Security

AWS Secrets Manager Multi-Region Strategy - Replication and Cross-Account Sharing

Learn how to achieve disaster recovery with multi-region replication and build centralized management from a security account using cross-account access.

約 3 分で読めます

Multi-Region Secrets

Secrets Manager's multi-region secrets feature automatically synchronizes a primary region's secret to up to four replica regions. Each replica has its own ARN but can be accessed using the same secret name. Applications retrieve secrets from region-specific endpoints, so if the primary region fails, they can continue accessing secrets from a replica region. Replicas are read-only, and updates can only be made in the primary region. In the event of a primary region failure, you can promote a replica to primary to enable writes.

Cross-Account Access

In multi-account environments, the recommended approach is to manage secrets in a central security account and reference them from workload accounts. Configure a resource-based policy on the secret to allow GetSecretValue for IAM roles in workload accounts. On the workload account side, attach a policy to the IAM role granting access to the secret ARN in the security account. You also need to configure cross-account Decrypt permissions in the KMS key policy. This setup centralizes secret management while allowing applications in each account to access secrets securely.

Versioning and Availability During Rotation

Secrets Manager manages secret versions using labels. AWSCURRENT points to the currently active version, and AWSPREVIOUS points to the immediately preceding version. During rotation, a new password is created with the AWSPENDING label, and after the database password update and connection test succeed, it is promoted to AWSCURRENT. The alternating users strategy uses two database users alternately, maintaining connectivity through one user while the other's password is being rotated. On the application side, using the SDK's caching library is recommended - it continues using the pre-rotation password within the cache TTL and retrieves the new password when the TTL expires. To deepen your understanding of multi-region architectures, specialized books on Amazon can also be helpful.

Secrets Manager Pricing

Secrets Manager pricing consists of approximately 0.40 USD per secret per month and approximately 0.05 USD per 10,000 API calls. Multi-region replication incurs the same monthly fee for secrets in each replica region. Replicating to 4 regions costs approximately 2.00 USD per secret per month (0.40 x 5 regions). While this is more expensive than Parameter Store's SecureString (standard parameters are free), the value of automatic rotation and multi-region replication should be factored into the decision.

Summary

Secrets Manager's multi-region replication and cross-account sharing enable enterprise-scale secret management. By combining replica placement for disaster recovery, centralized management in a security account, and availability during rotation through versioning, you can build a robust secret management foundation.

Related Services

AWS Secrets ManagerSecurely manage and automatically rotate database passwords and API keysAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAWS LambdaA serverless compute service that runs code without server management

Related Articles

AWS Secrets Manager - Automatic Rotation and Application IntegrationAutomatically rotate RDS and Aurora passwords with Lambda functions and seamlessly retrieve secrets from applications using the SDK caching library. Also covers when to use Parameter Store instead.Managing Configuration and Secrets with AWS Systems Manager Parameter Store - Hierarchical Structure and EncryptionLearn how to manage configuration values and secrets with Parameter Store, design hierarchical parameter structures, and choose between Parameter Store and Secrets Manager.Amazon API Gateway Design Patterns - Choosing Between REST API and HTTP APIClear criteria for choosing between HTTP API and REST API, authentication patterns with Cognito and Lambda authorizers, and practical throttling design techniques.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

AWS Secrets ManagerA service for securely storing, retrieving, and automatically rotating secrets such as database passwords and API keys, eliminating hard-coded credentialsAWS Secrets Manager - Automatic Rotation and Application IntegrationAutomatically rotate RDS and Aurora passwords with Lambda functions and seamlessly retrieve secrets from applications using the SDK caching library. Also covers when to use Parameter Store instead.Managing Configuration and Secrets with AWS Systems Manager Parameter Store - Hierarchical Structure and EncryptionLearn how to manage configuration values and secrets with Parameter Store, design hierarchical parameter structures, and choose between Parameter Store and Secrets Manager.AWS Systems ManagerA service that centralizes operational management of EC2 instances and on-premises servers, enabling patch application, command execution, parameter management, and session connections securely without SSH