Secrets Manager security best practices

Follow these practices when deploying Secrets Manager for production workloads.

Least privilege

Grant getSecretValue only to principals that need runtime access. Use secrets-read-access for auditors who only need metadata and version history.

Bind IAM policies to specific paths rather than granting access to all secrets in scope. See Access control.

Adopt path conventions early

Use a consistent hierarchy such as /app/{env}/{service}/{name}. Paths are immutable identities — you cannot rename a secret without deleting and recreating it.

Consistent paths make IAM policies, browse navigation, and operational runbooks easier to maintain.
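As an added illustration of the two points above (this is example code, not part of the page or the platform's client): a validator that enforces the /app/{env}/{service}/{name} convention before a path is created, and a check that shows how a prefix-scoped IAM binding behaves. The set of allowed environment names is an assumption for the example.

```python
import re
from typing import List, NamedTuple

# Constructed convention following the hierarchy above: /app/{env}/{service}/{name}.
# The allowed environment names are an assumption for the example.
ALLOWED_ENVS = {"dev", "staging", "prod"}
_SEGMENT = r"[a-z0-9][a-z0-9-]*"
_PATH_RE = re.compile(rf"^/app/(?P<env>{_SEGMENT})/(?P<service>{_SEGMENT})/(?P<name>{_SEGMENT})$")


class SecretPath(NamedTuple):
    env: str
    service: str
    name: str


def parse_secret_path(path: str) -> SecretPath:
    """Validate a path against the convention before it is created; paths cannot be renamed later."""
    m = _PATH_RE.match(path)
    if m is None:
        raise ValueError(f"{path!r} does not follow /app/{{env}}/{{service}}/{{name}}")
    env = m.group("env")
    if env not in ALLOWED_ENVS:
        raise ValueError(f"{path!r} uses unknown environment {env!r}")
    return SecretPath(env, m.group("service"), m.group("name"))


def is_valid_secret_path(path: str) -> bool:
    try:
        parse_secret_path(path)
        return True
    except ValueError:
        return False


def policy_prefix(env: str, service: str) -> str:
    """The narrowest prefix to bind in an IAM policy for one service in one environment.
    The trailing slash matters: without it '/app/prod/api' also covers '/app/prod/api-legacy/...'."""
    return f"/app/{env}/{service}/"


def path_in_scope(path: str, prefix: str) -> bool:
    """True if a well-formed path falls under a segment-aligned policy prefix."""
    if not is_valid_secret_path(path):
        return False                     # never authorise a path that breaks the convention
    if not prefix.endswith("/"):
        prefix += "/"
    return path.startswith(prefix)


def grantable(paths: List[str], prefix: str) -> List[str]:
    """Which of these paths a prefix-scoped policy would grant (review this list before binding)."""
    return [p for p in paths if path_in_scope(p, prefix)]
```

Run grantable() over your inventory before binding a policy: the segment-aligned prefix is what keeps a grant for /app/prod/api/ from silently covering a sibling service whose name merely starts with the same letters.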

Rotate via versions

Add new versions with putSecretValue rather than delete-and-recreate. This preserves version and audit history and avoids the outage window in which a deleted path does not yet exist again, during which consumers fail or race with the recreate.

After rotation:

  1. Confirm all consumers use the new version
  2. Destroy superseded versions to limit exposure and stop version storage billing

Destroy old versions

After a successful rotation, destroy versions that are no longer needed. Destroyed versions cannot be read but remain in history for audit purposes.
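The rotation procedure above (new version, confirm consumers, destroy superseded versions) as an added example. This is not the platform's client: FakeSecretStore is a constructed in-memory stand-in for the versioned API, and consumers_confirmed is an assumed hook that the caller implements (for example a health probe against every consumer).

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class _Version:
    value: Optional[bytes]      # None once destroyed
    destroyed: bool = False


@dataclass
class FakeSecretStore:
    """Constructed in-memory stand-in for the versioned secret API (an assumption, not the real client).

    Versions are numbered from 1 and numbers are never reused; destroying a version makes
    it unreadable but keeps its entry so version history survives for audit."""
    versions: Dict[str, List[_Version]] = field(default_factory=dict)

    def put_secret_value(self, path: str, value: bytes) -> int:
        vs = self.versions.setdefault(path, [])
        vs.append(_Version(value))
        return len(vs)

    def get_secret_value(self, path: str, version: Optional[int] = None) -> bytes:
        vs = self.versions[path]
        v = vs[-1] if version is None else vs[version - 1]
        if v.destroyed:
            raise PermissionError(f"{path} v{version} has been destroyed")
        return v.value

    def destroy_version(self, path: str, version: int) -> None:
        v = self.versions[path][version - 1]
        v.value, v.destroyed = None, True     # entry stays; value is gone

    def list_versions(self, path: str) -> List[Tuple[int, bool]]:
        return [(n + 1, v.destroyed) for n, v in enumerate(self.versions[path])]


def is_readable(store: FakeSecretStore, path: str, version: int) -> bool:
    try:
        store.get_secret_value(path, version)
        return True
    except PermissionError:
        return False


def rotate_secret(store: FakeSecretStore, path: str,
                  consumers_confirmed: Callable[[str, int], bool]) -> dict:
    """Rotate in place: add a version, then destroy superseded versions once consumers confirm.

    consumers_confirmed(path, new_version) is the caller's check (assumed hook) that the
    new version is in use everywhere."""
    new_value = secrets.token_urlsafe(32).encode()      # stand-in for generateSecret
    new_version = store.put_secret_value(path, new_value)
    if not consumers_confirmed(path, new_version):
        # Old versions stay readable so consumers still on them keep working;
        # re-run the destroy step once the rollout completes.
        return {"new_version": new_version, "destroyed": []}
    destroyed = []
    for ver, already in store.list_versions(path):
        if ver != new_version and not already:
            store.destroy_version(path, ver)
            destroyed.append(ver)
    return {"new_version": new_version, "destroyed": destroyed}
```

The ordering is the point: the destroy step runs only after the confirmation hook returns true, so a half-finished rollout leaves the previous version readable instead of breaking consumers that have not picked up the new one.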

Use access policies

Apply IP restrictions for secrets accessed only from known networks (for example, VPC CIDR ranges). Use time windows for human-operated break-glass secrets accessed during business hours.

Access policies complement IAM — they do not replace it. See Access policies.
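An added example of the two restriction types above and of the "complement, not replace" rule. The platform's own policy syntax is not shown on this page, so AccessPolicy is a generic, constructed model; the CIDR ranges, time window and timestamps are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import List, Optional, Tuple


@dataclass
class AccessPolicy:
    """Generic model of an IP restriction plus a time window (assumption: not the platform's syntax)."""
    allowed_cidrs: List[str] = field(default_factory=list)   # empty list = no IP restriction
    window_start: Optional[time] = None                      # UTC; None = no time restriction
    window_end: Optional[time] = None
    window_weekdays: frozenset = frozenset(range(5))         # Monday..Friday


def evaluate_policy(policy: AccessPolicy, source_ip: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny on any parse failure; never fail open."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware to evaluate a time window")
    if policy.allowed_cidrs:
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, f"unparseable source ip {source_ip!r}"
        # `ip in network` is simply False (not an error) when the address families differ
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in policy.allowed_cidrs):
            return False, f"{source_ip} outside allowed ranges"
    if policy.window_start is not None and policy.window_end is not None:
        utc = now.astimezone(timezone.utc)
        if utc.weekday() not in policy.window_weekdays:
            return False, "outside allowed weekdays"
        if not (policy.window_start <= utc.time() < policy.window_end):
            return False, "outside allowed time window"
    return True, "allowed"


def authorize(iam_allowed: bool, policy: AccessPolicy, source_ip: str, now: datetime) -> Tuple[bool, str]:
    """Access policies complement IAM: both must allow, and a policy never grants what IAM denies."""
    if not iam_allowed:
        return False, "denied by IAM"
    return evaluate_policy(policy, source_ip, now)


def utc_at(iso: str) -> datetime:
    """Parse a zone-less ISO-8601 timestamp as UTC (helper for the examples below)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed policies: a VPC-only service secret and a business-hours break-glass secret.
VPC_ONLY = AccessPolicy(allowed_cidrs=["10.0.0.0/16", "10.1.0.0/24"])
BREAK_GLASS = AccessPolicy(allowed_cidrs=["203.0.113.0/24"],          # office egress (RFC 5737 example range)
                           window_start=time(8, 0), window_end=time(18, 0))
```

Two details worth copying into a real evaluator: the window is evaluated in UTC after converting the caller's clock, so a policy written as 08:00 to 18:00 means the same thing on every host, and every failure to parse an address or a timestamp is a deny.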

Maintain KMS key hygiene

Do not disable or delete KMS keys that are still bound to active secrets. Before decommissioning a KMS key, identify and migrate all bound secrets.

Monitor for secrets where the bound KMS key is not active.

Never log values

Applications, CI pipelines, and consoles must not persist or log getSecretValue responses. This includes error messages, debug output, and crash dumps that echo request or response bodies. Treat revealed values as ephemeral.

Audit logs record operations and metadata but never secret values.
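An added example (not from the page or the platform) of making the rule above hard to break in application code: a wrapper whose every implicit string conversion is redacted and which refuses to be pickled, plus a logging filter that scrubs a value if it is unwrapped by mistake. The sample value is constructed.

```python
import io
import logging
import pickle
from typing import List


class SecretValue:
    """Wraps a revealed value so that every implicit conversion is redacted.

    reveal() is the only way to read the bytes; repr/str/format return a placeholder
    and pickling/copying is refused so the value cannot be persisted by accident."""
    __slots__ = ("_value",)

    def __init__(self, value: bytes):
        self._value = value

    def reveal(self) -> bytes:
        return self._value

    def __repr__(self) -> str:
        return "SecretValue(<redacted>)"

    def __str__(self) -> str:
        return "<redacted>"

    def __format__(self, spec: str) -> str:
        return "<redacted>"

    def __reduce__(self):
        raise TypeError("SecretValue cannot be pickled or copied")


class SecretScrubFilter(logging.Filter):
    """Second line of defence: rewrite any registered value that still reaches a log record.

    Caveat: the filter itself holds the plaintext; register only what the process already
    has in memory, and keep the filter out of long-lived global state."""
    def __init__(self) -> None:
        super().__init__()
        self._plain: List[str] = []

    def register(self, value: bytes) -> None:
        self._plain.append(value.decode("utf-8", "replace"))

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()            # apply %-args now, then scrub the result
        for s in self._plain:
            if s and s in msg:
                msg = msg.replace(s, "<redacted>")
        record.msg, record.args = msg, ()
        return True


def is_persistable(secret: SecretValue) -> bool:
    """True if pickle would serialise the wrapper (it must not)."""
    try:
        pickle.dumps(secret)
        return True
    except TypeError:
        return False


def demo_log_lines() -> str:
    """Log a wrapped value and a mistakenly unwrapped one through a scrubbed logger;
    return everything the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("secrets-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    scrub = SecretScrubFilter()
    handler.addFilter(scrub)
    logger.addHandler(handler)

    raw = b"hunter2-example-token"          # constructed sample value, not a real secret
    secret = SecretValue(raw)
    scrub.register(raw)
    logger.info("fetched %s for /app/prod/api/db-password", secret)   # safe by construction
    logger.info("connecting with password=%s", raw.decode())          # the mistake the filter catches
    handler.flush()
    return buf.getvalue()
```

The wrapper is the primary control; the filter only catches values you told it about, so treat it as a safety net for known values rather than a substitute for keeping secrets out of log statements.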

Prefer platform generation

For passwords and tokens, use generateSecret rather than accepting user-typed secrets in a browser. The platform generates cryptographically random bytes.

Decode base64 in applications

All values are base64-encoded in API requests and responses. Application code must decode the value before use (and encode it before putSecretValue); a value used without decoding looks plausible but fails at the point of use. Document this requirement for your development teams.

Cache carefully

Cache revealed secrets in application memory where appropriate to reduce get-value API calls, but keep the cache TTL well under the rotation interval (so a cached value expires before its superseded version is destroyed) and provide an invalidation hook that incident response can trigger immediately.
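An added example covering both the base64 rule and the caching guidance above (not the page's or the platform's code): a per-path cache that decodes strictly, expires on a TTL bounded by the rotation interval, and can be purged on demand. fetch_b64 is an assumed hook standing in for the caller's get-value call; the clock is injectable so expiry can be exercised without sleeping.

```python
import base64
import binascii
import time
from typing import Callable, Dict, Optional, Tuple


def decode_secret(b64: str) -> bytes:
    """Decode a get-value response body; reject anything that is not strict base64
    so a wrong or truncated value fails here rather than at the point of use."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret value is not valid base64") from exc


def encode_secret(raw: bytes) -> str:
    """Encode a value for putSecretValue (the request side of the same rule)."""
    return base64.b64encode(raw).decode("ascii")


class SecretCache:
    """In-memory cache of decoded values keyed by path.

    fetch_b64(path) is the caller's get-value call (assumed hook) returning the raw base64
    string; the cache decodes once per fetch. invalidate() gives incident response an
    immediate purge; the clock is injectable for testing."""
    def __init__(self, fetch_b64: Callable[[str], str], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_b64
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, bytes]] = {}   # path -> (expires_at, value)

    def get(self, path: str) -> bytes:
        now = self._clock()
        hit = self._entries.get(path)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = decode_secret(self._fetch(path))
        self._entries[path] = (now + self._ttl, value)
        return value

    def invalidate(self, path: Optional[str] = None) -> None:
        """Drop one path (after a known rotation) or everything (incident response)."""
        if path is None:
            self._entries.clear()
        else:
            self._entries.pop(path, None)


def ttl_for(rotation_interval_seconds: float, max_staleness_seconds: float) -> float:
    """TTL bounded by both the rotation interval and the longest staleness you tolerate,
    so a cached value expires before its superseded version is destroyed."""
    return min(max_staleness_seconds, rotation_interval_seconds / 10)
```

Decoding once at fetch time, not on every read, keeps the decode error close to the API call where it is easy to diagnose, and the TTL rule ties the cache to the rotation schedule rather than leaving it as an independent tuning knob.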

Monitor audit logs

Review secrets.* audit events regularly. Pay attention to:

  • Unusual secrets.get_value volume
  • Unexpected secrets.put_value (rotations)
  • secrets.delete and secrets.destroy_version events

Correlate with kms.encrypt and kms.decrypt entries for full traceability.
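The three review points above, plus the KMS correlation, as an added detection example run over constructed audit lines (not the page's or the platform's code). The event names are the ones listed above; the field names (principal, path, request_id, key), the volume threshold, the set of principals expected to rotate, and the assumption that every get_value/put_value shares a request_id with a kms.decrypt/kms.encrypt entry are all assumptions for the example.

```python
import json
from collections import Counter
from typing import List, Tuple

GET_VALUE_THRESHOLD = 5                  # per principal in the analysed window; tune to your baseline
ROTATION_PRINCIPALS = {"svc-rotator"}    # principals expected to create versions (assumption)
PATH = "/app/prod/api/db-password"


def _ev(ts: str, event: str, principal: str, rid: str, **extra) -> str:
    return json.dumps({"ts": ts, "event": event, "principal": principal, "request_id": rid, **extra})


# Constructed sample audit lines; field names are assumptions, event names are from the text.
SAMPLE_LINES = [
    _ev("2024-03-06T09:00:01Z", "secrets.get_value", "svc-api", "r1", path=PATH),
    _ev("2024-03-06T09:00:01Z", "kms.decrypt", "svc-api", "r1", key="key-1"),
    *[_ev(f"2024-03-06T09:0{i}:00Z", "secrets.get_value", "alice", f"a{i}", path=PATH) for i in range(6)],
    *[_ev(f"2024-03-06T09:0{i}:00Z", "kms.decrypt", "alice", f"a{i}", key="key-1") for i in range(6)],
    _ev("2024-03-06T09:10:00Z", "secrets.get_value", "svc-batch", "r2", path=PATH),   # no kms.decrypt pair
    _ev("2024-03-06T10:00:00Z", "secrets.put_value", "svc-rotator", "r3", path=PATH, version=4),
    _ev("2024-03-06T10:00:00Z", "kms.encrypt", "svc-rotator", "r3", key="key-1"),
    _ev("2024-03-06T10:05:00Z", "secrets.destroy_version", "svc-rotator", "r4", path=PATH, version=3),
    _ev("2024-03-06T11:00:00Z", "secrets.put_value", "bob", "r5", path=PATH, version=5),  # unscheduled
    _ev("2024-03-06T11:30:00Z", "secrets.delete", "bob", "r6", path="/app/prod/api/legacy-token"),
]

Finding = Tuple[str, str, object]


def analyze(lines: List[str]) -> List[Finding]:
    """Return (kind, principal, detail) findings for one window of audit lines."""
    events = [json.loads(line) for line in lines]
    findings: List[Finding] = []

    # 1. get_value volume per principal
    gets = Counter(e["principal"] for e in events if e["event"] == "secrets.get_value")
    for principal, n in gets.items():
        if n > GET_VALUE_THRESHOLD:
            findings.append(("high_get_value_volume", principal, n))

    # request ids that have a kms.* counterpart (the correlation the text recommends)
    kms_rids = {e["request_id"] for e in events if e["event"].startswith("kms.")}

    for e in events:
        kind, who = e["event"], e["principal"]
        # 2. versions created by anyone other than the rotation principal
        if kind == "secrets.put_value" and who not in ROTATION_PRINCIPALS:
            findings.append(("unexpected_put_value", who, e["path"]))
        # 3. every delete / destroy_version is worth a look
        elif kind in ("secrets.delete", "secrets.destroy_version"):
            findings.append(("destructive_operation", who, kind))
        # 4. a read or write with no matching kms.decrypt / kms.encrypt entry (assumed invariant)
        if kind in ("secrets.get_value", "secrets.put_value") and e["request_id"] not in kms_rids:
            findings.append(("missing_kms_correlation", who, e["request_id"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(*f)
```

In production the volume check should run per sliding window rather than over a whole file, and the rotation allow-list should come from the same source of truth as your rotation automation so that a legitimate rotator is never flagged as an unexpected writer.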

Related documentation