Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policy for Amazon Secrets Manager

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: SecretsManagerReadWrite

This policy provides read/write access to Amazon Secrets Manager, including permission to describe Amazon RDS, Amazon Redshift, and Amazon DocumentDB resources, and permission to use Amazon KMS to encrypt and decrypt secrets. This policy also provides permission to create Amazon CloudFormation change sets, get rotation templates from an Amazon S3 bucket that is managed by Amazon, list Amazon Lambda functions, and describe Amazon EC2 VPCs. These permissions are required by the console to set up rotation with existing rotation functions.

To create new rotation functions, you must also have permission to create Amazon CloudFormation stacks and Amazon Lambda execution roles. You can assign the IAMFullAccess managed policy. See Permissions for rotation.

Permissions details

This policy includes the following permissions.

  • secretsmanager – Allows principals to perform all Secrets Manager actions.

  • cloudformation – Allows principals to create Amazon CloudFormation stacks. This is required so that principals using the console to turn on rotation can create Lambda rotation functions through Amazon CloudFormation stacks. For more information, see How Secrets Manager uses Amazon CloudFormation.

  • ec2 – Allows principals to describe Amazon EC2 VPCs. This is required so that principals using the console can create rotation functions in the same VPC as the database of the credentials they are storing in a secret.

  • kms – Allows principals to use Amazon KMS keys for cryptographic operations. This is required so that Secrets Manager can encrypt and decrypt secrets. For more information, see Secret encryption and decryption in Amazon Secrets Manager.

  • lambda – Allows principals to list Lambda rotation functions. This is required so that principals using the console can choose existing rotation functions.

  • rds – Allows principals to describe clusters and instances in Amazon RDS. This is required so that principals using the console can choose Amazon RDS clusters or instances.

  • redshift – Allows principals to describe clusters in Amazon Redshift. This is required so that principals using the console can choose Amazon Redshift clusters.

  • redshift-serverless – Allows principals to describe namespaces in Amazon Redshift Serverless. This is required so that principals using the console can choose Amazon Redshift Serverless namespaces.

  • docdb-elastic – Allows principals to describe elastic clusters in Amazon DocumentDB. This is required so that principals using the console can choose Amazon DocumentDB elastic clusters.

  • tag – Allows principals to get all resources in the account that are tagged.

  • serverlessrepo – Allows principals to create Amazon CloudFormation change sets. This is required so that principals using the console can create Lambda rotation functions. For more information, see How Secrets Manager uses Amazon CloudFormation.

  • s3 – Allows principals to get objects from an Amazon S3 bucket that is managed by Amazon. This bucket contains the Lambda rotation function templates. This permission is required so that principals using the console can create Lambda rotation functions based on the templates in the bucket. For more information, see How Secrets Manager uses Amazon CloudFormation.

To view the policy, see SecretsManagerReadWrite JSON policy document.
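The recommendation above to narrow permissions with a customer managed policy, and the list of services this policy reaches, suggest two practical follow-ups: write a policy scoped to what a workload actually needs, and check any policy document for broad grants (service-wide actions, Resource "*", KMS access without a condition) before attaching it. The script below is an added example and is not code from the Secrets Manager documentation or from Amazon; the account ID, Region, secret and key ARNs, the kms:ViaService endpoint string, and the sample broad policy are constructed placeholders, and the sample broad policy is a stand-in modelled on the description above, not the real SecretsManagerReadWrite document.

```python
"""Added example: build a scoped-down customer managed policy for a workload
that only reads one secret, and audit policy documents for broad grants.
All identifiers below are constructed placeholders."""
import json

# Constructed placeholders (assumption: an account in a China Region, so the
# partition is aws-cn and the Secrets Manager endpoint ends in amazonaws.com.cn).
ACCOUNT_ID = "123456789012"
REGION = "cn-north-1"
SECRET_ARN = f"arn:aws-cn:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:prod/db-creds-AbCdEf"
KMS_KEY_ARN = f"arn:aws-cn:kms:{REGION}:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"
SECRETS_MANAGER_ENDPOINT = f"secretsmanager.{REGION}.amazonaws.com.cn"  # assumption


def read_one_secret_policy(secret_arn: str, kms_key_arn: str) -> dict:
    """Least-privilege alternative to a read/write grant: read a single secret and
    decrypt with its KMS key only when the call arrives via Secrets Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": secret_arn,
            },
            {
                "Sid": "DecryptViaSecretsManager",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": kms_key_arn,
                "Condition": {"StringEquals": {"kms:ViaService": SECRETS_MANAGER_ENDPOINT}},
            },
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_grants(policy: dict) -> list:
    """Return (Sid, finding) pairs for Allow statements that grant every action of a
    service, apply to every resource, or grant KMS without a kms:ViaService condition.
    This is a heuristic pre-attachment check, not a full policy evaluator."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"service-wide action {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, 'Resource "*"'))
        condition = stmt.get("Condition", {})
        has_via_service = any(
            "kms:ViaService" in block for block in condition.values() if isinstance(block, dict)
        )
        if any(a.startswith("kms:") for a in actions) and not has_via_service:
            findings.append((sid, "kms action without a kms:ViaService condition"))
    return findings


# Constructed stand-in for a console-style read/write grant (all Secrets Manager
# actions on all resources, KMS on any key); NOT the real SecretsManagerReadWrite JSON.
CONSOLE_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllSecretsManager", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
        {"Sid": "KmsAnyKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    scoped = read_one_secret_policy(SECRET_ARN, KMS_KEY_ARN)
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", broad_grants(scoped))
    for sid, finding in broad_grants(CONSOLE_STYLE_POLICY):
        print(f"{sid}: {finding}")
```

The audit flags the constructed broad policy four times (service-wide secretsmanager action, two Resource "*" grants, and KMS without a ViaService condition) and passes the scoped policy cleanly; the kms:ViaService condition is what keeps the key from being usable for direct KMS calls outside Secrets Manager.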

Secrets Manager updates to Amazon managed policies

View details about updates to Amazon managed policies for Secrets Manager.

Change: SecretsManagerReadWrite – Update to an existing policy
Description: This policy was updated to allow describe access to Amazon Redshift Serverless so that console users can choose an Amazon Redshift Serverless namespace when they create an Amazon Redshift secret.
Date: March 12, 2024

Change: SecretsManagerReadWrite – Update to an existing policy
Description: This policy was updated to allow describe access to Amazon DocumentDB elastic clusters so that console users can choose an elastic cluster when they create an Amazon DocumentDB secret.
Date: September 12, 2023

Change: SecretsManagerReadWrite – Update to an existing policy
Description: This policy was updated to allow describe access to Amazon Redshift so that console users can choose an Amazon Redshift cluster when they create an Amazon Redshift secret. The update also added new permissions to allow read access to an Amazon S3 bucket managed by Amazon that stores the Lambda rotation function templates.
Date: June 24, 2020

Change: SecretsManagerReadWrite – Update to an existing policy
Description: This policy was updated to allow describe access to Amazon RDS clusters so that console users can choose a cluster when they create an Amazon RDS secret.
Date: May 3, 2018

Change: SecretsManagerReadWrite – New policy
Description: Secrets Manager created a policy to grant the permissions needed for using the console with all read/write access to Secrets Manager.
Date: April 04, 2018

Change: Secrets Manager started tracking changes
Description: Secrets Manager started tracking changes for its Amazon managed policies.
Date: April 04, 2018