Definition

AWS Secrets Manager

AWS Secrets Manager is a security service to centrally manage sensitive information and eliminate the need to hard-code that information into an application.

An administrator stores information, or "secrets," such as user names, passwords, database credentials and API keys inside AWS Secrets Manager to limit unauthorized access to Amazon services and applications built on its cloud platform. The service can also manage secrets that pertain to resources on premises and other third-party platforms.

AWS Secrets Manager attributes

Secrets Manager removes the need to embed credentials into an application, a practice sometimes used so that the application can access databases and other services. Instead, that information is retrievable programmatically via an API call, so a user doesn't have to update an application every time credentials are rotated.

An administrator can rotate credentials automatically, or set a rotation schedule. Credential rotation doesn't require any additional steps for native AWS database services, but a user must create a custom AWS Lambda function to establish how Secrets Manager interacts with external services.

An administrator can store text up to 4096 characters in a single secret. That could include the actual information being kept private, as well as any pertinent information about connections to a related database or service. Labels are used to identify and track various versions of rotated secrets, and a version can carry up to 20 labels. A user query will be directed to the current version of the secret, unless that query specifically requests a previous iteration.
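The runtime retrieval and version labels described in the two sections above, as an added example that is not part of the original page: a short-lived cache that fetches the secret through `get_secret_value`, refetches once when a login fails after a rotation, and can still request the previous version by label. The class and function names, the `connect` callable, the use of `PermissionError` as the login failure, and the stand-in client are assumptions made for illustration; with the real service, pass a boto3 `secretsmanager` client instead.

```python
import json
import time


class SecretCache:
    """Fetch a JSON secret at runtime and cache it briefly instead of hard-coding it."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client = client      # boto3 "secretsmanager" client, or a stand-in
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._cached = {}          # staging label -> (expiry, parsed secret)

    def get(self, stage="AWSCURRENT", force_refresh=False):
        entry = self._cached.get(stage)
        if entry and not force_refresh and self._clock() < entry[0]:
            return entry[1]
        resp = self._client.get_secret_value(
            SecretId=self._secret_id, VersionStage=stage)
        secret = json.loads(resp["SecretString"])
        self._cached[stage] = (self._clock() + self._ttl, secret)
        return secret


def connect_with_rotation_retry(cache, connect):
    """Call connect(creds); on an auth failure, refetch the current version once."""
    try:
        return connect(cache.get())
    except PermissionError:        # assumed signal that the cached password is stale
        return connect(cache.get(force_refresh=True))


class FakeSecretsManager:
    """Constructed stand-in for the service so the example runs offline."""

    def __init__(self, versions):
        self.versions = versions   # staging label -> SecretString
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.versions[VersionStage],
                "VersionStages": [VersionStage]}

    def rotate(self, new_secret_string):
        # Mimic a rotation: the old current version becomes the previous one.
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = new_secret_string
```

Keeping the cache lifetime short bounds how long a rotated-out credential stays in process memory, and the single retry keeps a rotation from surfacing as an application error.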

AWS Secrets Manager integrations

The service integrates with AWS Key Management Service (AWS KMS) to encrypt sensitive data. It only accepts requests from hosts that use the Transport Layer Security and Perfect Forward Secrecy standards, which ensures those secrets remain encrypted in transit.

An administrator can attach AWS Identity and Access Management (IAM) policies to designated users or groups in order to distribute or limit access to secrets. The service also works with AWS CloudTrail and Amazon CloudWatch Events. An administrator can use CloudTrail to check secret rotations or CloudWatch Events to send a notification if a secret is deleted.

AWS Secrets Manager pricing

As of December 2018, the service is charged on a per-use basis, including $0.40 per secret per month, and $0.05 per 10,000 API calls.

The default AWS KMS key is free with the service, but there are additional charges if an administrator opts to create a custom master key through AWS KMS. Furthermore, there may be other charges for the use of multiple management events in CloudTrail, as well as Amazon S3 and Amazon Simple Notification Service fees for log storage and notifications.

This was last updated in December 2018
