Introduction
If your infrastructure lives in AWS, managing secrets feels like it should be simple. Amazon built AWS Secrets Manager precisely for this reason: a native, managed service for storing, rotating, and accessing credentials within the AWS ecosystem.
No servers to manage. No open-source complexity. Pay only for what you use.
But is “good enough for AWS” actually good enough for enterprise security? And what happens when your organization grows beyond a single cloud?
In this CyberSecurityO review, we answer those questions with a thorough evaluation of AWS Secrets Manager’s features, pricing, limitations, and where it fits in your secrets management strategy.
Company Overview
Amazon Web Services (AWS) launched Secrets Manager in April 2018, filling a critical gap that previously forced developers to store credentials in environment variables, S3 buckets, or Parameter Store workarounds.
AWS Secrets Manager is a fully managed service within the AWS platform, meaning AWS handles availability, encryption, patching, and scaling. It integrates natively with IAM, RDS, Lambda, ECS, EKS, and virtually every AWS service.
As of 2024, AWS Secrets Manager is one of the most widely used secrets management tools globally, primarily due to AWS’s dominant cloud market share.
What Is AWS Secrets Manager?
AWS Secrets Manager is a cloud-native secrets management service that enables you to:
- Store secrets (API keys, passwords, connection strings, OAuth tokens)
- Rotate secrets automatically for supported services (RDS, Redshift, DocumentDB)
- Retrieve secrets programmatically via API/SDK
- Audit all access via AWS CloudTrail
- Control access using AWS IAM policies
It differs from AWS Systems Manager Parameter Store (a cheaper alternative for non-sensitive configuration) by offering automatic rotation, cross-account access, and a dedicated secrets-first design.
Key Features
1. Automatic Secret Rotation
AWS Secrets Manager can automatically rotate credentials for:
- Amazon RDS (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB)
- Amazon Redshift
- Amazon DocumentDB
- Custom secrets (via Lambda rotation function)
Rotation is scheduled (e.g., every 30 days) and happens without application downtime when implemented correctly.
2. Native AWS Integration
Secrets are retrieved via the AWS SDK (Python, Java, Node.js, Go, .NET, Ruby) or the CLI. Services like Lambda, ECS, EKS, EC2, and CodeBuild have native integration; no sidecar is required.
3. IAM-Based Access Control
Access to secrets is governed by IAM policies and resource-based policies. You can grant cross-account access, restrict to specific VPCs, or require MFA before retrieval.
4. Encryption via AWS KMS
All secrets are encrypted using AWS KMS. You can use AWS-managed keys or bring your own Customer Managed Keys (CMK) for additional control.
5. Versioning & Staging Labels
Secrets maintain multiple versions with staging labels (AWSCURRENT, AWSPREVIOUS, AWSPENDING). This enables zero-downtime rotation: a new value is staged under AWSPENDING while clients keep reading AWSCURRENT, and applications can fall back to AWSPREVIOUS if needed.
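The label hand-off above is what a rotation Lambda drives. As an added example (not AWS's code or the page's), the block below uses a constructed in-memory stand-in for the few Secrets Manager calls rotation needs and walks the create/set/test/finish steps, showing that AWSCURRENT moves only after the new credential has been validated; the method names mirror the real API, but the class and the `rotate` helper are assumptions.

```python
import uuid


class FakeSecretsManager:
    """Constructed in-memory stand-in for the slice of the Secrets Manager API
    that rotation uses. Each version carries staging labels; a label can sit
    on only one version at a time, as in the real service."""

    def __init__(self, initial_value):
        self.versions = {str(uuid.uuid4()): {"value": initial_value,
                                             "stages": {"AWSCURRENT"}}}

    def version_with(self, stage):
        return next((vid for vid, v in self.versions.items()
                     if stage in v["stages"]), None)

    def get_secret_value(self, stage="AWSCURRENT"):
        vid = self.version_with(stage)
        if vid is None:
            raise KeyError(f"no version carries label {stage}")
        return self.versions[vid]["value"]

    def put_secret_value(self, value, stages):
        vid = str(uuid.uuid4())
        self.versions[vid] = {"value": value, "stages": set(stages)}
        return vid

    def update_secret_version_stage(self, stage, move_to=None, remove_from=None):
        if remove_from is not None:
            self.versions[remove_from]["stages"].discard(stage)
        if move_to is not None:
            self.versions[move_to]["stages"].add(stage)


def rotate(sm, new_value, test_fn):
    """Create -> set -> test -> finish. AWSCURRENT keeps pointing at the old
    value until the new one has been validated, so readers never see a
    half-rotated credential; a failed test aborts before any label moves."""
    pending = sm.put_secret_value(new_value, {"AWSPENDING"})   # createSecret/setSecret
    if not test_fn(sm.get_secret_value("AWSPENDING")):          # testSecret
        sm.update_secret_version_stage("AWSPENDING", remove_from=pending)
        raise RuntimeError("new credential failed validation; AWSCURRENT unchanged")
    current = sm.version_with("AWSCURRENT")                      # finishSecret
    sm.update_secret_version_stage("AWSPREVIOUS", move_to=current,
                                   remove_from=sm.version_with("AWSPREVIOUS"))
    sm.update_secret_version_stage("AWSCURRENT", move_to=pending, remove_from=current)
    sm.update_secret_version_stage("AWSPENDING", remove_from=pending)
    return pending
```

In a real Lambda, `test_fn` would open a connection with the pending credential; here any callable works.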
6. Cross-Account Secret Sharing
Organizations can share secrets across AWS accounts using resource-based policies, which is useful for multi-account architectures (AWS Organizations).
7. Secrets Replication
Secrets can be replicated to multiple AWS Regions for disaster recovery and latency optimization.
8. AWS CloudTrail Audit Logging
Every API call (GetSecretValue, RotateSecret, PutSecretValue) is logged in CloudTrail, enabling compliance auditing and threat detection via GuardDuty or third-party SIEMs.
Architecture
```
Application / Lambda / ECS / EKS
        |
        v  (AWS SDK / API)
AWS Secrets Manager
        |
   +----+----+
   |         |
IAM Policy   KMS Encryption
        |
        v
CloudTrail (Audit)
        |
Rotation Lambda (for auto-rotation)
```
Multi-Region:
Primary secret -> replicated to secondary regions -> applications in each region read locally
Use Cases
Serverless Applications (Lambda)
AWS Lambda functions retrieve database credentials directly from Secrets Manager at invocation, with no environment variable exposure. The SDK call adds minimal latency (typically < 10 ms with local caching).
Containerized Workloads (ECS / EKS)
ECS Task Definitions and EKS pods can reference Secrets Manager ARNs directly; AWS injects the secret value as an environment variable at container startup.
RDS Credential Rotation
For RDS databases, Secrets Manager’s built-in rotation rotates the master password or creates a separate rotation user, ensuring credentials change on schedule without manual DBA involvement.
Multi-Account Architectures
In AWS Organizations, a central security account manages all secrets, while application accounts access them cross-account via IAM roles: a clean hub-and-spoke model.
CI/CD Pipelines (CodePipeline / CodeBuild)
CodeBuild build environments can retrieve secrets from Secrets Manager natively. GitHub Actions and other external CI tools can use OIDC federation to authenticate and pull secrets.
Pricing
| Component | Price |
|---|---|
| **Secret storage** | $0.40 per secret per month |
| **API calls** | $0.05 per 10,000 API calls |
| **Cross-region replication** | $0.40 per replica secret per month |
Example cost: 100 secrets with 1 million API calls/month = $45/month, which is very affordable for most use cases.
Free tier: None for Secrets Manager (unlike Parameter Store Standard tier which is free).
> Cost tip: AWS Systems Manager Parameter Store SecureString parameters are free (up to 10,000) and suitable for non-rotating, lower-sensitivity configs.
Pros & Cons
✅ Pros
- Zero infrastructure management: fully managed by AWS
- Native integration with every AWS service
- Automatic rotation for RDS, Redshift, DocumentDB out of the box
- Pay-per-use pricing: very affordable at scale
- IAM integration leverages existing AWS access management
- Secrets replication across regions built in
- CloudTrail audit requires no setup; it is always on
❌ Cons
- AWS-only: no native multi-cloud or on-premises support
- No dynamic secrets: stored values are static, not generated on demand
- No encryption-as-a-service, unlike HashiCorp Vault’s Transit engine
- Custom rotation requires Lambda; setup is non-trivial for non-RDS databases
- No namespaces or multi-tenancy: limited isolation for multi-team environments
- No open-source option: full vendor dependency on AWS
AWS Secrets Manager vs AWS Parameter Store
| Feature | Secrets Manager | Parameter Store (SecureString) |
|---|---|---|
| Cost | $0.40/secret/month | Free (Standard) |
| Auto-rotation | ✅ | ❌ |
| Cross-account access | ✅ | ⚠️ (limited) |
| Versioning | ✅ | ✅ |
| Max secret size | 65,536 bytes | 8,192 bytes |
| Use case | Credentials, tokens | Config + lightweight secrets |
Competitors Comparison
| Feature | AWS Secrets Manager | HashiCorp Vault | Azure Key Vault | Akeyless |
|---|---|---|---|---|
| Cloud-Native | ✅ (AWS) | ✅ (Any) | ✅ (Azure) | ✅ (Any) |
| Dynamic Secrets | ❌ | ✅ | ❌ | ✅ |
| Multi-Cloud | ❌ | ✅ | ❌ | ✅ |
| Auto-Rotation | ✅ (RDS) | ✅ (All) | ✅ (Certs) | ✅ |
| Open Source | ❌ | ✅ | ❌ | ❌ |
| Pricing | Per secret + API | Free (OSS) | Per operation | Per usage |
Best Practices
- Cache secrets locally in your application (e.g., 5-minute TTL) to reduce API costs and latency.
- Use IAM conditions (aws:SourceVpc, aws:RequestedRegion) to restrict secret access to specific network locations.
- Enable rotation immediately for any RDS credential stored in Secrets Manager; don’t wait for a breach to set it up.
- Tag all secrets consistently for cost allocation, ownership tracking, and resource governance.
- Use resource-based policies for cross-account sharing rather than exporting secrets to other accounts.
- Monitor with CloudTrail and EventBridge; alert on unusual GetSecretValue patterns (e.g., unexpected IAM roles, high-frequency calls).
- Never store secrets in Secrets Manager that reference other Secrets Manager secrets; avoid circular dependencies.
- Use CMKs (Customer Managed Keys) for secrets in regulated environments; they provide key rotation control and auditability beyond the default AWS-managed key.
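One way to act on the monitoring advice above, as an added example that is neither the page's nor AWS's code: a detector run over constructed CloudTrail-style records that flags GetSecretValue calls by roles outside a per-secret allow-list and callers whose request rate exceeds a threshold inside a sliding window. The allow-list, threshold, window and the sample records are assumptions; the field names (eventName, eventTime, userIdentity.arn, requestParameters.secretId) are those CloudTrail emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Allow-list (assumed): which IAM role is expected to read each secret.
ALLOWED_ROLES = {"prod/orders/db": {"app-orders-role"}}

def _event(when, name, role, secret):
    """Build a constructed CloudTrail-style record, trimmed to the fields read below."""
    return json.dumps({"eventTime": when, "eventName": name,
                       "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/s1"},
                       "requestParameters": {"secretId": secret}})

# Constructed sample log: one normal read, one read by a role not on the allow-list,
# a burst of six reads in 25 seconds, and an unrelated DescribeSecret call.
SAMPLE_LOG = (
    [_event("2024-05-01T10:00:00Z", "GetSecretValue", "app-orders-role", "prod/orders/db"),
     _event("2024-05-01T10:00:05Z", "GetSecretValue", "ci-deploy-role", "prod/orders/db")]
    + [_event(f"2024-05-01T10:01:{s:02d}Z", "GetSecretValue", "app-orders-role", "prod/orders/db")
       for s in range(0, 30, 5)]
    + [_event("2024-05-01T10:02:00Z", "DescribeSecret", "ci-deploy-role", "prod/orders/db")]
)

def role_name(arn):
    """arn:aws:sts::<acct>:assumed-role/<Role>/<session> -> <Role>; other ARNs returned whole."""
    parts = arn.rsplit(":", 1)[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) > 1 else arn

def detect(lines, allowed=ALLOWED_ROLES, max_calls=5, window=timedelta(minutes=1)):
    """Flag GetSecretValue calls by principals outside the allow-list, and callers
    exceeding max_calls within a sliding window. Assumes time-ordered input."""
    findings, recent, rate_flagged = [], defaultdict(list), set()
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "GetSecretValue":
            continue
        caller = role_name(ev["userIdentity"]["arn"])
        secret = ev["requestParameters"]["secretId"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if caller not in allowed.get(secret, set()):
            findings.append(("unexpected-principal", caller, secret))
        times = recent[caller]
        times.append(ts)
        while ts - times[0] > window:        # evict calls older than the window
            times.pop(0)
        if len(times) > max_calls and caller not in rate_flagged:
            rate_flagged.add(caller)         # report each noisy caller once
            findings.append(("high-frequency", caller, secret))
    return findings
```

The same logic can be wired to an EventBridge rule that forwards Secrets Manager CloudTrail events to a Lambda, with the allow-list derived from tags on each secret.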
FAQs
Q1: Is AWS Secrets Manager free?
No. There is no free tier. You pay $0.40 per secret per month plus $0.05 per 10,000 API calls. For lightweight config needs, AWS Parameter Store Standard tier is free.
Q2: Can AWS Secrets Manager rotate non-RDS credentials?
Yes, but it requires a custom Lambda rotation function. AWS provides templates, but writing and maintaining rotation Lambdas requires development effort.
Q3: How does AWS Secrets Manager compare to HashiCorp Vault?
Secrets Manager is simpler and zero-infrastructure, which makes it great for AWS-native teams. Vault is more flexible, supports dynamic secrets, and works multi-cloud. For AWS-only shops, Secrets Manager is the right default. For multi-cloud or hybrid, Vault wins.
Q4: Can I use AWS Secrets Manager from Azure or GCP?
Technically yes, via the API with IAM credentials. But it creates a cross-cloud dependency and authentication complexity. It’s not recommended for multi-cloud architectures.
Q5: What is the maximum secret size in AWS Secrets Manager?
64 KB (65,536 bytes). This accommodates most credentials, connection strings, and even certificates.
Q6: Does AWS Secrets Manager support fine-grained per-field access control?
No. Access is at the secret level β you either have access to the entire secret or you don’t. For field-level control, structure secrets carefully or use multiple secrets.
Q7: How do I prevent secrets from being accidentally deleted?
Enable deletion protection by setting a recovery window (7 to 30 days). Secrets aren’t deleted immediately; you have that window to recover them.
Conclusion
AWS Secrets Manager is an excellent choice for AWS-native organizations that need zero-infrastructure secrets management with automatic rotation and deep IAM integration. Its pricing is transparent, its reliability is backed by AWS SLAs, and its integration surface covers every major AWS service.
Where it falls short is in multi-cloud scenarios, dynamic secrets, and developer experience compared to newer entrants like Doppler or Infisical. It’s also not a replacement for enterprise-grade solutions like HashiCorp Vault or CyberArk in complex, regulated environments.
The verdict: If you’re running workloads primarily in AWS, start here. Layer on HashiCorp Vault or CyberArk if you need dynamic secrets, multi-cloud governance, or deeper NHI capabilities.
CyberSecurityO Rating: 8.0 / 10 ⭐⭐⭐⭐
Track the latest in IAM, NHI, and cloud identity security through the Identity Pulse newsletter, published weekly on LinkedIn by CyberSecurityO.