

# Infrastructure security in Amazon Secrets Manager
<a name="infrastructure-security"></a>

As a managed service, Amazon Secrets Manager is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see [Amazon Cloud Security](https://www.amazonaws.cn/security/). To design your Amazon environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.amazonaws.cn/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar Amazon Well‐Architected Framework*.

Access to Secrets Manager via the network is through [Amazon published APIs using TLS](asm_access.md#endpoints). Secrets Manager APIs are callable from any network location. However, Secrets Manager supports [resource-based access policies](auth-and-access_resource-policies.md), which can include restrictions based on the source IP address. You can also use Secrets Manager resource policies to control access to secrets from [specific virtual private cloud (VPC) endpoints](auth-and-access_resource-policies.md#auth-and-access_examples_vpc), or specific VPCs. Effectively, this restricts network access to a given secret to only the specific VPC within the Amazon network. For more information, see [Using an Amazon Secrets Manager VPC endpoint](vpc-endpoint-overview.md).
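
The VPC endpoint restriction described above, as an added example that is not part of the original documentation: the script builds a resource policy that denies `secretsmanager:GetSecretValue` unless the request arrives through one VPC endpoint, then checks constructed request contexts against it. The endpoint IDs are constructed placeholders, and `deny_matches` is a simplified model of a single `StringNotEquals` Deny statement, not the IAM policy evaluator.

```python
import json

# Constructed placeholder: substitute the ID of your own Secrets Manager VPC endpoint.
ALLOWED_VPCE = "vpce-0123456789abcdef0"
GET = "secretsmanager:GetSecretValue"

def build_policy(vpce_id):
    """Resource policy that denies GetSecretValue unless the call arrives via vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": GET,
            "Resource": "*",  # in a secret's resource policy this means the secret itself
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }

def deny_matches(statement, action, context):
    """Simplified model of one Deny statement, not the full IAM evaluator.

    Only StringNotEquals is handled. A negated operator is true when the key is
    missing from the request, so calls to the public endpoint are denied too.
    """
    if statement["Effect"] != "Deny" or statement["Action"] != action:
        return False
    ctx = {k.lower(): v for k, v in context.items()}  # condition keys ignore case
    for key, wanted in statement["Condition"]["StringNotEquals"].items():
        allowed = [wanted] if isinstance(wanted, str) else wanted
        if ctx.get(key.lower()) in allowed:
            return False  # key present and equal: the Deny does not apply
    return True

def is_denied(policy, action, context):
    """True if any Deny statement matches. False is not an Allow: IAM must still grant it."""
    return any(deny_matches(s, action, context) for s in policy["Statement"])

POLICY = build_policy(ALLOWED_VPCE)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # document to attach to the secret
    cases = {  # constructed request contexts
        "public endpoint": {},
        "allowed endpoint": {"aws:sourceVpce": ALLOWED_VPCE},
        "other endpoint": {"aws:sourceVpce": "vpce-0fedcba9876543210"},
    }
    for name, ctx in cases.items():
        print(f"{name}: {'DENY' if is_denied(POLICY, GET, ctx) else 'not denied'}")
```

The printed JSON can be attached to a secret with `aws secretsmanager put-resource-policy`. Because the statement uses `"Principal": "*"`, it applies to every caller, including administrators and rotation functions that do not reach Secrets Manager through that endpoint.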