How Amazon Secrets Manager uses Amazon KMS - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Amazon Secrets Manager uses Amazon KMS

Amazon Secrets Manager is an Amazon service that encrypts and stores your secrets, and transparently decrypts and returns them to you in plaintext. It's designed especially to store application secrets, such as login credentials, that change periodically and should not be hard-coded or stored in plaintext in the application. In place of hard-coded credentials or table lookups, your application calls Secrets Manager.

Secrets Manager also supports features that periodically rotate the secrets associated with commonly used databases. It always encrypts newly rotated secrets before they are stored.

Secrets Manager integrates with Amazon Key Management Service (Amazon KMS) to encrypt every version of every secret value with a unique data key that is protected by an Amazon KMS key. This integration protects your secrets under encryption keys that never leave Amazon KMS unencrypted. It also enables you to set custom permissions on the KMS key and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets.

For information about how Secrets Manager uses KMS keys to protect your secrets, see Encrypting and decrypting secrets in the Amazon Secrets Manager User Guide.