- Store all secrets in AWS Secrets Manager or AWS Systems Manager (SSM) Parameter Store (SecureString type)
- Never commit secrets to source control — use .gitignore, git-secrets, and pre-commit hooks to prevent leaks
- Reference secrets by ARN in CloudFormation/CDK and resolve them at runtime, never as plaintext in templates
- Enable automatic rotation for database credentials and API keys via Secrets Manager rotation Lambda functions
- Use KMS customer-managed keys (CMKs) for encrypting secrets at rest; control access via key policies
- In Lambda, cache secrets outside the handler to avoid fetching on every invocation
- Use AWS SDK with IAM role credentials — never store access keys in application config
- For ECS/EKS, inject secrets as environment variables from Secrets Manager or SSM, not from .env files
- Set up CloudTrail alerts for GetSecretValue and PutSecretValue API calls on sensitive secrets
- Use resource policies on Secrets Manager to restrict cross-account access
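The "never as plaintext in templates" rule is easy to check mechanically before a template reaches source control. The following pre-commit style check is an added example (not code from the original list or from AWS): it walks a JSON CloudFormation template and reports any credential-looking property whose value is a literal string rather than a `{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}` dynamic reference. The embedded template, account id and secret names are constructed for the demonstration; the key-name heuristics are an assumption and should be tuned for your templates.

```python
"""Pre-commit style check for plaintext secrets in CloudFormation JSON templates.

Added example, not code from the original page. Template content, account id
and secret names below are constructed placeholders.
"""
import json
import re
import sys
from typing import Any, List

# A value that defers to Secrets Manager or an SSM SecureString at deploy time.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):[^{}]+\}\}$")
# Property-name fragments that usually carry a credential (heuristic, assumption).
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "apikey", "privatekey", "credential")
# Keys that name or point at a secret (SecretId, DbSecretArn, ...) rather than hold it.
REFERENCE_SUFFIXES = ("id", "arn", "name", "ref")


def _normalise(key: str) -> str:
    """Lower-case and strip separators so MasterUserPassword and DB_SECRET_ARN compare alike."""
    return re.sub(r"[^a-z]", "", key.lower())


def is_sensitive_key(key: str) -> bool:
    k = _normalise(key)
    if k.endswith(REFERENCE_SUFFIXES):
        return False
    return any(frag in k for frag in SENSITIVE_FRAGMENTS)


def find_plaintext_secrets(node: Any, path: str = "") -> List[str]:
    """Return dotted paths of sensitive string properties that are not dynamic references."""
    findings: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str):
                # Only literal strings can leak; {"Ref": ...} and other intrinsics are dicts.
                if is_sensitive_key(key) and not DYNAMIC_REF.match(value):
                    findings.append(child)
            else:
                findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


# Constructed sample template: one RDS instance with a hard-coded password, two that
# resolve it at deploy time, and a Lambda whose environment carries a secret ARN
# (fine) next to a literal API token (not fine).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "BadDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"MasterUsername": "admin", "MasterUserPassword": "Hunter2!"}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance",
               "Properties": {"MasterUsername": "admin",
                              "MasterUserPassword": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf:SecretString:password}}"}},
    "ParamDb": {"Type": "AWS::RDS::DBInstance",
                "Properties": {"MasterUsername": "admin",
                               "MasterUserPassword": "{{resolve:ssm-secure:/prod/db/password:1}}"}},
    "Fn": {"Type": "AWS::Lambda::Function",
           "Properties": {"Environment": {"Variables": {
               "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
               "API_TOKEN": "sk_live_placeholder"}}}}
  }
}
""")


def check_sample() -> List[str]:
    return find_plaintext_secrets(SAMPLE_TEMPLATE)


if __name__ == "__main__":
    # Usage: python check_template.py template.json  (defaults to the embedded sample)
    target = SAMPLE_TEMPLATE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            target = json.load(fh)
    findings = find_plaintext_secrets(target)
    for f in findings:
        print("plaintext secret at", f)
    sys.exit(1 if findings else 0)
```

Wire it into a pre-commit hook alongside git-secrets; the two catch different things (this one flags the property, git-secrets flags the value pattern). YAML templates with `!Ref`/`!Sub` tags need a CloudFormation-aware YAML loader before the same walk applies.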
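The Lambda caching point above works because a Lambda execution environment is reused across invocations, so state created at module import time survives. The snippet below is an added example (not from the original list or from AWS) of a module-level cache with a TTL, so a rotated secret is picked up within a bounded window, plus an `invalidate()` hook for the moment a cached credential is rejected right after rotation. The secret ARN, environment variable name and TTL are assumptions; the fetch function is injectable so the caching behaviour can be exercised without AWS access.

```python
"""Module-level Secrets Manager cache for AWS Lambda (added example, not page code).

Assumptions: the secret value is a JSON object with "username"/"password",
its ARN arrives via the DB_SECRET_ARN environment variable, and a 5 minute
TTL is an acceptable staleness window after rotation.
"""
import json
import os
import time
from typing import Any, Callable, Dict, Optional


def fetch_from_secrets_manager(secret_id: str) -> str:
    """Real fetch: uses the function's IAM role credentials, never stored access keys."""
    import boto3  # imported lazily so the cache logic can run where boto3 is absent

    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


class SecretCache:
    def __init__(
        self,
        secret_id: str,
        fetch: Callable[[str], str] = fetch_from_secrets_manager,
        ttl_seconds: float = 300.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._secret_id = secret_id
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._value: Optional[Dict[str, Any]] = None
        self._expires_at = 0.0
        self.fetch_count = 0  # number of actual API calls made; useful for a test or metric

    def get(self) -> Dict[str, Any]:
        """Return the parsed secret, refetching only when absent or past its TTL."""
        now = self._clock()
        if self._value is None or now >= self._expires_at:
            self._value = json.loads(self._fetch(self._secret_id))
            self._expires_at = now + self._ttl
            self.fetch_count += 1
        return self._value

    def invalidate(self) -> None:
        """Drop the cached value, e.g. after an authentication failure following rotation."""
        self._value = None


# Constructed once per execution environment, OUTSIDE the handler.
# "prod/db" is a placeholder default; set DB_SECRET_ARN in the function configuration.
DB_SECRET = SecretCache(os.environ.get("DB_SECRET_ARN", "prod/db"))


def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    creds = DB_SECRET.get()
    # ... open the database connection with creds["username"] / creds["password"];
    # on an auth error call DB_SECRET.invalidate() and retry once.
    return {"statusCode": 200, "user": creds.get("username"), "fetches": DB_SECRET.fetch_count}
```

With this pattern a warm environment issues one GetSecretValue per TTL instead of one per invocation, which also keeps the CloudTrail signal for that call meaningful rather than drowning it in routine reads.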
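The CloudTrail alerting point above is concrete enough to show as detection logic. The following is an added example (not from the original list or from AWS) that evaluates CloudTrail records for GetSecretValue and PutSecretValue on production secrets: reads by any principal outside an allowlist, writes by anything other than the rotation function, and denied attempts all raise an alert. The account id, region, role names, secret names and the embedded log lines are constructed for the demonstration; the record fields used (`eventSource`, `eventName`, `requestParameters.secretId`, `userIdentity.arn`, `errorCode`) are standard CloudTrail fields.

```python
"""Flag sensitive Secrets Manager calls in CloudTrail records (added example, not page code).

All ARNs, names and log lines below are constructed placeholders.
"""
import json
from typing import Dict, List, Optional

ACCOUNT = "123456789012"
REGION = "us-east-1"
SENSITIVE_ARN_PREFIX = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/"
SENSITIVE_NAME_PREFIX = "prod/"  # callers may pass a name instead of an ARN; cover both
ALLOWED_READERS = {f"arn:aws:sts::{ACCOUNT}:assumed-role/app-lambda-role/app-fn"}
ALLOWED_WRITERS = {f"arn:aws:sts::{ACCOUNT}:assumed-role/rotation-lambda-role/rotate-fn"}
WATCHED_EVENTS = ("GetSecretValue", "PutSecretValue")


def is_sensitive(secret_id: str) -> bool:
    return secret_id.startswith((SENSITIVE_ARN_PREFIX, SENSITIVE_NAME_PREFIX))


def evaluate(record: Dict) -> Optional[Dict]:
    """Return an alert dict for a suspicious record, or None if it is expected traffic."""
    if record.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in WATCHED_EVENTS:
        return None
    secret_id = (record.get("requestParameters") or {}).get("secretId", "")
    if not is_sensitive(secret_id):
        return None
    actor = (record.get("userIdentity") or {}).get("arn", "<unknown>")
    alert = {
        "time": record.get("eventTime"),
        "eventName": name,
        "secretId": secret_id,
        "actor": actor,
        "sourceIP": record.get("sourceIPAddress"),
    }
    # A denied call against a production secret is worth seeing regardless of who made it.
    if record.get("errorCode"):
        return {**alert, "reason": f"denied call ({record['errorCode']})"}
    allowed = ALLOWED_WRITERS if name == "PutSecretValue" else ALLOWED_READERS
    if actor not in allowed:
        return {**alert, "reason": "unexpected principal"}
    return None


def load_records(text: str) -> List[Dict]:
    """Parse one JSON CloudTrail record per line (the shape CloudTrail Lake / SIEM exports use)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(records: List[Dict]) -> List[Dict]:
    return [alert for alert in (evaluate(r) for r in records) if alert]


# Constructed sample: expected app read, contractor read, rotation write, app write,
# denied contractor read of a name-form secret, and an app read of a non-prod secret.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-lambda-role/app-fn"},"sourceIPAddress":"10.0.1.5","requestParameters":{"secretId":"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"},"sourceIPAddress":"203.0.113.7","requestParameters":{"secretId":"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"PutSecretValue","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/rotation-lambda-role/rotate-fn"},"sourceIPAddress":"10.0.2.9","requestParameters":{"secretId":"arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"PutSecretValue","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-lambda-role/app-fn"},"sourceIPAddress":"10.0.1.5","requestParameters":{"secretId":"prod/db"}}
{"eventTime":"2024-05-01T10:04:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"},"sourceIPAddress":"203.0.113.7","requestParameters":{"secretId":"prod/api-key"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-lambda-role/app-fn"},"sourceIPAddress":"10.0.1.5","requestParameters":{"secretId":"arn:aws:secretsmanager:us-east-1:123456789012:secret:dev/db-XyZ123"}}
"""


def sample_alerts() -> List[Dict]:
    return scan(load_records(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(json.dumps(alert))
```

In a live account the same conditions map onto an EventBridge rule matching `eventSource` and `eventName` with the alert logic in a small Lambda, or onto a CloudWatch Logs metric filter on the CloudTrail log group; keeping the allowlists as ARNs of assumed-role sessions rather than IP ranges ties the alert to identity, which is what the resource policy and key policy bullets above also control.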