Amazon Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises. FEATURES: Secure secrets storage AWS Secrets Manager encrypts secrets at rest using encryption keys that you own and store in AWS Key Management Service (KMS). When you retrieve a secret, Secrets Manager decrypts the secret and transmits it securely over TLS to your local environment. By default, Secrets Manager does not write or cache the secret to persistent storage. And, you can control access to the secret using fine-grained AWS Identity and Access Management (IAM) policies and resource-baesd policies.  You can also tag secrets individually and apply tag-based access controls. For example, you can tag secrets used in the production environment as “Prod,” and then write an IAM policy to grant access to these secrets only if the requests are coming from within the corporate IT network. Automatic secrets rotation without disrupting applications With AWS Secrets Manager, you can rotate secrets on a schedule or on demand by using the Secrets Manager console, AWS SDK, or AWS CLI. For example, to rotate a database password, you provide the database type, rotation frequency, and master database credentials when storing the password in Secrets Manager. Secrets Manager natively supports rotating credentials for databases hosted on Amazon RDS and Amazon DocumentDB and clusters hosted on Amazon Redshift. You can extend Secrets Manager to rotate other secrets by modifying sample Lambda functions. For example, you can rotate OAuth refresh tokens used to authorize applications or passwords used for MySQL databases hosted on-premises. Users and applications retrieve secrets by replacing hardcoded secrets with a call to Secrets Manager APIs, enabling you to automate secret rotation while ensuring applications run without interruption. Programmatic retrieval of secrets You can store and retrieve secrets using the AWS Secrets Manager console, AWS SDK, AWS CLI, or AWS CloudFormation. To retrieve secrets, you simply replace plaintext secrets in your applications with code to pull in those secrets programmatically using the Secrets Manager APIs. Secrets Manager provides code samples to call Secrets Manager APIs.  You can configure Amazon Virtual Private Cloud (VPC) endpoints to keep traffic between your VPC and Secrets Manager within the AWS network. You can also use Secrets Manager client-side caching libraries to improve the availability and reduce the latency of using your secrets. Audit and monitor secrets usage AWS Secrets Manager enables you to audit and monitor secrets through integration with AWS logging, monitoring, and notification services. For example, after enabling AWS CloudTrail for an AWS region, you can audit when a secret is stored or rotated by viewing AWS CloudTrail logs. Similarly, you can configure Amazon CloudWatch to receive email messages using Amazon Simple Notification Service when secrets remain unused for a period, or you can configure Amazon CloudWatch Events to receive push notifications when Secrets Manager rotates your secrets. Compliance You can use AWS Secrets Manager to manage secrets for workloads that are subject to U.S. Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, or ISO 9001. PRICING: AWS Secrets Manager enables you to rotate, manage, and retrieve secrets throughout their lifecycle, making it easier to maintain a secure environment that meets your security and compliance needs. With Secrets Manager, you pay based on the number of secrets stored and API calls made. There are no upfront costs or long-term contracts. You simply pay for usage, without incurring costs related to infrastructure, licensing, and personnel required to ensure your secrets are reliably and highly available. 30-day Trial Period You can try AWS Secrets Manager at no additional charge with a 30-day free trial. The free trial enables you to rotate, manage, and retrieve secrets over the 30-day period. Your free trial starts when you store your first secret. Per Secret Per Month $0.40 per secret per month. For secrets that are stored for less than a month, the price is prorated (based on the number of hours.) Per 10,000 API calls $0.05 per 10,000 API calls. BENEFITS: Rotate secrets safely AWS Secrets Manager helps you meet your security and compliance requirements by enabling you to rotate secrets safely without the need for code deployments. For example, Secrets Manager offers built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB and rotates these database credentials on your behalf automatically. You can customize Lambda functions to extend Secrets Manager rotation to other secret types, such as API keys and OAuth tokens. Retrieving the secret from Secrets Manager ensures that developers and applications are using the latest version of your secrets. Manage access with fine-grained policies With Secrets Manager, you can manage access to secrets using fine-grained AWS Identity and Access Management (IAM) policies and resource-based policies. For example, you can create a policy that enables developers to retrieve certain secrets only when they are used for the development environment. The same policy could enable developers to retrieve passwords used in the production environment only if their requests are coming from within the corporate IT network. For the database administrator, a policy can be built to allow the database administrator to manage all database credentials and permission to read the SSH keys required to perform OS-level changes to the particular instance hosting the database. Secure and audit secrets centrally Using Secrets Manager, you can help secure secrets by encrypting them with encryption keys that you manage using AWS Key Management Service (KMS). It also integrates with AWS’ logging and monitoring services for centralized auditing. For example, you can audit AWS CloudTrail logs to see when Secrets Manager rotates a secret or configure AWS CloudWatch Events to notify you when an administrator deletes a secret. Pay as you go Secrets Manager offers pay as you go pricing. You pay for the number of secrets managed in Secrets Manager and the number of Secrets Manager API calls made. Using Secrets Manager, you can enable a highly available secrets management service without the upfront investment and on-going maintenance costs of operating your own infrastructure.