
AWS Secrets Manager (Essential, since 2018)

Securely manage and automatically rotate database passwords and API keys

What It Does

AWS Secrets Manager stores and manages sensitive values (secrets) such as database credentials, API keys, and OAuth tokens. Beyond encrypted storage, IAM-based access control, and CloudTrail audit logging, it can rotate secrets automatically: with AWS-provided rotation functions for supported database engines, and with a rotation Lambda function you write for any other secret type. Applications no longer hardcode credentials; they retrieve the current value through an API call at runtime.

Use Cases

Securely storing and auto-rotating RDS and Aurora database passwords, centrally managing third-party API keys, retrieving secrets from Lambda functions and container applications, sharing secrets across multi-account environments, and automating regular password changes for compliance requirements.

Everyday Analogy

Think of a bank safe deposit box. Instead of keeping important documents (passwords and API keys) in a desk drawer (source code), you store them in a bank vault (Secrets Manager). When needed, you present ID (IAM authentication) to retrieve them, and the service periodically changes the locks (rotation) for you.

What Is Secrets Manager?

AWS Secrets Manager is a service for managing the sensitive values applications use. Traditionally, database passwords and API keys were stored in plaintext in configuration files or environment variables, from where they leak through repositories, logs, and anyone able to read a process or function configuration. With Secrets Manager, secrets are encrypted at rest with an AWS KMS key, access is controlled by IAM policies (and optionally a resource policy attached to the secret), and every API call against the secret is recorded in CloudTrail.

Automatic Rotation

The standout feature of Secrets Manager is automatic secret rotation. It can change database passwords for RDS, Aurora, Redshift, and DocumentDB on a defined schedule. A rotation Lambda function (AWS provides templates for the supported engines) runs a four-step procedure: createSecret generates a new password and stores it as a pending version, setSecret applies it to the database, testSecret verifies a login with it, and finishSecret promotes the pending version to the current one. The versions are tracked with the staging labels AWSPENDING, AWSCURRENT, and AWSPREVIOUS. Because applications fetch the current version from Secrets Manager instead of from a deployed file, rotation needs no redeployment. It is not downtime-free by itself, though: with the single-user strategy there is a brief window between the database password change and the label move in which the stored current value no longer works, and an application holding a cached value keeps failing until it refreshes. The alternating-users strategy (two database users rotated in turn) and refreshing the cached value on authentication failure close that gap.
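The four-step contract above, as an added example rather than code from the page or from AWS's rotation templates. The event fields (SecretId, ClientRequestToken, Step), the staging labels, and the client calls (describe_secret, get_secret_value, put_secret_value, get_random_password, update_secret_version_stage) follow the real Secrets Manager rotation interface; FakeSecretsManager and FakeDatabase are constructed in-memory stand-ins so the flow runs offline, and the secret name prod/app/db and the username are assumed. The handler is written to be idempotent because the service retries steps.

```python
import json
import secrets
import string


class FakeDatabase:
    """Constructed stand-in for the RDS instance whose password is rotated."""
    def __init__(self, user, password):
        self.passwords = {user: password}

    def connect(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("authentication failed for %s" % user)
        return True

    def set_password(self, user, password):
        self.passwords[user] = password


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager') covering only the
    calls a rotation function makes. Label handling mirrors the service: the
    version that loses AWSCURRENT becomes AWSPREVIOUS."""
    def __init__(self, secret_string):
        self.values = {"v1": secret_string}
        self.stages = {"v1": ["AWSCURRENT"]}          # VersionIdsToStages

    def begin_rotation(self, token):
        # The service registers the new version ID as AWSPENDING (no value yet)
        # before invoking the Lambda with Step=createSecret.
        self.stages[token] = ["AWSPENDING"]

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage="AWSCURRENT"):
        if VersionId is None:
            VersionId = next(v for v, s in self.stages.items() if VersionStage in s)
        if VersionId not in self.values:        # boto3 raises ClientError(ResourceNotFoundException)
            raise KeyError(VersionId)
        return {"VersionId": VersionId, "SecretString": self.values[VersionId]}

    def get_random_password(self, PasswordLength=32, ExcludeCharacters=""):
        pool = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in ExcludeCharacters]
        return {"RandomPassword": "".join(secrets.choice(pool) for _ in range(PasswordLength))}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString
        self.stages[ClientRequestToken] = list(VersionStages)

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.stages[RemoveFromVersionId].remove(VersionStage)
            if VersionStage == "AWSCURRENT":
                self.stages[RemoveFromVersionId].append("AWSPREVIOUS")
        self.stages[MoveToVersionId].append(VersionStage)


def lambda_handler(event, sm, db):
    """Rotation entry point. The real Lambda signature is (event, context); the
    clients are injected here so the whole flow runs offline."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"].get(token, [])
    if "AWSCURRENT" in stages:
        return "already current"               # an earlier run finished; stay idempotent
    if "AWSPENDING" not in stages:
        raise ValueError("version %s is not staged AWSPENDING" % token)

    def value(**kw):
        return json.loads(sm.get_secret_value(SecretId=arn, **kw)["SecretString"])

    if step == "createSecret":                 # generate and store the pending password
        try:
            value(VersionId=token, VersionStage="AWSPENDING")   # retried run: reuse it
        except KeyError:
            pending = dict(value(VersionStage="AWSCURRENT"))
            pending["password"] = sm.get_random_password(
                PasswordLength=32, ExcludeCharacters="/@\"'\\")["RandomPassword"]
            sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
    elif step == "setSecret":                  # apply it to the database with the current creds
        current = value(VersionStage="AWSCURRENT")
        pending = value(VersionId=token, VersionStage="AWSPENDING")
        db.connect(current["username"], current["password"])
        db.set_password(pending["username"], pending["password"])
    elif step == "testSecret":                 # prove the new password works before promoting it
        pending = value(VersionId=token, VersionStage="AWSPENDING")
        db.connect(pending["username"], pending["password"])
    elif step == "finishSecret":               # move AWSCURRENT; the old version becomes AWSPREVIOUS
        current_id = sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
    return step


def run_rotation(sm, db, secret_id, token):
    """Drive the four steps the way the service would; return the new AWSCURRENT value."""
    sm.begin_rotation(token)
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": secret_id, "ClientRequestToken": token, "Step": step}, sm, db)
    return json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"])
```

Between setSecret and finishSecret the database already accepts only the pending password while AWSCURRENT still points at the old one; that is the single-user window described above, and it is why the function tests the new password before moving the label rather than after. Once finishSecret has run, a repeated invocation returns "already current" instead of generating another password.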

Using Secrets from Applications

To retrieve a secret from application code, call the GetSecretValue API through the AWS SDK; Python, Java, Node.js, Go, and the other major SDKs support it. For Lambda functions, fetch the secret from Secrets Manager at runtime rather than placing it in environment variables, which are readable by anyone who can view the function configuration; the AWS Parameters and Secrets Lambda Extension can cache the value locally across invocations. For ECS and EKS, reference the secret in the task definition or pod definition so it is injected at container start. A caching library, such as the AWS-provided ones, keeps API call volume, latency, and cost down.

Pricing

Secrets Manager pricing is per stored secret and per API call: $0.40 per secret per month and $0.05 per 10,000 API calls, with a 30-day free trial during which storage is not charged. It is more expensive than Systems Manager Parameter Store's SecureString parameters (standard-tier parameters carry no storage charge), and built-in automatic rotation is the key differentiator. The per-call price is also the financial reason to cache: a service that fetches the secret on every request pays for every request.

Things to Watch Out For

  • Cache retrieved secrets in the application rather than calling GetSecretValue on every request; the AWS-provided caching libraries do this and also reduce latency. Pair the cache with a refresh on authentication failure so a rotation that happened after the cache filled does not turn into an outage
  • Before enabling automatic rotation, test that the application tolerates a credential change: existing pooled connections keep working, but new connections must use the new password, so verify that the pool's reconnection path reads the current secret instead of a value captured at startup
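The caching and refresh-on-failure pattern from the section on using secrets from applications and from the two points above, as an added example that is not code from the page or from the AWS caching libraries. SecretCache is a minimal TTL cache in the spirit of those libraries; FakeSecretsClient and FakeDatabase are constructed stand-ins so it runs offline (boto3's secretsmanager client exposes the same get_secret_value(SecretId=...) call), and the secret name prod/app/db, the username, and the passwords are assumed.

```python
import json
import time


class SecretCache:
    """TTL cache for one secret. `client` is anything exposing
    get_secret_value(SecretId=...) -> {"SecretString": ...}; boto3's
    secretsmanager client fits, the constructed FakeSecretsClient is used here."""

    def __init__(self, client, secret_id, ttl=3600, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl, clock
        self._value, self._expires = None, 0.0

    def get(self):
        """Parsed secret (a JSON object), fetched at most once per TTL."""
        if self._value is None or self.clock() >= self._expires:
            self.refresh()
        return self._value

    def refresh(self):
        """Force a GetSecretValue call (AWSCURRENT by default)."""
        resp = self.client.get_secret_value(SecretId=self.secret_id)
        self._value = json.loads(resp["SecretString"])
        self._expires = self.clock() + self.ttl


def connect_with_refresh(cache, connect):
    """Connect with the cached credentials. An authentication failure is the
    symptom of a rotation completed after the cache filled: refresh once and
    retry. A second failure propagates (for example inside the window a
    single-user rotation leaves between the database change and the label move)."""
    try:
        return connect(cache.get())
    except PermissionError:
        cache.refresh()
        return connect(cache.get())


class FakeSecretsClient:
    """Constructed stand-in for boto3.client('secretsmanager') that counts calls."""
    def __init__(self, creds):
        self.creds, self.calls = dict(creds), 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.creds)}


class FakeDatabase:
    """Constructed stand-in for the database: accepts exactly one credential set."""
    def __init__(self, creds):
        self.valid = dict(creds)

    def connect(self, creds):
        if creds != self.valid:
            raise PermissionError("authentication failed")
        return "connection as %s" % creds["username"]


def simulate(requests=50, ttl=300):
    """Serve `requests` connections from the cache, then rotate the password
    out from under the application and show that one refresh recovers.
    Returns the GetSecretValue call counts before and after the rotation."""
    now = [0.0]                                            # injectable clock (seconds)
    client = FakeSecretsClient({"username": "app", "password": "old-pw"})
    db = FakeDatabase(client.creds)
    cache = SecretCache(client, "prod/app/db", ttl=ttl, clock=lambda: now[0])
    for _ in range(requests):
        connect_with_refresh(cache, db.connect)
        now[0] += 1                                        # stays well inside the TTL
    calls_before = client.calls                            # one call served them all
    client.creds["password"] = db.valid["password"] = "new-pw"   # rotation happened
    conn = connect_with_refresh(cache, db.connect)         # fails once, refreshes, succeeds
    return {"calls_before": calls_before, "calls_after": client.calls, "conn": conn}
```

In a connection pool the same idea applies to the pool's new-connection path: it should call cache.get() each time it opens a connection, so that connections opened after a rotation use the new password while the ones already established keep running.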