This question is about the rotation of AWS secrets manager. When creating a secret, you could choose rotation frequency, but I can't figure out how rotation works.
Imagine a scenario like the following.
You create a secret A1 in AWS Secrets Manager and specify a rotation frequency of 30 days.
You encrypt the data with A1.
30 days later, A1 has been rotated to be A2.
Then your program retrieves the secret from AWS Secrets Manager and gets the value of A2. How do you decrypt the data that has been encrypted with A1?
Secrets Manager rotation is primarily used for API keys or passwords.
Your encrypted values are stored in the Secrets Manager secret, but the encryption key itself is stored in KMS.
When the rotation occurs, these values are replaced, and the same KMS customer master key will be used to encrypt the new value.
If you're ever wanting to store an encryption key you would use either AWS KMS, or AWS CloudHSM (if your organisation has specific regulatory requirements or wants to invest in a dedicated HSM).
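The answer's point, that rotation belongs on a KMS key rather than on an encryption key stored as a secret value, can be seen in a small local model. This is an added example, not code from the question, the answer or AWS: it models a KMS-style key that keeps every version of its material after rotation (which is how KMS automatic rotation behaves) next to the question's scenario, where the raw key is the secret value and only the current and previous versions (the AWSCURRENT and AWSPREVIOUS staging labels, which the page does not mention) remain. The HMAC-based stream cipher, the class names and the function names are constructed for the example; the cipher is a stand-in for AES-GCM so that the file runs with the standard library only.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    # Toy keystream: HMAC-SHA256 in counter mode (constructed for this example;
    # not a substitute for AES-GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, key_version, plaintext):
    """Encrypt-then-MAC, recording which key version produced the ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, key_version.encode() + nonce + ct, hashlib.sha256).digest()
    return {"key_version": key_version, "nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key, blob):
    """Verify the tag under the given key, then decrypt; raises on mismatch."""
    expected = hmac.new(key, blob["key_version"].encode() + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key version or tampered data")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


class KmsLikeKey:
    """Local model of a KMS key with automatic rotation: rotate() creates new
    material, but every earlier version is retained for decrypt only, so a
    ciphertext made under v1 still opens after any number of rotations."""

    def __init__(self):
        self.versions = {}   # version id -> key bytes (constructed, in memory)
        self.current = ""
        self.rotate()

    def rotate(self):
        self.current = "v%d" % (len(self.versions) + 1)
        self.versions[self.current] = os.urandom(32)
        return self.current

    def encrypt(self, plaintext):
        return seal(self.versions[self.current], self.current, plaintext)

    def decrypt(self, blob):
        key = self.versions.get(blob["key_version"])
        if key is None:
            raise KeyError("no key material for %s" % blob["key_version"])
        return open_sealed(key, blob)


class RawKeyInSecret:
    """Model of the question's scenario: the raw key is the secret value. After
    rotation only the current (AWSCURRENT) and previous (AWSPREVIOUS) values are
    available to the consumer; material from two rotations ago is gone."""

    def __init__(self):
        self.previous = None
        self.current = os.urandom(32)
        self.generation = 1

    def rotate(self):
        self.previous, self.current = self.current, os.urandom(32)
        self.generation += 1

    def encrypt(self, plaintext):
        return seal(self.current, "A%d" % self.generation, plaintext)

    def decrypt(self, blob):
        # The consumer can only try whatever the secret still holds.
        for key in (self.current, self.previous):
            if key is None:
                continue
            try:
                return open_sealed(key, blob)
            except ValueError:
                pass
        raise KeyError("key material for %s is no longer retrievable" % blob["key_version"])


def demo_kms_style(rotations=3):
    """Encrypt under v1, rotate N times, decrypt: returns the original plaintext."""
    key = KmsLikeKey()
    blob = key.encrypt(b"customer record")
    for _ in range(rotations):
        key.rotate()
    return key.decrypt(blob)


def demo_secret_style(rotations):
    """Encrypt under A1, rotate N times; True if the data is still recoverable."""
    secret = RawKeyInSecret()
    blob = secret.encrypt(b"customer record")
    for _ in range(rotations):
        secret.rotate()
    try:
        secret.decrypt(blob)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    print(demo_kms_style(3))            # b'customer record'
    print(demo_secret_style(1))         # True: A1 still sits under AWSPREVIOUS
    print(demo_secret_style(2))         # False: A1 has been deprecated
```

The ciphertext carrying its own key-version id is what makes the KMS-style model work: rotation changes which material encrypts new data, never which material is needed to read old data. With the raw key stored as a rotating secret, the question's scenario is recoverable for exactly one rotation window and then not at all, which is why the answer steers encryption keys to KMS or CloudHSM and leaves Secrets Manager rotation to credentials.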