS accounts and services, Opsio's IT security services can design and implement a secrets management strategy that includes rotation policies, access governance, and ongoing monitoring of credential usage.

Written By

Johan Carlsson

Country Manager, Sweden at Opsio

Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.

Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. We update content quarterly for technical accuracy. Opsio maintains editorial independence.
