How Amazon Secrets Manager uses Amazon KMS

Amazon Secrets Manager is an Amazon service that encrypts and stores your secrets, and transparently decrypts and returns them to you in plaintext. It's designed especially to store application secrets, such as login credentials, that change periodically and should not be hard-coded or stored in plaintext in the application. In place of hard-coded credentials or table lookups, your application calls Secrets Manager.

Secrets Manager also supports features that periodically rotate the secrets associated with commonly used databases. It always encrypts newly rotated secrets before they are stored.

Secrets Manager integrates with Amazon Key Management Service (Amazon KMS) to encrypt every version of every secret value with a unique data key that is protected by an Amazon KMS key. This integration protects your secrets under encryption keys that never leave Amazon KMS unencrypted. It also enables you to set custom permissions on the KMS key and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.

For information about how Secrets Manager uses KMS keys to protect your secrets, see Encrypting and decrypting secrets in the Amazon Secrets Manager User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Amazon Relational Database Service (Amazon RDS)

Amazon Simple Email Service (Amazon SES)