
How to Share a Secret (Key) on AWS

by Team Nuggets
Updated on July 21, 2025

Managing secrets in the cloud, like API tokens, database credentials, and encryption keys, used to mean risky workarounds and manual key rotation. AWS Secrets Manager changes that by offering a secure, automated way to store, manage, and retrieve sensitive data across your AWS environment.

Whether you're building apps that talk to databases, calling third-party APIs, or managing multi-account access, Secrets Manager helps keep your credentials safe while reducing the headache of secret sprawl. Let’s explore how it works, costs, and how to use it effectively.

Why Secrets Management is so Important on AWS

Managing credentials in cloud environments can be a nightmare. You need to share secrets between applications, rotate passwords regularly, and avoid hardcoding sensitive data. One mistake (like exposing access keys in your codebase or leaving long-lived credentials in an S3 bucket) can lead to serious breaches.

There's no fully reliable way to hand account credentials from one place to another without risking exposure along the way. Add the need to rotate keys and passwords regularly on top of that, and you have a hair-tearing nightmare.

Meanwhile, your security team is always anxious about vulnerabilities, and every ad-hoc workaround looks risky from their side. That's where AWS Secrets Manager comes in. It's designed to reduce the risk of leaked credentials while simplifying access for authorized services and users.

What AWS Secrets Manager Does (And Why It Matters)

AWS Secrets Manager is a fully managed service, and access to every stored secret and credential is tied directly to Identity and Access Management (IAM) on your AWS account. You can also integrate Secrets Manager with the AWS Key Management Service (KMS), which encrypts all of your stored secrets at rest.

AWS Secrets Manager handles the full lifecycle of secrets with features like: 

  • Secure Storage: Secrets are encrypted at rest using AWS Key Management Service (KMS). You can use AWS-managed keys or your own customer-managed keys.

  • Automatic Rotation: It supports built-in rotation for services like Amazon RDS and custom rotation via AWS Lambda for other secrets.

  • Access Control: Ties into IAM policies and resource-based policies to enforce who and what can access each secret.

  • Cross-Region Replication: You can replicate secrets to multiple AWS regions for redundancy and failover.

  • Monitoring and Auditing: Integrates with AWS CloudTrail and CloudWatch for visibility into usage and changes.

It also supports client-side caching via AWS SDK libraries, which helps reduce API call costs and improve performance.
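As an added example (not code from the article or from AWS), here are the two halves of sharing a secret the way the features above describe: a least-privilege resource-based policy that lets exactly one other role call GetSecretValue, and a small client-side TTL cache of the kind the AWS SDK caching libraries provide, so repeated reads don't each cost an API call. The ARNs are constructed placeholders, and `fetch` stands in for the real boto3 call.

```python
import json
import time
from typing import Callable, Dict, Optional

def share_secret_policy(secret_arn: str, reader_role_arn: str) -> Dict:
    """Resource-based policy letting exactly one role read the secret.
    Attach with put_resource_policy. If a customer-managed KMS key encrypts
    the secret, the reader must also be allowed in that key's policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSingleRoleToReadSecret",
            "Effect": "Allow",
            "Principal": {"AWS": reader_role_arn},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }

class CachedSecret:
    """Client-side TTL cache around a fetch callable: one API call per TTL
    window however often the app reads the secret. In production `fetch` is
    e.g. lambda: client.get_secret_value(SecretId=ARN)["SecretString"].
    The clock is injectable so the cache can be tested without sleeping."""
    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._value: Optional[str] = None
        self._expires = 0.0
        self.fetch_count = 0  # number of real lookups made

    def get(self) -> str:
        if self._value is None or self._clock() >= self._expires:
            self.refresh()
        return self._value

    def refresh(self) -> str:
        """Force a new lookup; call this when a downstream login fails,
        which usually means the secret was rotated while it was cached."""
        self._value = self._fetch()
        self.fetch_count += 1
        self._expires = self._clock() + self._ttl
        return self._value

if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own.
    policy = share_secret_policy("arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
                                 "arn:aws:iam::444455556666:role/app-reader")
    print(json.dumps(policy, indent=2))
```

The cache deliberately exposes `refresh()` rather than retrying silently: a cached value that stops working is the normal symptom of a rotation, and the caller should refresh once and then fail loudly rather than loop.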

How Much Does AWS Secrets Manager Cost in 2025?

Secrets Manager is not free, but for many, the security and automation benefits are worth the cost. Here's what you're looking at:

  • $0.40 per secret per month, prorated hourly

  • $0.05 per 10,000 API calls

  • 30-day free trial per account, which is helpful for testing

  • KMS charges apply if you use customer-managed encryption keys

  • Lambda costs apply if you use automated rotation

New in 2025: AWS now supports cost allocation tags for secrets, letting you track usage by department or project in Cost Explorer.

Don't Want to Share Secrets? Here Are Your Other Options.

If AWS Secrets Manager isn't exactly what you need from your AWS credentials or secret management, there's always the tried-and-true distribution of Access Keys. For obvious reasons, being willy-nilly with your admin-level Access Keys is frowned upon, so there are resources to explain how you can distribute keys that won't leave all your accounts completely vulnerable.

Amazon has suggestions for best practices for managing access keys. You can read their General Reference Document for AWS, but it boils down to this: only give the access you must. They point out that access keys should be kept safe and only created when they're absolutely necessary. Temporary security credentials (obtained by assuming IAM roles) also help keep things safe, because they grant short-lived access for a task instead of long-term keys.

But like anything else that grants access, IAM roles bring their own risks (another reason to seriously consider AWS Secrets Manager). You shouldn't embed the access keys you generate into your code; you should use different access keys for different applications and rotate them.

Their guidelines when dealing with IAM User Access keys can point you in the right direction, but here's a quick list to help you make a decision: 

Use Secrets Manager for:

  • App credentials (API tokens, DB passwords)

  • Config values that change regularly or need rotation

  • Secrets shared across services or environments

Use something else for:

  • IAM credentials: Use IAM roles or temporary credentials via STS.

  • Private keys/SSL certs: Store and manage these with AWS Certificate Manager or KMS, not Secrets Manager.

  • SSH keys: Use EC2 Instance Connect or Systems Manager Session Manager.

  • Parameter values that rarely change: Systems Manager Parameter Store can work well and has a free tier.

No, Clean Rooms Doesn’t Change How Secrets Manager Works

You may have seen AWS Clean Rooms documentation mention “secret keys” or “SSK” (Shared Secret Keys), but this applies specifically to secure data collaboration via Clean Rooms, not the broader Secrets Manager tool.

Bottom line: Secrets Manager is still the go-to service for managing secrets in your AWS environment. Clean Rooms uses it in specific cases but doesn't introduce new functionality to the core Secrets Manager service.

Final Thoughts: Is AWS Secrets Manager Worth It?

If your organization is serious about security and your apps use shared secrets, AWS Secrets Manager is likely worth the cost. The ability to centralize, encrypt, audit, and automatically rotate credentials can save hours of manual work—and help you sleep better at night.

That said, it's not the only option. For static config data or simple key-value pairs, consider Systems Manager Parameter Store. If you're using IAM-based authentication, use IAM roles and temporary credentials instead of managing keys yourself.

Whichever method you use, the most important thing is this: never hardcode secrets. Ever. 

Want to learn more about AWS security? Check out our AWS Certified Security – Specialty (SCS-C02) Online Training.
