AWS Secrets Manager: What It Is and When to Use It

Definition

AWS Secrets Manager is a managed service that stores, retrieves, and rotates sensitive values — database credentials, API keys, OAuth tokens, TLS certificates, and any other string or binary up to 64 KB — and delivers them over HTTPS with IAM authorization. Every secret is encrypted at rest with AWS KMS, versioned, audited through CloudTrail, and can be rotated automatically on a schedule you control via a Lambda function (or a built-in rotation template for Amazon RDS, Aurora, Redshift, and DocumentDB).

Secrets Manager solves the "I have credentials in an env var, how do I rotate them" problem. Applications call GetSecretValue at startup (or each invocation), IAM controls who can read what, and rotation happens in the background. Two things the application side still has to get right: a value read once at startup goes stale after a rotation, so callers need a refresh path (a TTL cache, or a retry that re-reads AWSCURRENT when the target rejects the credential), and only the alternating-users strategy for databases is zero-downtime; the single-user strategy has a brief window in which the password has already been changed on the database but AWSCURRENT still points at the old value.

How It Works

A secret in Secrets Manager is a versioned container. Each version has:

  • A secret string (JSON object of key-value pairs, e.g., {"username":"app","password":"..."}) or a secret binary blob.
  • Staging labels — pointers that indicate which version is current. AWSCURRENT is what callers get by default; AWSPREVIOUS is the prior version (for rollback); AWSPENDING is used during rotation.
  • A version ID, a unique immutable identifier.

When you create a secret, you choose a KMS key (default: the AWS managed key aws/secretsmanager). When you call GetSecretValue, the service authenticates you with IAM, decrypts the value with KMS, and returns it. With a customer managed key the caller also needs kms:Decrypt on that key, so the key policy should grant it only through Secrets Manager (the kms:ViaService condition). Choose the key deliberately: the aws/secretsmanager key cannot be used by principals in other accounts, so a secret that will later be shared cross-account must be encrypted with a customer managed key from the start.

Rotation is the headline feature. When enabled, Secrets Manager rotates on a schedule you set as a rate in hours (no more often than every 4 hours), a rate in days (up to 1,000), or a cron expression. There are two models. Managed rotation, available for credentials that another AWS service owns (RDS, Aurora, Redshift, and DocumentDB master-user passwords), needs no Lambda function at all; the service rotates the secret itself. Customer-managed rotation invokes your Lambda function, structured around a four-step pattern (createSecret, setSecret, testSecret, finishSecret), and every step must be safe to re-run because the service retries a step that fails or times out. For RDS/Aurora/Redshift/DocumentDB, AWS also ships ready-made rotation Lambdas covering both the "single-user" and "alternating-users" patterns.

Integration Patterns

  • Application SDK — the AWS SDK GetSecretValue call with an in-process cache (the AWS Secrets Manager Client Caching library) reduces request cost and latency.
  • Lambda extension — the AWS Parameters and Secrets Lambda Extension runs alongside the function, caches secrets in the execution environment, and serves them over a localhost HTTP endpoint; it cuts per-invocation API calls and latency on warm invocations (a cold start still pays for the first fetch).
  • Kubernetes — the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver mounts secrets into pods as files.
  • ECS — container definitions reference secrets through the secrets/valueFrom fields; the ECS agent injects them as environment variables when the container starts, on both the EC2 and Fargate launch types. Injection happens once per task, so a rotated value reaches the container only after the task is replaced.
  • CloudFormation / CDK / Terraform — first-class resource support, including dynamic references at deploy time.

Key Features and Limits

  • Max secret size — 64 KB per version (plaintext).
  • Versions per secret — 100; versions that carry no staging label are deprecated and eventually removed, and all versions of a secret bill as one secret.
  • Rotation schedule — 4 hours to 1,000 days (configurable in hours, days, or cron expression).
  • Cross-account sharing — attach a resource-based policy to the secret granting the other account's principal secretsmanager:GetSecretValue; the secret must be encrypted with a customer managed KMS key whose key policy also grants that principal kms:Decrypt (the AWS managed key cannot be shared), and the consumer must reference the secret by its full ARN.
  • Cross-Region replication — replicate a secret to one or more Regions for DR; updates to the primary propagate to the read-only replicas automatically, and a replica can be promoted to a standalone secret if the primary Region is lost.
  • Scheduled deletion — a 7–30 day recovery window (default 30 days). During the window, RestoreSecret un-deletes it.
  • Tags — standard tagging for billing allocation and ABAC.
  • Encryption — envelope encryption: each secret value is protected with its own data key, which is in turn encrypted under the chosen KMS key (AES-256). SecretBinary carries binary payloads, base64-encoded over the wire.
  • VPC endpoints — interface endpoints (com.amazonaws.REGION.secretsmanager) keep traffic private, and an aws:SourceVpce condition in the secret's resource policy can require that path.
  • CloudTrail — every API call, including each GetSecretValue read and each rotation step, is logged with the caller's IAM identity, source IP, VPC endpoint (if any) and requestId; the secret value itself never appears in the log.
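Because CloudTrail records the caller, the source and the VPC endpoint but never the secret value, the useful detections are about who read what from where. The following is an added example, not code from the page or from AWS: a detection pass in Python over constructed CloudTrail records (the field names are the real CloudTrail ones; the events, ARNs, endpoint id and allowlists are invented) that flags reads outside the expected interface endpoint, readers missing from a per-secret allowlist, AccessDenied errors, and version or staging-label writes by anything other than the rotation role.

```python
# Added example: detections over constructed CloudTrail records for Secrets Manager.
from typing import Dict, Iterable, List, Set

# Constructed records, trimmed to the fields the detection uses.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2026-04-17T10:00:01Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "requestID": "r1",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123"},
     "requestParameters": {"secretId": "prod/db/app"},
     "vpcEndpointId": "vpce-0123456789abcdef0", "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2026-04-17T10:02:17Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "requestID": "r2",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"secretId": "prod/db/app"},
     "sourceIPAddress": "203.0.113.9"},                       # console read, no VPC endpoint
    {"eventTime": "2026-04-17T10:05:40Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "requestID": "r3",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-bot"},
     "requestParameters": {"secretId": "prod/payments/stripe"},
     "errorCode": "AccessDeniedException", "sourceIPAddress": "198.51.100.4"},
    {"eventTime": "2026-04-17T10:09:03Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "UpdateSecretVersionStage", "requestID": "r4",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"secretId": "prod/db/app", "versionStage": "AWSCURRENT"},
     "sourceIPAddress": "203.0.113.9"},                       # a human moving AWSCURRENT by hand
    {"eventTime": "2026-04-17T10:10:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "UpdateSecretVersionStage", "requestID": "r5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/SecretsManagerRotation-prod-db/rot"},
     "requestParameters": {"secretId": "prod/db/app", "versionStage": "AWSCURRENT"},
     "sourceIPAddress": "10.0.2.7"},                          # the rotation function finishing
]

# Invented allowlists for the example. Readers are listed per secret by role ARN.
ALLOWED_READERS: Dict[str, Set[str]] = {
    "prod/db/app": {"arn:aws:iam::111122223333:role/app-role"},
    "prod/payments/stripe": {"arn:aws:iam::111122223333:role/payments-role"},
}
ROTATION_ROLES: Set[str] = {"arn:aws:iam::111122223333:role/SecretsManagerRotation-prod-db"}
EXPECTED_VPCE = "vpce-0123456789abcdef0"
WRITE_EVENTS = {"PutSecretValue", "UpdateSecret", "UpdateSecretVersionStage"}


def principal_role_arn(identity: Dict) -> str:
    """Normalize an assumed-role session ARN to its IAM role ARN so allowlists
    can be written per role rather than per session name."""
    arn = identity.get("arn", "")
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return arn


def detect(events: Iterable[Dict], allowed_readers: Dict[str, Set[str]] = ALLOWED_READERS,
           expected_vpce: str = EXPECTED_VPCE, rotation_roles: Set[str] = ROTATION_ROLES) -> List[Dict]:
    """Return one finding per suspicious property of each Secrets Manager event."""
    findings: List[Dict] = []
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        principal = principal_role_arn(ev.get("userIdentity", {}))
        secret = (ev.get("requestParameters") or {}).get("secretId", "")

        def flag(kind: str, detail: str) -> None:
            findings.append({"requestID": ev.get("requestID"), "kind": kind,
                             "principal": principal, "secret": secret, "detail": detail})

        if ev.get("errorCode", "").startswith("AccessDenied"):
            flag("access_denied", ev["errorCode"])
        if name == "GetSecretValue":
            if principal not in allowed_readers.get(secret, set()):
                flag("unexpected_reader", "principal not in the allowlist for this secret")
            if ev.get("vpcEndpointId") != expected_vpce:
                flag("outside_vpc_endpoint",
                     f"sourceIPAddress={ev.get('sourceIPAddress')} vpcEndpointId={ev.get('vpcEndpointId')}")
        elif name in WRITE_EVENTS and principal not in rotation_roles:
            flag("out_of_band_write", f"{name} by a principal that is not a rotation function")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["requestID"], f["kind"], f["principal"], f["secret"], f["detail"])
```

Of the five constructed records, r1 and r5 are clean; r2 and r3 each produce several findings (a console read with no endpoint, a denied read by an unlisted user), and r4 is the one worth paging on: a human moving AWSCURRENT outside the rotation function.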

Common Use Cases

  1. Database credentials with rotation — RDS, Aurora, Redshift, or DocumentDB credentials rotated by built-in Lambdas; applications read the latest version at startup.
  2. Third-party API keys — Stripe, Twilio, GitHub, OpenAI tokens rotated manually or via custom Lambda when the provider supports programmatic rotation.
  3. OAuth client secrets — stored once, fetched at startup by all replicas of an app.
  4. TLS private keys — up to 64 KB PEM certificates and keys, retrieved by mTLS-enabled services.
  5. Kubernetes workloads — mount secrets into pods via the Secrets Store CSI Driver without committing them to manifests or Helm charts.
  6. Cross-account secret sharing — a shared-services account hosts rotation logic and grants reader accounts access via resource-based policy + KMS grant.
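Cross-account sharing (use case 6, and the Key Features entry above) needs three policy documents that have to agree: the secret's resource policy, a statement in the customer managed KMS key's policy, and the consumer role's identity policy. The block below is an added example in Python, not from the page or from AWS: it builds the three documents and lints the resource policy for the mistakes that silently widen the share. Account ids, role names, ARNs and Sids are invented; the action names and the kms:ViaService condition key are real.

```python
# Added example: the three policies behind a cross-account secret share, plus a lint.
import json
from typing import Dict, List

READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def secret_resource_policy(consumer_role_arn: str) -> Dict:
    """Attached to the secret with PutResourcePolicy. Resource "*" here means
    'this secret'; the grant names one role in the consumer account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountRead", "Effect": "Allow",
        "Principal": {"AWS": consumer_role_arn},
        "Action": READ_ACTIONS, "Resource": "*"}]}


def kms_key_policy_statement(consumer_account_id: str, region: str) -> Dict:
    """Added to the customer managed key's policy. kms:ViaService limits the
    consumer to decrypting through Secrets Manager in this Region; it cannot
    call kms:Decrypt on arbitrary ciphertext under the key."""
    return {"Sid": "AllowConsumerDecryptViaSecretsManager", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account_id}:root"},
            "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}


def consumer_identity_policy(secret_arn: str, key_arn: str) -> Dict:
    """Attached to the consumer role. The secret is named by full ARN because a
    cross-account read cannot use the friendly name."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}


def _as_list(x) -> List[str]:
    return x if isinstance(x, list) else [x]


def _principals(stmt: Dict) -> List[str]:
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [v for vals in p.values() for v in _as_list(vals)]
    return []


def lint_resource_policy(policy: Dict) -> List[str]:
    """Review a secret resource policy before attaching it; returns findings."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        if "NotPrincipal" in stmt:
            findings.append(f"{sid}: NotPrincipal grants to everyone except the listed principals")
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: Principal * with no Condition makes the secret public "
                            "(PutResourcePolicy rejects this unless BlockPublicPolicy is disabled)")
        for p in principals:
            if p.endswith(":root"):
                findings.append(f"{sid}: {p} delegates to every principal in that account; name a role instead")
        for action in _as_list(stmt.get("Action", [])):
            if action not in READ_ACTIONS:
                findings.append(f"{sid}: {action} goes beyond read-only sharing")
    return findings


if __name__ == "__main__":
    policy = secret_resource_policy("arn:aws:iam::444455556666:role/reporting-reader")
    print(json.dumps(policy, indent=2))
    print("lint:", lint_resource_policy(policy) or "clean")
```

The lint treats an account root principal as a finding on the secret's own policy (it hands the decision to the other account's IAM), while the key policy statement does use root on purpose: the key policy admits the account and the consumer's identity policy plus kms:ViaService narrow it from there.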

Pricing Model

Secrets Manager charges two dimensions:

  1. $0.40 per secret per month, prorated hourly. Replicated secrets are billed as separate secrets in each Region.
  2. $0.05 per 10,000 API calls (GetSecretValue, DescribeSecret, etc.).

A 30-day free trial is offered per new secret (not a recurring Free Tier). Rotation Lambdas follow standard Lambda pricing. KMS requests count against the regular KMS tier (20,000 free per month; $0.03 per 10,000 thereafter).

Cost optimization: cache the secret in-process (or via the Lambda extension) to collapse thousands of per-invocation GetSecretValue calls into one per container lifetime. For parameters that don't require rotation or rich versioning, AWS Systems Manager Parameter Store offers free standard parameters and may be cheaper.
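The caching advice (the Application SDK bullet under Integration Patterns, and the cost note here) has a failure mode the pricing math hides: a cached credential is exactly the thing a rotation invalidates. The following is an added example, not the page's code and not AWS's Secrets Manager Client Caching library: a minimal in-process TTL cache in Python plus the refresh-on-rejection retry that lets an application survive a rotation without waiting out the TTL. FakeSecretsManager and FakeDatabase are constructed stand-ins for boto3's get_secret_value and a database driver.

```python
# Added example: TTL cache for a secret, with refresh when the target rejects the credential.
import json
import threading
import time
from typing import Callable, Dict, Optional


class CachedSecret:
    """Caches one secret's parsed JSON value for ttl_seconds. It refreshes on
    TTL expiry (so a new AWSCURRENT is eventually picked up) or on invalidate(),
    which the caller triggers when the target rejects the credential."""

    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._lock = threading.Lock()
        self._value: Optional[Dict[str, str]] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self) -> Dict[str, str]:
        with self._lock:                       # one refresh even under concurrent callers
            now = self._clock()
            if self._value is None or now >= self._expires_at:
                self._value = json.loads(self._fetch())
                self._expires_at = now + self._ttl
                self.fetch_count += 1
            return dict(self._value)           # copy: callers must not mutate the cache

    def invalidate(self) -> None:
        with self._lock:
            self._expires_at = 0.0


class FakeSecretsManager:
    """Constructed stand-in: holds the AWSCURRENT secret string, counts calls."""

    def __init__(self, password: str):
        self.calls = 0
        self.rotate(password)

    def rotate(self, new_password: str) -> None:
        self.current = json.dumps({"username": "app", "password": new_password})

    def get_secret_value(self) -> str:
        self.calls += 1
        return self.current


class FakeDatabase:
    """Constructed stand-in that accepts exactly one live password."""

    def __init__(self, password: str):
        self.password = password

    def connect(self, username: str, password: str) -> str:
        if password != self.password:
            raise PermissionError("authentication failed")
        return f"session for {username}"


def connect_with_refresh(cache: CachedSecret, db: FakeDatabase) -> str:
    """Use the cached credential; if the target rejects it, refetch once and
    retry. Exactly one refetch: a second rejection means the secret itself is
    wrong, and looping would hammer both the API and the database."""
    creds = cache.get()
    try:
        return db.connect(creds["username"], creds["password"])
    except PermissionError:
        cache.invalidate()
        creds = cache.get()
        return db.connect(creds["username"], creds["password"])


def simulate(requests_before_rotation: int = 1000) -> Dict[str, object]:
    """Many requests, then a rotation that invalidates the old password at once
    (the single-user strategy's worst case), then one more request."""
    sm, db = FakeSecretsManager("pw-1"), FakeDatabase("pw-1")
    cache = CachedSecret(sm.get_secret_value, ttl_seconds=300)
    for _ in range(requests_before_rotation):
        connect_with_refresh(cache, db)
    sm.rotate("pw-2")
    db.password = "pw-2"
    session = connect_with_refresh(cache, db)
    return {"api_calls": sm.calls, "session": session}


if __name__ == "__main__":
    print(simulate())   # {'api_calls': 2, 'session': 'session for app'}
```

A thousand requests cost one GetSecretValue call, and the rotation costs one more: the first rejected connection invalidates the cache and the retry reads the new AWSCURRENT. Without the invalidate path the application would fail every request until the TTL expired.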

Pros and Cons

Pros

  • Turnkey rotation for RDS/Aurora/Redshift/DocumentDB with AWS-maintained Lambda templates.
  • Tight IAM + KMS integration; resource-based policies simplify cross-account sharing.
  • Cross-Region replication for DR built in.
  • First-class ECS, EKS (CSI), and Lambda (extension) integrations.

Cons

  • $0.40/secret-month adds up at thousands of secrets — compare to SSM Parameter Store (free standard) or HashiCorp Vault self-hosted.
  • Rotation Lambdas for non-AWS systems require careful 4-step design; bugs can lock you out of the target system.
  • 64 KB size cap is generous for credentials but too small for large binary payloads (certificate bundles, full PEM chains may need splitting).
  • KMS request and rotation Lambda costs are separate line items that can surprise.

Comparison with Alternatives

| Feature | AWS Secrets Manager | SSM Parameter Store (SecureString) | HashiCorp Vault |
| --- | --- | --- | --- |
| Rotation | Built-in + Lambda | Manual only | Dynamic secrets engines |
| Cross-Region replication | Managed | Manual | Enterprise feature |
| Max size | 64 KB | 4 KB (standard) / 8 KB (advanced) | Much larger (bounded by Vault's request size limit) |
| Cost | $0.40 / secret-month + API | Free (standard) / $0.05 per advanced param-month | Self-hosted infra + license (enterprise) |
| Best for | Rotating DB credentials and API keys | Config values and small secrets without rotation | Self-hosted, multi-cloud secret mgmt |

Exam Relevance

Secrets Manager appears on:

  • Solutions Architect Associate (SAA-C03) — choosing Secrets Manager vs SSM Parameter Store; RDS integration patterns; cross-Region replication for DR.
  • Developer Associate (DVA-C02) — GetSecretValue usage, caching with the Lambda extension, referencing secrets in ECS task definitions and CloudFormation dynamic references.
  • Security Specialty (SCS-C02) — rotation design, resource-based policies, cross-account sharing, encryption context, CloudTrail auditing of secret access.
  • Database Specialty (DBS-C01, retired in 2024) — RDS/Aurora rotation models (single-user vs alternating-users).

Classic exam trap: questions that weigh cost against features. If a question emphasizes automatic rotation or RDS credentials, pick Secrets Manager. If it emphasizes free, simple config, or no rotation needed, pick SSM Parameter Store (standard tier). Candidates often miss that SSM Parameter Store can reference a Secrets Manager secret via the /aws/reference/secretsmanager/ path, so one GetParameter code path can serve both services; the caller still needs secretsmanager:GetSecretValue on the secret, and the read is still a Secrets Manager API call.

Frequently Asked Questions

Q: When should I use AWS Secrets Manager vs SSM Parameter Store?

A: Use Secrets Manager when you need automatic rotation (especially for RDS/Aurora/Redshift/DocumentDB), cross-Region replication, fine-grained resource-based policies, or secrets larger than 8 KB (the advanced-parameter ceiling). Use SSM Parameter Store for configuration values, small secrets without rotation, and tight cost budgets — standard parameters are free and advanced parameters are $0.05/month. Many teams mix both: Parameter Store for feature flags and config, Secrets Manager for DB credentials and rotating API keys.

Q: How does automatic rotation actually work in Secrets Manager?

A: Rotation invokes a Lambda function on a schedule that follows a four-step pattern: createSecret (generate a new credential and store it as the AWSPENDING version), setSecret (apply the new credential to the target system), testSecret (verify the new credential works), and finishSecret (move the AWSCURRENT label from the old version to the new). Secrets Manager retries a step that fails, so each step must be safe to re-run, and a testSecret failure must leave AWSCURRENT untouched. For supported databases, AWS provides ready-made rotation Lambdas — you pick single-user (one user's password is changed in place, so there is a brief window in which callers holding the old password are refused) or alternating-users (two database users take turns, so the credential labeled AWSCURRENT keeps working until the label moves). For custom systems you implement the four steps yourself.

Q: How much does Secrets Manager cost?

A: $0.40 per secret per month (prorated hourly) plus $0.05 per 10,000 API calls. A 30-day free trial applies to each new secret. Replicated secrets are billed as separate secrets in each target Region. Rotation Lambda invocations are billed at standard Lambda pricing, and KMS decrypt calls count toward the usual KMS tier (20,000 free per month, $0.03 per 10,000 thereafter). Cache secrets in-process or via the Lambda extension to minimize API costs at high request rates.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS Secrets Manager documentation before making production decisions.

Published: 4/17/2026 / Updated: 4/17/2026
