What is AWS Secrets Manager? How to Use AWS Secrets Manager in the CLI?

AWS Secrets Manager

What is AWS Secrets Manager?

The AWS Secret Manager is a service offered by AWS that is fully managed and can be used to securely store, manage and retrieve sensitive information like the API keys, database credentials, etc. which can be used by your apps and services.

It unifies your key storage and access management allowing for minimal risk of unintentional access. AWS Secrets Manager uses AWS KMS, which helps in encrypting and decrypting the secrets available in Keys, and in turn gives a secure and scalable solution to storing the secrets.

It is configured as an integrated component of other AWS services and helps access secrets through the use of programmatic APIs or AWS SDKs for access.

AWS Secrets Manager

Features of AWS Secrets Manager

Securely Store Secrets

AWS Secret Manager applies encryption with KMS keys of AWS which will lock the data at the storage level.

In this manner, risky objects are kept safe. It brings along two blocks of encryption – in transit and at rest conversions from unauthorized access are secure.

Manage the Secret Lifecycle

AWS Secrets Manager lets you manage your secrets by allowing you to create, update or delete them at any time you see them fit.

Its lifecycle steps out secrets, managing versioning and policies that expire, so you can implement Change Control for sensitive information at every stage.

Automate Secret Rotation

Using AWS Secrets Manager secrets can be setting a schedule and then have them auto-rotate on its expiry.

This allows for the implementation of a perfect security model which does security update, delete the unwanted one, and thus the occurrence of exposure to stale credentials.

Access Control

Access control over secrets is governed by IAM Policies which you can use. This can mean that you will be the only one having the access control and you can restrict to all the authorized users and applications, thus creating a secure environment by entrusting the information only to those that need it.

Audit and Monitor Secret Usage

AWS Secrets Manager provides you with logs and monitoring in detail showing IPS/IP addresses accessed the secrets and when.

Apart from this, it gives you a chance to monitor a possible secret or fraud use and to detect any unauthorized access or malicious action.

Cross-Account Access

You can allow users to share secrets among different AWS accounts by applying resource-based policies; so they can collaborate, keeping the task centralized while security remains the top priority.

It also makes it possible for the team to work with the secrets securely because they can have control of the secrets and the access rules between multiple AWS accounts makes it easier.

Using AWS Secrets Manager in the CLI

Create a New Secret and Attach Tags

This command creates a new secret in AWS Secrets Manager with the specified name (my-database-secret) and secret string ({“username”:”{ “admin” : “password”:”secretpassword”. Moreover it creates the label for category and classification.

In this case, the annotation is: Environment= Production.

aws secretsmanager create-secret --name my-database-secret --secret-string '{"username":"admin","password":"secretpassword"}' --tags Key=Environment,Value=Production

List All Secrets

Here is the command that displays all the secrets you have stored in AWS secrets manager. It provides the details of each secret such as its name and Amazon Resource Name (ARN).

aws secretsmanager list-secrets

List All Versions of a Secret

This query will display all existing versions of a general secret called “my-database-secret”. It consists of information like the instance ID, version stages, and the date of versioning for each version considered.

aws secretsmanager describe-secret --secret-id my-database-secret

Get a Secret Value

This command exhibits the secret value (for instance, the username and password) for a particular secret diete-secrets. It returns the secret data and displays it in plaintext.

aws secretsmanager get-secret-value --secret-id my-database-secret

Retrieve the Previous Version of a Secret

This command will look for the secret value corresponding to the old version of a particular secret name (my-database-secret). The decrypt process gives you a chance to retrieve previous versions of secrets that have been regenerated or updated.

aws secretsmanager get-secret-value --secret-id my-database-secret --version-stage AWSPREVIOUS

View the Details of a Secret

This command (my-database-secret) gives out different possible data of the secret (my-database-secret). It contains tags whose names, descriptions are included, their rotation configurations, and tags as well are listed.

aws secretsmanager describe-secret --secret-id my-database-secret

Modify a Secret

This command updates my-database-secret, which is the specific secret data that is being used. It yields the ability for you to alter the contents of the secret, for instance, by changing the short name or the password.

aws secretsmanager update-secret --secret-id my-database-secret --secret-string '{"username":"newadmin","password":"newsecretpassword"}'

Create a Secret and Encrypt It With KMS Key ID

The aws-encrypt API call will produce a new secret in the AWS secrets manager powered by the AWS Key Management Service by utilizing the KMS key (<KMS_KEY_ID>). It gives you the ability to hold securely confidential data due to the fact that encryption is used.

aws secretsmanager create-secret --name my-encrypted-secret --secret-string "confidential_data" --kms-key-id <KMS_KEY_ID>

Create Key/Value Pair Secret from a JSON file

Provides a secret creation process of a new secret (my-json-secret) from a JSON file (my-secret.json) full of key/value pairs using AWS Secrets Manager. It supports you that you can attach them to other AWS features like AWS Secrets Manager.

aws secretsmanager create-secret --name my-json-secret --secret-string file://my-secret.json

Delete a Secret

This command removes the secret named my-database-secret from AWS Secrets Manager, which is a service that keeps sensitive information and credentials in a secure manner. It creates a combo that can potentially prevail forever as well as destroy the memory of the hex along with its cryptic data.

This –force-delete-without-recovery option allows deleting the secret without even the option to save it.

aws secretsmanager delete-secret --secret-id my-database-secret --force-delete-without-recovery


Through AWS Secrets Manager, sensitive information, which is a core component of security, can be stored and accessed in the most secure way. Using the AWS CLI, you can create automation in secret management and then incorporate these secrets seamlessly with the application and workflow frameworks.

You must make use of AWS Secrets Manager in order to increase your AWS infrastructure security level and to ensure that your confidential data remains protected at all times.

Recommended: How to Use Microsoft SignTool with AWS CloudHSM to Digitally Sign Authenticode Files?

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.