To help AWS customers handle credentials more securely, Amazon last week announced AWS Secrets Manager. The new service allows AWS customers to store and retrieve passwords, OAuth credentials, binary data, and other types of secrets, such as API keys, via an API or the AWS CLI.
All secrets added to AWS Secrets Manager are encrypted with a user-selected AWS KMS key, and access to individual secrets can be controlled with IAM policies.
The storage and management of secrets is a significant part of keeping applications secure and the failure to do so has been implicated in numerous security incidents. In some cases, developers have even hard-coded API keys and credentials in their code, where they can leak into code repositories and be exposed to the public.
AWS Secrets Manager offers an alternative to insecure practices that create significant security risk, and it also alleviates some of the challenges of managing and using secrets at scale. For example, with AWS Secrets Manager, organizations can set up AWS Lambda functions that automatically rotate credentials on a defined schedule, a best practice that is frequently neglected, in part because doing it by hand is tedious.
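The retrieval and access-control side of the workflow described above, as an added example that is not code from the article or from AWS: a parser for the two value shapes a `GetSecretValue` response can carry (`SecretString`, commonly JSON, or `SecretBinary`), a runtime fetch that replaces a hard-coded credential, and a builder for an IAM policy scoped to one secret and its KMS key. The secret ARN, KMS key ARN and account id are constructed placeholders, and `fetch_secret` assumes boto3 is the SDK in use (it is imported lazily so the rest of the file runs without it).

```python
"""Added example (not from the article or AWS): reading AWS Secrets Manager
values at runtime and scoping IAM access to a single secret.

Assumptions: boto3 is the SDK (imported lazily inside fetch_secret); the
ARNs below are constructed placeholders, not real identifiers.
"""
import base64
import json

# Constructed placeholders for illustration only.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-EXAMPLE"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def parse_secret_value(response: dict) -> dict:
    """Turn a GetSecretValue response into a dict of credential fields.

    Secrets Manager returns either SecretString (text, usually a JSON object
    such as {"username": ..., "password": ...}) or SecretBinary (bytes; the
    raw API encodes them as base64, boto3 hands back bytes). A plain,
    non-JSON string is returned under the key "value".
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            parsed = json.loads(raw)
        except ValueError:
            return {"value": raw}
        return parsed if isinstance(parsed, dict) else {"value": parsed}
    if "SecretBinary" in response:
        blob = response["SecretBinary"]
        if isinstance(blob, str):
            blob = base64.b64decode(blob)
        return {"binary": bytes(blob)}
    raise ValueError("response carries neither SecretString nor SecretBinary")


def fetch_secret(secret_id: str, region: str = "us-east-1") -> dict:
    """Fetch a secret at runtime instead of embedding it in source.

    This is the real boto3 call (secretsmanager.get_secret_value); the import
    is deferred so the module loads on a machine without the SDK.
    """
    import boto3  # assumed available where this actually runs

    client = boto3.client("secretsmanager", region_name=region)
    return parse_secret_value(client.get_secret_value(SecretId=secret_id))


def read_only_policy(secret_arn: str, kms_key_arn: str, region: str) -> dict:
    """Least-privilege IAM policy: read one secret, decrypt with its key.

    Resource is the single secret ARN rather than "*". The kms:Decrypt
    statement is needed when the secret is encrypted with a customer-managed
    KMS key; kms:ViaService restricts that grant to use through Secrets
    Manager in the given region.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            },
            {
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": kms_key_arn,
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"
                    }
                },
            },
        ],
    }


def policy_is_scoped(policy: dict) -> bool:
    """Reject Allow statements whose Resource is a bare wildcard.

    A quick review check: a policy granting GetSecretValue on "*" lets any
    principal holding it read every secret in the account.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if any(r == "*" for r in resources):
            return False
    return True


if __name__ == "__main__":
    sample = {"SecretString": '{"username": "app", "password": "s3cr3t"}'}
    print(parse_secret_value(sample))
    print(json.dumps(read_only_policy(SECRET_ARN, KMS_KEY_ARN, "us-east-1"), indent=2))
```

`parse_secret_value` is deliberately separate from `fetch_secret` so the response handling can be exercised with constructed responses (as the `__main__` block does) without network access or credentials; in production the caller would cache the returned dict for the rotation interval rather than calling the API on every request.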
AWS Secrets Manager has a cost of $0.40 per month per secret and $0.05 per 10,000 API calls.